For a long time, two- or multi-factor authentication (2FA/MFA) was considered a bulwark against identity theft when logging in to web services. Because these log-in systems required one piece of information in addition to the password entry, they offered extensive protection against hacker attacks. For example, cybercriminals had difficulty accessing the second access key or numeric code that a user received via SMS or voice message on their mobile device.    

It’s no wonder that 2FA/MFA became the security standard for many online retailers and Internet services – ranging from big players like Microsoft, Google and Amazon to smaller specialist providers like Dropbox. The user radius expanded further when 2FA became mandatory for all online banking transactions in the EU in 2019.

Endless cat-and-mouse game

But early on, state-motivated hackers set out to specifically undermine 2FA/MFA. They used special phishing methods to obtain valuable foreign currency via their victims’ account access data. However, as this security measure became more widespread, it also became a lucrative business for mainstream cybercriminals to attack the 2FA/MFA. Thus, successful hijacking of log-in data can be observed with increasing frequency in the business world, as well as in the private environment of users. This development also makes it clear that cybersecurity is a never-ending cat-and-mouse game: every time new security standards are established in practice, criminals are hot on their heels and find ways to cleverly undermine them. 

For example, cybersecurity vendor Proofpoint reports a growing supply of professional phishing kits available on the darknet for little money or even free. These phishing kits include software that can be used to create arbitrary web pages without any programming knowledge. Thus, even IT laymen are able to imitate the login pages of companies and online services. Users are then lured there with deceptively real-looking e-mails so that they enter their log-in and account data.

“Man-in-the-Middle” remains undetected

The success of this attack method is based on the fact that the fake website serves as a “man-in-the-middle” (MITM) between the two communication partners. In this way, both sides are pretended to be the respective counterpart. Once entered, the usernames and passwords end up directly on the phishing website and are forwarded to the provider website. The verification code that the provider sends to the user’s smartphone via SMS is also intercepted by the phishing website. In this way, the intermediary server can be used to intercept all data exchanged between the two communication partners.

According to Proofpoint security experts, phishing kits of varying complexity are available on the Internet. They range from simple open-source kits with readable code and lean functions to sophisticated toolkits with numerous layers of obfuscation and integrated modules. All kits serve the same purpose: hackers want to get their hands on usernames, passwords, MFA tokens and credit card numbers to steal sensitive data and funds or launch targeted attacks within an organization.

In Part 2, you’ll learn which areas are particularly targeted by 2FA/MFA attack methods and how to protect yourself and your organization.

Do you want to check beforehand if you would recognize a phishing email and get an insight into how to raise IT security awareness in your company? Then sign up for our free demo and get simulated phishing emails and access to our e-learnings in the Security Hub.