Connect with us

Expert Speak

How Bad Guys are Undermining Trust in Multi-factor Authentication (MFA)



Dr. Renée Burton, Sr Director of Threat Intelligence for Infoblox

Written by Dr. Renée Burton, Sr Director of Threat Intelligence for Infoblox

Over the last several years, the adoption of multi-factor authentication (MFA) has gained momentum. Consumer advocates and government agencies alike recommend that everyone adopt the technology., As is often the case, when something becomes popular, it becomes a target; MFA is no different. Years ago, security campaigns encouraged users to move from easily guessed passwords to stronger passwords containing a variety of characters. In doing so, individuals and enterprises gained a sense of confidence from adopting another defence against criminals lurking on the internet.

But criminals are both persistent and smart: as people got tired of remembering all their now-complex passwords, they started storing them in password “wallets,” which the bad actors then targeted. Essentially, the same has happened with MFA. Multi-factor authentication, also known as two-factor authentication (2FA), adds additional security to online accounts and systems by requiring a user to verify their login request with something beyond their password. As users have become more confident in and reliant on MFA preventing compromise, threat actors began targeting MFA services as they were commercialized into a fairly small number of brokers. In defence, we are introducing a new algorithm class in Threat Insight called Rapid Domain Triage. With this capability, BloxOne Threat Defense customers will be able to automatically block suspicious domains in near real-time and be alerted of activity that will allow them to remediate attacks more quickly.

As Infoblox and others have reported, fake MFA domain attacks have risen greatly in the last 15 months, aided by a cheap toolkit available on the dark market to quickly implement an adversary-in-the-middle (AiTM) attack at scale. While the specifics vary, a common MFA attack works like this:

  • the attacker obtains a set of phone numbers of their targets
  • they register a domain name that is a lookalike to MFA, 2FA, Okta, Duo, or one of a handful of other well-known verification keywords
  • they use a toolkit to send out SMS text messages with some kind of urgent message requesting the user to verify their credentials to an account
  • when the user clicks on the link, the attacker actively interacts with them and intercepts the MFA codes; they may even phone the victim to further the deception
  • the attacker relays the user’s MFA codes into the real system and gains access to the user’s account
  • from there, the actors may perform other attacks to gain further access and escalate their privileges, or they may just steal user information and move on

These phishing attacks are used against consumers and enterprises alike. Infoblox has custom algorithms designed to detect the registration and utilization of MFA-lookalike domains, and we observe both widespread targeting of banking and other financial services, as well as spear phishing of institutions. We have seen a consistent rise in these attacks since June 2022 and detect hundreds of new MFA-lookalike domains every month. Mandiant recently reported that MFA SMS phishing (smishing) is a favourite technique of Scatter Spider, the actor behind the disruption of both MGM International and Caesar’s networks in September 2023.

We detect dozens of these domains queried in customer networks every month. While that may not seem like many, it only takes one successful phish to compromise a network. Software company Retool disclosed that this exact scenario happened to them in late August 2023, impacting nearly 30 of their cloud customers. Like Coinbase had done earlier this year, Retool provided a detailed account of the hack. In the Retool case, a Google setting, designed as a convenience feature for users, allowed the attacker much more significant access to internal networks than they would have gained from a standard AiTM smishing attack. Retool rightfully pointed out that in this case, MFA was no longer MFA because access to a single user’s Google account gave them access to all of that user’s internal applications. The hackers had both successfully targeted the company’s MFA authentication and Google’s MFA synchronization.

The details that Retool provided allowed us to take a closer look at the attack and compare its domains with others we have detected recently as MFA phishing. Retool fell victim to a spear-smishing attack on August 27th. A number of their employees received SMS messages indicating a problem that might prohibit their ability to enrol in healthcare coverage and including a link that appeared to be an Okta login. While most recipients disregarded the text messages, one employee followed the link. In this case, the attacker immediately phoned the employee pretending to be a member of their IT department.

This extra step helped cement employee trust; when the employee provided their MFA credentials, the attacker gained access to their corporate Google account. Unfortunately, they also were able to retrieve the user’s MFA tokens for other applications and penetrate internal networks. As Retool explains, this attack was not the fault of the employee. Hackers like this are con artists, and con artists are successful because they are good at social engineering, not because their victims are stupid. The scenario Retool faced has increasingly been observed over the last 15-18 months, although it was exacerbated by a GSuite setting that synchronized all of their active tokens into the cloud.

