In case you have not been hearing enough about the rampant abuse of multi-factor authentication (MFA), here is some fresh fuel for making the case to your partners that we have a new challenge. Exploitation of MFA has been a hot topic recently, and I blogged about it not long ago to reinforce the point. The same vulnerable elements are unchanged, and there is every sign that misuse is rising in this environment. So, let's talk about what's new.
Bots, offered as a service, are now automating account takeover (ATO) fraud, as Microsoft researchers reported, and that shows how far this attack can scale. That is the core of the problem. The bots automate the credential-theft workflow and add one capability on top: they capture the MFA code the victim enters and replay it in real time, so step-up authentication is defeated in exactly the scenarios where the login-control framework adds friction. That's a mouthful, so let's break it down.
Search engine optimization abuse lets spoofed websites rise to the top of your customers' search results, or appear in targeted ads. Those results can be the first thing a customer sees and clicks on when trying to reach your site. There are other ways to steer a customer to a site, such as phishing or smishing, but the effect is the same: if the destination is an imposter, and the customer types their username and password into its forms, the attacker harvests those credentials for account takeover. That's a problem, right? It is also very common; the industry sees it with high frequency, and bad actors have techniques to industrialize the process.
Scraping legitimate online banking pages and reproducing them elsewhere has made imposter sites look as good as the real thing, and that is bad news for institutions, which have to manage the cycle from spoof-site detection to takedown of the imposter. Takedown can take a few days or more, depending on where the server is located and the chain of vendors whose processes are involved. Sites like this are hard to contain operationally, and each cycle leaves room for a few fraud attempts to get through. That's the starting point; what comes next is more nefarious.
Let's go back to the newest element in this space, the bots. Suppose a bot sits behind that spoofed site. As the victim submits their credentials, the bot navigates to the legitimate online banking site, enters the stolen username and password, and hits the login button. The legitimate site sees a login from a new or risky endpoint and sends an MFA code to the legitimate user. The user, for whom everything looks and feels normal, types that code into the spoofed page, and the bot relays it to the real site within its validity window. Suddenly the bad actor is inside the customer's account, authenticated, and may introduce other elements to keep the true user from realizing that their online banking has been commandeered. Note what made this work: the one-time code was bound only to the user, not to the page the user typed it into, so a real-time relay defeats it.
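To make that difference concrete, here is an added example (mine, not code from the referenced article or from any vendor) that simulates the relay in Python. The bank, the imposter origin, and the authenticator are constructed stand-ins, and an HMAC replaces the public-key signature a real FIDO2 authenticator would produce. The first function shows the relay above succeeding against a one-time code. The second runs the same relay against an origin-bound assertion of the kind FIDO2 provides: the bot can forward the bank's challenge verbatim, but the origin written into the client data comes from the browser on the victim's side and names the imposter site, so the bank rejects it.

```python
"""Simulated credential/OTP relay versus an origin-bound (WebAuthn-style) assertion.

Added demo with constructed names; the HMAC 'signature' and shared MAC key stand in
for the public-key signature and registered public key of a real FIDO2 credential.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "bank.example"                               # hypothetical relying-party ID
BANK_ORIGIN = "https://bank.example"                 # legitimate site
PHISH_ORIGIN = "https://bank-example-login.example"  # constructed imposter site


def sha256(data):
    return hashlib.sha256(data).digest()


class OtpBank:
    """Password plus a one-time code. The code is tied to the user, not to the page it is typed into."""

    def __init__(self, username, password):
        self.username, self.password = username, password
        self.pending_otp = None

    def login(self, username, password):
        if (username, password) != (self.username, self.password):
            return False
        self.pending_otp = f"{secrets.randbelow(10**6):06d}"  # 'sent' to the user's phone
        return True

    def verify_otp(self, code):
        ok = self.pending_otp is not None and hmac.compare_digest(code, self.pending_otp)
        self.pending_otp = None
        return ok


def otp_relay():
    """The bot replays the victim's password, then the OTP the victim types into the imposter page."""
    bank = OtpBank("alice", "correct horse")
    bank.login("alice", "correct horse")          # 1. credentials harvested on the phish page, replayed at the bank
    code_typed_by_victim = bank.pending_otp       # 2. bank texts the code; victim types it into the phish page
    return bank.verify_otp(code_typed_by_victim)  # 3. bot replays it; nothing ties the code to an origin


class Authenticator:
    """Stand-in for a FIDO2 authenticator (HMAC instead of a private key)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def registered_key(self):
        return self._key  # demo only: models the public key the bank stored at registration

    def sign(self, rp_id, client_data):
        auth_data = sha256(rp_id.encode()) + b"\x01"  # rpIdHash || flags (user present)
        sig = hmac.new(self._key, auth_data + sha256(client_data), hashlib.sha256).digest()
        return auth_data, sig


def browser_get_assertion(page_origin, rp_id, challenge, authn):
    """The browser, not the page script, records the origin in clientDataJSON.
    (A real browser would also refuse outright, since bank.example is not a registrable
    suffix of the imposter origin; the server-side origin check below is the backstop.)"""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}, sort_keys=True
    ).encode()
    auth_data, sig = authn.sign(rp_id, client_data)
    return client_data, auth_data, sig


class WebAuthnBank:
    def __init__(self, authn):
        self.mac_key = authn.registered_key()
        self.challenges = set()

    def begin_login(self):
        challenge = secrets.token_urlsafe(32)
        self.challenges.add(challenge)
        return challenge

    def finish_login(self, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.challenges:
            return False
        self.challenges.discard(cd["challenge"])      # single use
        if cd.get("origin") != BANK_ORIGIN:           # origin binding: the relayed login dies here
            return False
        if auth_data[:32] != sha256(RP_ID.encode()):  # rpIdHash must be ours
            return False
        expected = hmac.new(self.mac_key, auth_data + sha256(client_data), hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)


def webauthn_login(page_origin):
    """Run one login with the victim's browser sitting on page_origin."""
    authn = Authenticator()
    bank = WebAuthnBank(authn)
    challenge = bank.begin_login()        # the bot can relay this challenge verbatim...
    assertion = browser_get_assertion(page_origin, RP_ID, challenge, authn)
    return bank.finish_login(*assertion)  # ...but not the origin the browser wrote down


if __name__ == "__main__":
    print("OTP relay succeeds:", otp_relay())                       # True
    print("WebAuthn at real origin:", webauthn_login(BANK_ORIGIN))  # True
    print("WebAuthn via imposter:", webauthn_login(PHISH_ORIGIN))   # False
```

The point to take from the second half is that nothing the attacker controls (the challenge, the relayed form fields, timing) changes the outcome; the field that sinks the relay is written by the victim's browser, which is why moving to origin-bound authenticators, rather than a stronger code, is what closes this hole.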
So, here we are again, with a weakened front door due to manipulation of the end user, and we need to make sure we can control for it. As noted in the article referenced and in my prior blog post, the industry's move to FIDO2 resolves much of this risk: the authenticator signs a challenge that is bound to the site's origin, so a login relayed from an imposter domain fails, and local authentication takes the customer out of the equation. That will improve outcomes long term. What stays constant is that session and transaction monitoring controls are critical as well. In the present state, making sure we have appropriate decline and alerting controls for any ATO threat, as a deterrent, is the right posture for this moment. Setting up those fallback controls, and being able to recognize an attacker, a bot, or a high-risk sequence of events within an online session, is critical to defending digital assets, especially when you can arrest the session in flight. As always, demonstrating your agility and readiness to defend the digital domain of your institution favors the first mover's advantage.
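As an added example of the in-session monitoring argued for here (my own illustration, not the post's tooling and not any product's logic), the following Python scores a constructed stream of login and transaction events. The field names, point values, thresholds, and the four sample sessions are all assumptions chosen to mirror the scenario above: an unknown device, a hosting-provider IP, a one-time code accepted seconds after issue, several accounts authenticating from one IP, and a transfer to a payee added moments earlier. Each session gets an action (allow, step up, or decline and alert) plus the event at which the decline threshold was first reached, which is what arresting a session in flight means in practice.

```python
"""Session-risk scoring over a constructed event stream (added example; field names,
points, thresholds and the sample sessions are all assumptions)."""
from collections import defaultdict

# Points per signal and decision thresholds (assumed values; tune to your own base rates)
NEW_DEVICE, HOSTING_IP, FAST_OTP, IP_VELOCITY, PAYEE_THEN_TRANSFER = 2, 2, 1, 3, 3
FAST_OTP_SECONDS = 20   # code accepted this soon after issue on an unknown device
VELOCITY_WINDOW = 600   # seconds
VELOCITY_USERS = 3      # distinct accounts authenticating from one IP within the window
PAYEE_WINDOW = 300      # transfer to a payee added within this many seconds
STEP_UP_AT, DECLINE_AT = 3, 6


def mk(user, ip, ip_class, device_known, steps):
    """Build events for one session; ip_class and device_known would come from enrichment."""
    return [{"ts": ts, "user": user, "ip": ip, "ip_class": ip_class,
             "device_known": device_known, "event": kind} for ts, kind in steps]


# Constructed sample: one genuine customer, then three accounts driven from the same hosting IP.
BOT_IP = "203.0.113.9"
EVENTS = (
    mk("alice", "198.51.100.7", "residential", True, [(1000, "login_ok"), (1010, "view_balance")])
    + mk("bob", BOT_IP, "hosting", False, [(2000, "otp_sent"), (2012, "otp_ok"), (2040, "add_payee"), (2055, "transfer")])
    + mk("carol", BOT_IP, "hosting", False, [(2100, "otp_sent"), (2109, "otp_ok"), (2130, "view_balance")])
    + mk("dave", BOT_IP, "hosting", False, [(2300, "otp_sent"), (2315, "otp_ok"), (2330, "add_payee"), (2340, "transfer")])
)


def _flag(session, points, reason):
    session["score"] += points
    session["reasons"].append(reason)


def score_sessions(events):
    """Score each (user, ip) session in event order. 'blocked_at' is the first event at which
    the decline threshold was reached, i.e. where the session should have been cut off."""
    sessions = {}
    auths_by_ip = defaultdict(list)  # ip -> [(ts, user)] of successful authentications
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["ip"])
        s = sessions.get(key)
        if s is None:  # first event of the session: static risk of the endpoint
            s = sessions[key] = {"score": 0, "reasons": [], "blocked_at": None,
                                 "otp_sent": None, "payee_added": None}
            if not e["device_known"]:
                _flag(s, NEW_DEVICE, "first login from this device")
            if e["ip_class"] == "hosting":
                _flag(s, HOSTING_IP, "hosting/datacenter IP")
        kind, ts = e["event"], e["ts"]
        if kind == "otp_sent":
            s["otp_sent"] = ts
        elif kind in ("otp_ok", "login_ok"):
            if (kind == "otp_ok" and s["otp_sent"] is not None
                    and ts - s["otp_sent"] <= FAST_OTP_SECONDS and not e["device_known"]):
                _flag(s, FAST_OTP, f"OTP accepted {ts - s['otp_sent']}s after issue on unknown device")
            auths_by_ip[e["ip"]].append((ts, e["user"]))
            recent = {u for t, u in auths_by_ip[e["ip"]] if ts - t <= VELOCITY_WINDOW}
            if len(recent) >= VELOCITY_USERS:  # one endpoint logging into many accounts
                _flag(s, IP_VELOCITY, f"{len(recent)} accounts authenticated from {e['ip']} within {VELOCITY_WINDOW}s")
        elif kind == "add_payee":
            s["payee_added"] = ts
        elif (kind == "transfer" and s["payee_added"] is not None
                and ts - s["payee_added"] <= PAYEE_WINDOW and not e["device_known"]):
            _flag(s, PAYEE_THEN_TRANSFER, "transfer to a payee added moments ago in a new-device session")
        if s["score"] >= DECLINE_AT and s["blocked_at"] is None:
            s["blocked_at"] = ts
    for s in sessions.values():
        s["action"] = ("decline_and_alert" if s["score"] >= DECLINE_AT
                       else "step_up" if s["score"] >= STEP_UP_AT else "allow")
    return sessions


if __name__ == "__main__":
    for (user, ip), s in score_sessions(EVENTS).items():
        print(f"{user:6} {ip:14} score={s['score']:2} {s['action']:17} blocked_at={s['blocked_at']} {s['reasons']}")
```

Run on the sample, alice is allowed, bob is declined only at the transfer, carol (same bot IP, but no money movement yet) gets a step-up, and dave is declined at the moment his code is accepted, before he ever reaches the payee screen, because by then the IP velocity signal has accumulated across the earlier sessions. That cross-session view is the piece a per-login risk score misses.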