Cybercriminals are Defeating MFA/2FA to Access Your Online Accounts

HOW THE ADVERSARY-IN-THE-MIDDLE (AiTM) PHISHING SCAM WORKS

August 2023 | Nextworks

You are likely rather familiar with multi-factor authentication (MFA / 2FA) by now. Logging into the myriad of the online services you use daily can trigger a text message to your phone or require a code from an Authenticator App. This additional security step is an effective mechanism to help protect your identity, finances, and data.

MFA allows you to prove that it is indeed you, and not a cybercriminal, who is trying to access your bank account, health records, etc. We highly suggest enabling MFA whenever possible. You can usually enable MFA in your account settings. While MFA does pose some inconvenience, it’s a prudent safeguard.

Refer to our related 2022 article “How the #1 Email Scam Works” to understand how MFA can help keep you safe.

It would be nice to end here on this note: Cybercriminals are everywhere. Setup MFA on all your accounts. Sleep well at night.

Unfortunately, it’s no longer that simple. Cybercriminals now have several tricks to work around many MFA safeguards. Let’s explore one of their tricks: Adversary-in-The-Middle (AiTM) Phishing.

AiTM is not new. It’s been around for a few years. However, as more people activate MFA on their accounts, conventional Phishing is less successful. So AiTM Phishing attacks are becoming more common. Microsoft reports that since September 2021, MiFA Phishing has targeted more than 10,000 organizations.

What is AiTM Phishing?

As the name suggests, an AiTM attack places an agent in between you and the online service you are logging into. This agent shares information between the two parties and thus can hijack access to your account.

The below image explains the AiTM phishing process. (credits: Microsoft)

How AiTM Works

This process can also be explained using the following example.

You receive an email from your bank claiming that a $8,900 draft has triggered a security alert on your account. The email contains a link to log into your account to review the transaction.

The email appears to be legitimate. It’s clear, has your bank logo, and contains a recognizable link with "usbank.com" in the address. Concerned about the $8,900 transaction, you click the link.

(While the link text in the email shows "usbank.com", you didn’t notice that when you mouse over the link, the actual text of the link is "us-ebank-com.gt", and not "usbank.com".)

You now arrive at a counterfeit web site that appears to be the US Bank login page. You don’t notice the unusual "us-ebank-com.gt" address at the top of your browser. You are too busy thinking, “What is this $8,900 charge for?” You promptly enter your username and password to get to the bottom of it.

The web site you are now on is in fact driven by the AiTM software. And now, you have provided the hacker with your online banking credentials. Okay, no big deal, right? You have MFA enabled and they can’t get into your bank account without the code. Well, perhaps they can.

After entering your username and password into the AiTM web site, the hacker then passes those credentials to the actual US Bank web site. US Bank detects that a new, untrusted device is attempting to log in. So, US Bank texts a login notice with a code to your smartphone.

Anticipating this, the AiTM web site now asks you for that code. You type in the code, still thinking you are at the US Bank login page. The hacker then provides that code to the real US Bank web site. And now they are in your account.

Meanwhile, you are presented with a fake US Bank notice that reads “We apologize, but US Bank e-banking is down for maintenance. Please try again later.” You don’t know that your bank account has been compromised, at least for now. This give the hacker the time they need while you wait to try again later.

And that’s how an AiTM Phishing scam works.

What can I do to protect myself?

First and foremost is to get cybersecurity training for you and your staff. Here are a few tips:

In the scenario above, awareness could have thwarted the criminal’s access to your bank account. Web browsers always show the address of where you are in the URL bar at the top. You should regularly be glancing at this as you use the web. You will get to know familiar and legitimate web addresses such as google.com, microsoft.com, wellsfargo.com, etc. Look out for something like amazom.com instead of amazon.com.

Instead of calling phone numbers presented to you, look up the phone number independently. If using the company’s web site, get the number from amazon.com instead of amazom.com. Do the same with links in an email. You can just type in usbank.com instead of clicking the link in an email. Or use a known bookmark that you have been using all along.

Authenticator apps, such as Microsoft Authenticator are more secure than receiving text messages for MFA. Authenticator apps can also provide an interactive interface and incorporate geo-positioning to distinguish you from an AiTM hacker. Microsoft also provides Azure AD Identity Protection allowing your IT team to establish policies to better thwart AiTM attacks.

Conventional MFA is still far better than no MFA at all. Conventional Phishing is far more common than AiTM Phishing. If conventional MFA (text messaging) is your only option, then you should still enable it.

Cybersecurity is a tiered approach. Numerous basic precautions can amount to a lot of protection. But without professional IT help, cyber-safety can be difficult to achieve.

Nextworks can conduct phishing testing for you and your staff. You can review the results from our cycbersecurity portal and see how well your team performed. We have found that additional testing over time results in heightened awareness and solid security.

Contact Nextworks today for a no cost Cybersecurity Assessment.

Or, learn more about Nextworks IT Services.

[ Return to News & Commentary home. ]

[ Return to Nextworks IT home. ]