The link that the Retool employee clicked on was this:


The second level domain, oauthv2[.]app, was registered the same day it was used against Retool, August 27th. We have found that almost 100% of MFA-lookalike domains are used by the actor within 24 hours of registration. This is in startling contrast to the bulk of phishing domains we observe, where only 55% of them were used the same day they were registered. Many years ago, phishing domains were registered and used immediately, then dropped nearly as quickly, in a rapid cycle.

However, the security industry was quick to develop a response to these tactics including the blocking of newly registered domains and the development of scanning systems that looked for active phishing content based on registration data. Phishers responded by delaying the use of their domains, a practice called strategic ageing. Our data over the last 5 years has consistently shown a trend in phishing toward strategic ageing, with over 30% of domains being first observed in campaigns more than 3 days after registration.

If phishers wait to use their domains, why do those using MFA-lookalikes use them in campaigns immediately? We don’t know for sure, but we suspect it is an attempt to catch security systems unprepared. Unlike common phishing attacks, Retool employees were targeted using specific information about their company healthcare enrollment; this is called spearphishing. In these highly focused attacks, the actor typically creates a domain name that combines terms that reference multifactor authentication, such as 2FA, Okta, MFA or verify; with the company name. In the Retool attack, the domain oauthv2[.]com looks like a verification domain, but the actor added both retool and okta into the subdomains to further their deception. However, this kind of domain is likely to be picked up by domain name-based detection systems like ours. Indeed, it was. By acting quickly, the actor took advantage of the delay in security systems.

While there is no evidence that the domain oauthv2[.]com was used to target other companies, they could easily do so with a structure similar to the one used in the attack. We can see from global passive DNS (pDNS) data that the same actor registered a number of MFA lookalike domains around the same time. They appear to be targeting both general consumers and specific enterprises, based on the breadth of subdomains we observed in pDNS, as well as the other domains they have registered. Several of the subdomains suggest Coinbase, FedEx, ShipBob, and Cox Communications have been targeted, among others.

We detected a likely different actor conducting similar operations in September. The domains com-2fa[.]support, com-2fa[.].help, reset-2fa[.]com, and com-reset[.]help included Coinbase in the subdomains, e.g.,[.]support. Based on our MFA lookalike detections over the past 6 months, Coinbase may be the most targeted of all companies for recent MFA spear phishing attacks, with a fairly constant set of domains designed to fool their customers or employees. Similar to the Retool attacker, this actor runs a range of phishing attacks including lookalikes to various cryptocurrency sites.

While generic MFA lookalikes are common, we also detect a large number of malicious domains that include both a company lookalike and a term associated with MFA. Often the company name will be shortened or misspelled. Financial institutions and internet service providers are common targets of this approach. Examples of such phishing domains observed in September include samtanfe-verify[.]click, 2fa-portal-nsandi[.]com, scotiasecureinfo-verify[.]services, and verify-wick[.]xyz. These domains are lookalikes to entities in banking and Discord bots.

While we detect hundreds of MFA lookalikes every month, we detect tens of thousands of lookalikes of commercial enterprises and services. Frequently threat actors, like the one that attacked Retool, will dabble in a variety of methods to exploit users, including general lookalike phishing domains as well as spear phishing. The actor who registered com-2fa[.]support, for example, also registered coinbase-live[.]support and smart-core[.]fr, both lookalikes to cryptocurrency companies.

The sheer number of lookalike domains we detect demonstrates the burden on users to guard both their home and their workplace. While some security pundits argue that successful attacks highlight the need for more vigilance on the part of users, shaming users for the failure of security systems to protect them is not the answer.  Infoblox has had lookalike detection in place for three years, and specially tuned MFA-lookalike detection since early this year, in order to find and block the domains before they impact our customers. We are constantly refining our approach and learning from events where we failed to detect malicious activity.

