TTPwire Vol. 1 · MITRE ATT&CK·Tagged

← All stories

F5 Labs

Attacker Tricks for Taking Over Risk-Based Multifactor Authentication

2021-06-17 · Read original ↗

ATT&CK techniques detected

10 predictions
T1556.006Multi-Factor Authentication
95%
“and makes it more difficult to compromise an account. but it diminishes the user experience, and businesses often design easier paths based on risk assessment. fraudsters and attackers are on the lookout for these easy paths and employ a range of techniques to bypass mfa controls…”
T1556.006Multi-Factor Authentication
86%
“’ s something the user knows ( such as a password ) and something the user has. the second factor is usually a code sent via text message, a hardware token, or a dedicated multifactor authentication app. after entering a username and password, the user must enter the code to comp…”
T1556.006Multi-Factor Authentication
80%
“attacker tricks for taking over risk - based multifactor authentication attackers are always on the lookout to compromise digital identities ( / content / f5 - labs - v2 / en / archive - pages / education / digital - identity - is - an - increasingly - popular - attack - vector -…”
T1111Multi-Factor Authentication Interception
76%
“. about 1, 500 requests were aimed at either logons or change password requests using a genesis plugin that spoofed the attacker ’ s device as the customer ’ s device. these requests, which produced around 900 unique browser fingerprints, were crafted to trick the financial insti…”
T1556.006Multi-Factor Authentication
70%
“enforcing mfa on the first logon. it then subsequently allows transactions from this trusted user device, which may include credit card details stored in a user ’ s profile. this improves the experience for the user, who is not forced to provide a second factor for every transact…”
T1566.002Spearphishing Link
63%
“. about 1, 500 requests were aimed at either logons or change password requests using a genesis plugin that spoofed the attacker ’ s device as the customer ’ s device. these requests, which produced around 900 unique browser fingerprints, were crafted to trick the financial insti…”
T1621Multi-Factor Authentication Request Generation
55%
“’ s something the user knows ( such as a password ) and something the user has. the second factor is usually a code sent via text message, a hardware token, or a dedicated multifactor authentication app. after entering a username and password, the user must enter the code to comp…”
T1621Multi-Factor Authentication Request Generation
41%
“. about 1, 500 requests were aimed at either logons or change password requests using a genesis plugin that spoofed the attacker ’ s device as the customer ’ s device. these requests, which produced around 900 unique browser fingerprints, were crafted to trick the financial insti…”
T1556.006Multi-Factor Authentication
40%
“##s that cannot be reused. rtpps transform phishing from asynchronous to real - time, enabling attackers to capture of mfa codes or the authenticated session cookies. armed with these, fraudsters can impersonate a genuine user and complete transactions. f5 labs, along with shape …”
T1557Adversary-in-the-Middle
32%
“. about 1, 500 requests were aimed at either logons or change password requests using a genesis plugin that spoofed the attacker ’ s device as the customer ’ s device. these requests, which produced around 900 unique browser fingerprints, were crafted to trick the financial insti…”

Summary

From spoofing device fingerprints to hijacking authenticated sessions, attackers use a range of techniques to bypass multifactor authentication.