Your grandma’s MFA Just Won’t Cut It!

Identity and Access Management, MFA / Oct 11, 2023

Authored by Scott Dewar.

Ah, the audacity of over-confidence! Picture this: My mum, a bright and competent woman, is chuckling over her morning coffee at the news of yet another scam making the rounds. “Who falls for these things?” she wonders aloud, somewhat smugly, before turning to her level 99 tech-wizard-son to inquire, “Where have the ‘pictures’ (app icons) she clicks on her phone disappeared to?”

The following day, a group of cyber security students share eye-rolling emojis, the virtual world’s version of “pffft, who falls for this nonsense?”, in response to a news article about the latest phishing scam stealing administrator credentials.

Even at a recent cyber security conference, full of seasoned experts, scoffs and groans of mocking disbelief cascaded around the room at yet another tale, unfolding on stage, of an IT support team succumbing to a social engineering attack.

The Dunning-Kruger Effect, Confidence Bias, and Illusory Superiority are not merely fancy psychological terms but the invisible forces within our own brains that inflate our confidence, prompting us all to think, “That could never be me!”. Yet, credit where credit is due, it isn’t my mum who keeps leaking the administrator credentials, cookies, and tokens that are readily available for sale on numerous dark-web marketplaces today.

While we collectively scoff at the transparent attempts of mass-distribution phishing scams, laughing at their poorly worded emails —“Congratulations! You’ve won a new Samsung iPhone 19 Pro X!”— we often underestimate the cunning and resourcefulness of cybercriminals who craft meticulous spear-phishing campaigns using tools such as EvilProxy or Evilginx.

The now infamous EvilProxy, one of many phishing-as-a-service platforms, requires only modest technical proficiency to craft and deploy phishing pages that can bypass once-trusted authentication methods. These seemingly legitimate login pages are available for a variety of services, including Microsoft Office 365, Okta, AzureAD, Gmail, Dropbox, Facebook, PayPal, and Twitter. EvilProxy actively engages with its target, seamlessly relaying authentication requests and user credentials through its pixel-perfect login screens directly to the legitimate service website, becoming an invisible interloper in the communication process. In doing so, it pilfers credentials, copies cookies, and swipes tokens, which can subsequently be used to access the service later, adeptly bypassing popular MFA methods: a security measure often heralded as a robust defence against unauthorized access.
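
Why the relay trick fails against FIDO/WebAuthn comes down to binding, and the following added example (not the post's code, and nothing to do with EvilProxy itself) shows the relying-party checks that enforce it: the browser writes the page's real origin into clientDataJSON and the authenticator hashes the RP ID derived from that domain into the assertion, so an assertion produced on a look-alike domain is rejected no matter how faithfully it is relayed. The RP ID, origin, challenge and helper functions are constructed for the example.

```python
import base64
import hashlib
import json

# Constructed relying party for the example; not a real deployment.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def check_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: str):
    """Binding checks a relying party performs on a WebAuthn assertion before
    verifying the signature. Returns (accepted, reason)."""
    client = json.loads(b64url_decode(client_data_b64))
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed ceremony)"
    # The browser writes the page's real origin into clientDataJSON. A ceremony
    # run on a look-alike domain carries that domain, whatever a proxy relays.
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client.get('origin')}"
    # authenticatorData starts with SHA-256(rpId); the browser derives rpId from
    # the page domain, so a credential scoped to the real site is never
    # exercised for the phishing domain.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:  # UP flag: user presence
        return False, "user presence not asserted"
    return True, "bound to origin and rpId; verify signature over authData||SHA256(clientDataJSON) next"

def make_client_data(origin: str, challenge: str) -> str:
    """Constructed stand-in for the clientDataJSON a browser would produce."""
    raw = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_auth_data(rp_id: str, flags: int = 0x05) -> bytes:
    """rpIdHash (32 bytes) || flags (1) || signCount (4); 0x05 = UP|UV."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")

CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed sample; normally random per login

# Genuine sign-in on the real site.
LEGIT = check_assertion(make_client_data(EXPECTED_ORIGIN, CHALLENGE), make_auth_data(RP_ID), CHALLENGE)
# Same user and authenticator, but the ceremony ran on a proxy's look-alike domain.
PHISHED = check_assertion(make_client_data("https://login.example-secure.com", CHALLENGE),
                          make_auth_data("login.example-secure.com"), CHALLENGE)
```

In practice the browser would not even offer the real site's credential on the look-alike domain; the server-side checks above are the backstop that makes the relayed ceremony worthless even if something is submitted.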

So how do you beat it?

Embracing a layered security approach isn’t just about building higher walls; it’s about making every potential attack vector difficult, ensuring attackers must work hard to infiltrate your systems. Strong passwords and MFA aren’t enough of a barrier. We recommend the following to add extra obstacles for attackers to fight through:
• Adopt Phishing-Resistant MFA: Passkeys, FIDO/WebAuthn and Public Key Infrastructure (PKI) MFA options should be considered for all user accounts and should be mandatory for high-privileged accounts. If these are not viable, consider mobile push notifications with number matching or token-based OTP, and avoid using SMS, email, voice, or push notifications without number matching for MFA.
• Establish Network Zones (in particular) for Identity Platforms: Ban access from anonymising proxies and only allow IP ranges within the corporate network. If the corporate network is not available, consider only allowing access to systems from the IP, ASN, or geolocation ranges from which employees log in.
• Enhance Your Help Desk: Strengthen processes, and consider using visual identity verification methods and multiple tiers of approval, especially for any credential resets on high-privilege accounts. Ensure help desk roles have the least privileges required and constrain these roles to groups that exclude highly privileged administrators.
• Enable End-User Notifications: Ensure credential reset, new device and suspicious activity end-user notifications are active.
• Integrate SIEM Systems: Log events and patterns, including MFA resets/removals and login attempts from proxies or other networks. Action these alerts!
• Constrain Administrative Roles: Limit the use of Administrator Roles and implement privileged access management (PAM) for administrator access. Regularly audit administrator roles.
• Review and Limit the Use of Remote Management and Monitoring (RMM) Tools.
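
As an added example (not from the post), a small detection pass over constructed sign-in log lines that flags the patterns the Network Zones and SIEM recommendations above describe: MFA method removals, successful sign-ins via anonymising-proxy ASNs or from outside the corporate ranges, and a sign-in shortly after an MFA change. The network ranges, ASNs, usernames and event names are constructed and would be replaced by your identity platform's own values.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed policy values standing in for your own corporate ranges, known
# anonymising-proxy ASNs and privileged account list.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ANON_PROXY_ASNS = {64500, 64501}
PRIVILEGED = {"admin.jane"}

# Constructed sample events in time order, as JSON lines a SIEM might hold.
SAMPLE_LOG = """
{"ts":"2023-10-11T08:01:00","event":"SignIn","user":"bob","ip":"203.0.113.40","asn":64496,"result":"Success"}
{"ts":"2023-10-11T08:05:00","event":"MfaMethodRemoved","user":"admin.jane","ip":"198.51.100.7","asn":64500,"result":"Success"}
{"ts":"2023-10-11T08:06:30","event":"SignIn","user":"admin.jane","ip":"198.51.100.7","asn":64500,"result":"Success"}
{"ts":"2023-10-11T09:00:00","event":"SignIn","user":"alice","ip":"192.0.2.9","asn":64502,"result":"Failure"}
"""

def in_corporate_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)

def detect(log_text: str, window: timedelta = timedelta(minutes=30)) -> list:
    """Return alert strings for the events the post's SIEM and network-zone
    recommendations say should be logged and actioned."""
    alerts = []
    last_mfa_change = {}  # user -> time of the most recent MFA reset/removal
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        ts = datetime.fromisoformat(e["ts"])
        off_net = not in_corporate_net(e["ip"])
        via_proxy = e["asn"] in ANON_PROXY_ASNS
        if e["event"] in ("MfaMethodRemoved", "MfaReset"):
            last_mfa_change[e["user"]] = ts
            sev = "HIGH" if e["user"] in PRIVILEGED else "MEDIUM"
            alerts.append(f"{sev}: {e['event']} for {e['user']} from {e['ip']}")
        elif e["event"] == "SignIn" and e["result"] == "Success":
            if via_proxy:
                alerts.append(f"HIGH: sign-in via anonymising proxy ASN {e['asn']} for {e['user']}")
            elif off_net:
                alerts.append(f"MEDIUM: sign-in outside corporate zone for {e['user']} from {e['ip']}")
            changed = last_mfa_change.get(e["user"])
            # A successful off-network sign-in shortly after an MFA change is the
            # footprint of a stolen session or a reset being cashed in.
            if changed and ts - changed <= window and off_net:
                alerts.append(f"HIGH: {e['user']} signed in within {window} of an MFA change (possible takeover)")
    return alerts
```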

The tales of EvilProxy and similar threats underscore the reality that cybersecurity is not a static field: the bad guys are lying awake, endlessly plotting, innovating, and finding new ways to breach our systems. The strategies outlined above are not mere checkboxes to tick and forget; they require regular evaluation to ensure adaptation to the ever-evolving threat landscape. 15 years ago, a complex password was good enough, then SMS MFA protected your systems; now we must look towards phishing-resistant MFA, PAM solutions, Network Zones and properly tuned defensive and monitoring systems.