Although the Retool compromise came via an SMS message, MFA lookalike attacks are delivered in other ways as well. Phishing emails, compromised and fraudulent websites, and malvertising are all some ways that an attacker can deliver a link. Earlier this year, the US Cybersecurity and Infrastructure Security (CISA) released a joint Cybersecurity Advisory regarding a phishing campaign that involves the malicious use of legitimate remote monitoring and management (RMM) software. In those incidents, the attacker prompted the user to enter a lookalike domain over the phone into a web browser. There are many ways to trick a user into visiting a domain!

Whether you are receiving a prompt for MFA as a consumer or an employee, be sceptical if there is anything unusual about it. Criminals have all day to think about new ways to fool you so it is important to be ever vigilant. At the same time, we in the security industry shouldn’t participate in victim blaming. It is our job to constantly improve our abilities to automatically thwart the bad guys and try to turn the tables on them. With MFA lookalikes and the broad push to adopt the technology, we’ve also given them a way to focus their attention.

We became alarmed by the use of MFA-lookalike domains immediately following their registration for spear phishing attacks early this year. While these attacks are rare, when successful they can be profoundly damaging, as the Retool hack attests. We became aware of multiple instances where we flagged a domain as suspicious a few hours after the attack, including the domain used against Retool. Retool’s attacker was able to use the stolen MFA tokens to access several internal systems and take over 27 customer accounts. All of this took some time, both for the attacker to accomplish and for Retool to discover. With Rapid Domain Triage, Retool would have received an alert for a potential spear phishing attack on their network with all the asset and timing information necessary for them to isolate the device and perhaps even thwart the attacker before they were fully inside their systems.

Cyber Security

Cybersecurity on a Budget: Affordable Cybersecurity Strategies for Small Businesses



According to a survey by Statista, typically, global enterprises dedicate a minimum of 12% of their IT expenditure to information security measures. While larger companies can afford to spend a lot on building a robust cybersecurity strategy, smaller businesses cannot. So, let’s explore some affordable cybersecurity strategies for small businesses that may cost less but have a greater impact.

Train your employees
An article from Forbes found that, annually, 34% of businesses worldwide encounter incidents involving insider attacks. Whether intentional or unintentional, employees tend to be the reason for most data breaches. Per the same article, phishing emails account for 67% of accidental insider attacks.

Phishing attacks mostly instil a sense of urgency in the victim, making it harder for them to think clearly before making a decision. For example, employees may click an email announcement about a bonus that actually came from a malicious outsider impersonating your company’s CEO.

To avoid such mistakes, it’s imperative to train employees on the types of phishing attacks and the ways to identify them. Even going as far as sending a mock phishing email occasionally to test their instincts and educate them can go a long way.

Assess your vulnerabilities
One of the most important cybersecurity strategies is to assess all your risk points by periodically reviewing all your business processes. Pay more attention to teams that deal with a lot of customer data. For instance, sales and marketing teams may handle customer data on a day-to-day basis, so they are at high risk of leaking or mishandling data. Assess their daily activities, create a record of all the risk points, and find ways to mitigate them.

Encrypt your data
Encrypting your data can be an effective method to protect it in case of data leaks. Let’s say a hacker gets hold of your company’s data, but it’s encrypted. Unless the hacker gets the encryption key from you, they cannot access your company’s data. This adds another layer of protection in addition to the everyday cybersecurity best practices that you should be following in your company. So make it a point to encrypt all your data, especially sensitive and critical data.

Limit access to critical data
Not everyone requires access to all data. Try to limit access to critical and sensitive data to fewer employees by basing access on work duties or requiring approval for access, making it a multi-step process to access it. Additionally, periodically review who has access to what data to ensure there aren’t any misallocations of access.

Secure your Wi-Fi
A secure network will reduce the chances of a hack or unauthorized access to your sensitive data. So switch your Wi-Fi to WPA2 or later, as it offers more security. Your business might already be using it, but it’s best to be sure. Additionally, change the name of your SSID and have a strong pre-shared key to keep your Wi-Fi safe from hackers.

Prevent physical theft
Through April 2023, there were 3,785 robberies in London, and 1,765 were of mobile phones. This highlights how important it is to secure your physical assets, as they might contain critical and sensitive information about your organization.

Here are some ways to protect your physical assets, such as PCs, laptops, scanners, and printers:

  1. Restrict unauthorized access to assets.
  2. Install a physical tracker on all devices to track down lost items.
  3. Enable remote wiping of data to erase information if a device is lost.

