How Threat Actors Bypass 2-Factor Authentication

Updated: Aug 23, 2021

No time to read? Listen to this article here:


You’re using 2-Factor Authentication (2FA). An excellent choice! After all, isn’t it comforting to know that with 2FA enabled, any attempted intrusion will present an extra layer of protection between your sensitive data and phishing attacks?


Back during the time when I used to operate as a threat actor, I utilized the same set of tools and methods when developing phishing sites - and they are relatively easy to create too. Nowadays, off-the-shelf software can even automate the development of phishing kits, making it easier for Red Teamers to simulate attacks, and for actual threat actors to carry them out. While it’s a relief to know that 2FA prevents this level of phishing, it cannot prevent phishing attacks designed to steal a users’ session cookies.

When I first heard about 2FA, I thought to myself, “Finally. I dare somebody to try and pry this phone from my hand!” However, as with any kind of technology, especially involving security and the “Meatware” that uses it, unfortunately, it is the human element that poses the greatest risk to maintaining your online security. The human element includes both the user and the attacker, as one tries to outsmart the other in a proverbial dance of offensive and defensive strategies for supremacy.



Two-Factor Authentication Simplified


2FA is a process that involves a security system designed to decide if the individual attempting a login is the person they claim to be. The most common forms of 2FA require the user to enter a password and then have physical access to the cellphone or other smart device used when registering the account in order to receive a confirmation code - usually sent via SMS or email, or, sometimes, as an in-app prompt to scan a QR code that’s fundamentally associated with the registered device and the online account. Other forms include biometric fingerprints and facial recognition, as well as specialized physical code-generating tokens. There is, however, a design flaw with these security systems, because their function is simply to establish authentication, not to tangibly prove your identity.


Login attempts from an unrecognized IP address trigger red flags within the security system, which will issue a request to the user to confirm if the login was attempted by them or not. This means that even if an attacker has obtained your username and password, the credentials are useless against the 2FA due to the necessary physical involvement.



Session “Cookie” Hijacking: One Of Several Threat Vectors


When it comes to cybersecurity in general, it is important to adopt the mindset that nothing is hacker-proof, sadly because it gives you a correct perspective about your online security. When it comes to 2FA security, there are multiple ways threat actors can bypass it without gaining physical or remote access to your smart devices.


One method used to bypass 2FA and Multifactored Authentication (MFA) in general is called Session Hijacking, also known as Cookie Hijacking. I’m not talking about organic chocolate chip treats, but rather, the cookies that are created by web servers whenever a person is browsing a website which in turn, allows the website to remember you every time you revisit it. These tiny blocks of data are stored on your device as well as the web server, which also stores your credentials, what you searched and viewed, and every interaction you made with the website in question.


While extremely useful, 2FA and MFA never eliminated the threat of phishing attacks. These technologies only made it harder for attackers to achieve their goals. Most common garden variety scammers and phishers have a rudimentary knowledge of what they are doing, employing social engineering and general phishing tactics with open source tools to create a proxy web server posing as a trusted domain, hoping to dupe users into entering their credentials for capture. Still, when these authentication systems are enabled, it helps to limit an attacker’s surface area.



How The Attack Works


The first phase of a session or cookie hijacking attack usually starts when a user receives an unsolicited email or SMS text with a link, prompting them to open the message and click the link to login into their account in order to take some form of action. Perhaps the message received is alleging an unauthorized login attempt or some other kind of clickbait to entice the user into interacting with a malicious link, which may appear authentic. It's also worth noting that, lately, these messages can look near-identical to the real thing.


However, when interacted with, the link redirects the user to a duplicate login page of, say, Twitter, but created by the attacker. It’s running on their proxy web server, awaiting to intercept the username and password, and of course, the users’ session key stored within the respective session cookie.


After the user enters their account credentials, they will receive a 2FA prompt, informing them that a code has been sent via SMS. Phone in hand, they input the code they received, and the rest, as they say, is history. It is important to note that the 2FA code is not reusable, hence the importance of the cookie session to the attacker. The attacker needs the user to enter the 2FA code.


The threat vector lies in the fact that services such as Microsoft Outlook, Gmail, and social networking sites like LinkedIn allow a user's cookie session to be reused, making the cookies largely exploitable and susceptible to phishing attacks.


The next phase of the attack is when the threat actor in question reloads the users' session key into a web browser. They then simply refresh his browser, and voila - the account is now compromised. The attacker authenticates as the unsuspecting user, and the user's session has now been hijacked. As you see here, obtaining the username and password isn’t even necessary to complete this type of security breach.


Social media platforms that shoot email notifications to their users whenever someone sends a message or wants to join their network provide an additional attack vector because all the attacker has to do is send convincing spoofed emails to the user to trick them and begin the process.


In many instances, a threat actor can also use the "forgot password” feature, and, if 2FA is enabled for your account, you will receive the code sent to your phone or email account, prompting you to choose an action.


Final Thoughts


Needless to say, don’t stop using 2FA and MFA authentication security systems just because they’re still vulnerable to certain types of attacks. In the case of cybersecurity, any system is vulnerable under certain conditions. However, the extra layer of security these methods provide does make a difference, and selecting not to apply them to your accounts expands an attacker's options, also called an attack surface, significantly.


Underskilled cybercriminals are in abundance, and while they may be able to set up an open-source phisher after following step-by-step instructions found online, there is an additional step when attempting to hijack session cookies due to an enabled 2FA, limiting the scope of an underskilled intruder’s abilities if they don’t know how to execute this kind of attack.


Regardless of skill, 2FA and MFA can also act as deterrents to less ambitious intruders.


An article by

Jesse McGraw


Like this content? Subscribe to our newsletter to get weekly cybersecurity insights and top news - straight to your mailbox!

224 views0 comments