Bypassing 2FA - Secret Double Octopus

Every SaaS vendor: “Please add a phone number to keep your password secure.”
Hackers: “Lol”

Two factor authentication is all the rage right now. Consumers and business users alike are encouraged to use 2FA. It is often heralded as the ultimate solution to protect us against the dangers of identity theft and corporate data breaches.

Don’t get me wrong, 2FA is immensely better than a primitive login, but it is still not all that it is made out to be. Here is the deal: passwords are fundamentally unsafe. As long as passwords stay in the mix, defending accounts with additional layers of security (no matter how robust ) is a band-aid solution at best.

2FA fails to address the root cause and the motherload of all breaches – the passwords and the humans who create them. In this post we will focus on methods currently used by threat actors to bypass 2FA to demonstrate that the path to a stronger security and a true peace of mind lies in the realm of passwordless authentication.

How do hackers bypass Two Factor Authentication?

To begin with, hackers can use multiple exploit flows to target password-based 2FA logins, let’s dig into a few common techniques for bypassing 2FA in action:

Necro browser

All genius solutions are simple – this is one of them. Two tools Muraena and NecroBrowser automate phishing attacks that can bypass 2FA. Most defenses won’t stop them for a simple reason – these attacks go directly to the root cause of almost all breaches – the users.

The way it works is the same as any phishing scheme, save for one significant upgrade. Instead of simply creating a fake website that looks like a legitimate one to trick users into typing in their passwords, the toolkit acts as a proxy between the victim and a legitimate website. Once the user attempts to login – the request is sent on behalf of the user to the service. The user, mistakenly thinking that they are on the legit login page, hands in both the password and the 2FA PIN directly into the hands of the attacker.

Behind the scenes, the attacker logs-in using both factors on the actual login page and voila – they have complete access to the system. Fully automatically and in real time. Simple right?

The biggest issue with NecroBrowser is that although the setup for such an attack is relatively complex, since it is a completely automated tool, bypassing 2FA becomes accessible to almost anyone, regardless of their technological prowess.

Man in the browser attack

Man-in-the-browser attacks require some legwork. First, a hacker prepares in advance by infecting an endpoint with a Trojan virus. This is usually done by asking the user “nicely” with the help of phishing, social engineering and spear-phishing techniques.

Once the Trojan is active, the attacker is capable of controlling all of the user’s internet activities. Threat actor gets unabated access to the browser history and activity, and even sees what the user types in. Yes, including passwords.

Many Trojans designed for man-in-the-browser types of attacks can then generate code for extra input fields to appear on websites the user visits, including the ones required for stealing 2FA tokens.

Many users have trusted their browser with too much personal information… They really shouldn’t have.

Man in the browser - Secret Double Octopus

Social engineering and phishing

Manipulating the users into doing their bidding is hackers’ weapon of choice for a good reason: it works. Because social engineering uses human psychology against the users, no technology can effectively block social engineering attacks when passwords, and by extension humans are involved.

There are several ways social engineering can be leveraged to bypass 2FA:

Scenario one: The hacker has user credentials. Goes phishing.

The hacker sends a warning message to the user. The message says something along these lines: “Your user account has been accessed from a suspicious IP address if the IP does not belong to you please reply with the verification code sent to your number.”
At the same time, the hacker uses a username and password to log into the targeted service.
The service provider sends 2FA code to the connected device, thinking that the request came from the user
The user responds to the fake warning message with the verification code they just received

The result: Voila, the hacker was able to bypass the second step of 2FA.

Scenario Two: The hacker has no credentials to get a ride on. Still goes phishing.

The hacker does not know the username, password, phone number or the verification code. And still, uses social engineering and phishing attacks to get all of this (and more.)

The hacker first creates a persuasive email that looks like it is coming from the targeted service itself.
The email has a link that looks real. Once the user clicks the link, they are taken to a fake login page
When the user attempts to login on the fake page, the hacker uses the user credentials to simultaneously sign-in on the real website.
The real website sends a verification code to the number associated with the legitimate user
The user gets the 2FA token and enters it on the fake login site
The hacker gets the code as well and uses it to complete login on the real website.

The result: Voila, the hacker was able to bypass the second step of 2FA.

Privilege escalation

Once attackers have gained access to a corporate account, they then look for vulnerabilities, design flaws or configuration oversights to gain elevated access to protected resources all the way from the user level up to the Kernel level.

Once they have done that, they can manipulate 2FA settings. For example, modify the phone number associated with the account so that the OTP is now sent to the attacker’s device.

Preventing by removing the target – taking the human element out of the equation

In a password-first world humans are the last line of defense against hackers. This is a very precarious situation we got ourselves here, since 100% of data breaches involve humans.

Humans create easy to guess passwords, reuse passwords across services, write them down, share them, and often give them away without even realizing that they are doing it.

To be fair, it is the very nature of passwords that puts humans in the center of the security universe. It is shocking to contemplate, but it 2019, the outdated and outmoded password still remains the most common method of authentication. 2FA doesn’t change that – it only makes the situation a bit more palatable by adding more factors on top.

Basically, hackers can target 2FA authentication in an almost endless amount of ways:

Bruteforce the 2FA PINs
Intercept 2FA PINs “in transit”
Reroute 2FA to attacker’s device
Get 2FA PIN directly from the user, with spoofing and social engineering
Steal session tokens after 2FA occurs and log into the account without going through 2FA at all
Exploit bugs such as 2FA tokens that don’t expire, no rate limiting on 2FA text box.
And here comes the big one: sometimes people just leave huge troves of data lying around that includes 2FA tokens. (Happens more often than you’d think.)

All Hail Passwordless Authentication

The way out of this mess is simple – let go of passwords. Forget password managers and complicated password policies – they haven’t worked in the past, and they definitely won’t work in the future.

Passwordless authentication is 100% human proof. It means that we finally have an authentication method that doesn’t rely on the weakest link in security. It is time to let the whole paradigm of security that relies on user-controlled passwords behind – the technology has finally caught up.

The Octopus Authenticator of Secret Double Octopus is the only passwordless solution offering seamless, mathematically unbreakable authentication that doesn’t require humans to come-up with, manage, memorize or input passwords. Octopus provides the very highest in authentication assurance while completely removing password related hustle from the user experience.