Cybersecurity strategies are seldom drafted with affordability in mind. However, it is crucial to consider them from a financial perspective, as small businesses are also increasingly susceptible to cyberattacks. These tips can help you take the first step toward creating a secure IT environment. Learn more about cybersecurity solutions for your business.

Continue Reading

Cyber Security

Managed Security Service: Right Choice for Your Company?



Written by Lev Matveev, SearchInform Founder and Chairman of the Board of Directors

75% of information security experts consider insider threats more dangerous than hacker attacks. This is proven by the SearchInform survey conducted annually. Insider threats include data loss, fraud, theft, kickbacks, business on the side, etc. These are serious risks for any business, resulting in major financial losses, reputational damage and fines from law enforcement agencies. Nevertheless, many companies still do not ensure reliable protection against insider threats.

The reasons are the following:

  • Hardware and software for data protection are costly
  • The market lacks data security experts
  • SMEs cannot compete with large enterprises to engage professionals.

According to our 2022 survey, one-third of companies recognize an acute shortage of information security experts and cannot ensure protection in-house. Therefore, in 2019 we decided to launch a managed security service based on our protection solutions, which gives the opportunity to use them without hiring security specialists.

The SearchInform service provides protection against data breaches, internal fraud, document forgery and other violations by employees. It solves the tasks of monitoring employee working hours, compliance with legal and regulatory requirements, and many more.

We take on all tasks that are usually handled by in-house security staff. Our experts install and maintain security software, customize security policies for effective control, constantly monitor the situation in the company, detect incidents and investigate them. The client receives detailed and visual reports, as well as emergency alerts if it is required to take urgent measures and prevent an incident.

Availing the service, the client does not need to hire a security expert and therefore does not need to spend on social benefits, vacations or sick leaves. The client’s business remains protected if a security employee resigns or takes an unpaid leave. At the same time, our analyst has diverse work experience, knows the solutions well and has all the necessary competencies to work with them.  Since we are unacquainted with the client’s employees, our expert will be impartial and will not take anyone’s side. All this allows the clients to save time and money.

When do companies really need MSS?
According to our observations, the service is the best choice for companies with 30-500 employees and without an in-house IS department.  When the staff number increases, top managers can no longer control everything and face a high risk of incidents.

Here are a few common situations when you should choose managed security service.

  1. A company does not have internal security officers or lacks the budget to form a security department. Our service was originated to make data security more affordable. It significantly reduces the company’s costs, as there is no need to purchase software licenses, hardware, or hire a full-time information security officer. 
  2. Full-scale protection is required immediately. Companies often turn to managed security services after an incident has already occurred. It becomes clear that to prevent this in future, it is necessary to implement special security software, purchase additional equipment, and hire a data security officer. These steps will take a lot of time. The service will start protecting your business within 1-2 days.
  3. A company is not sure that the purchase of security systems will pay off eventually. Our service is an opportunity to test them in real conditions and assess whether they are worth purchasing in each specific case. One first month of the service is free.
  4. A company wants to conduct a security audit and get a complete picture of the corporate security. The service allows you to quickly find out what data is stored, where exactly it is stored and whether there are access rights violations. As far as the first month, our expert detects cases of corporate fraud, document forgery and other violations, as well as cases of idleness, business on the side or work for competitors. 
  5. For compliance with regulatory requirements. More and more regulations are being adopted or waiting to be adopted. SAMA, GDPR, and DCC incentivize companies to take measures to ensure data security. Some regulations, such as the UAE Information Security Regulation issued by the United Arab Emirates Telecommunications and Digital Technology Authority, even stipulate the use of DLP as a means of preventing data loss. To avoid the risk of hefty fines or lawsuits for non-compliance, you can use our managed security service.

I believe that outsourced data security should soon become as widespread as outsourced accounting or IT services. It is just a matter of time.

SearchInform offers a free trial version for one month! 

During this month, clients can assess whether the service really meets their needs. According to our experience, 100% of companies discover some kind of problems during the trial, ranging from the idleness of their employees to corporate fraud and confidential data leakage. 70% of companies that request a free trial continue to work with us.

Request a free trial of the service for one month!

Contact us for more information:
Office Address: 10C-15, I-Rise Tower, Hessa Street, Barsha Heights, Dubai, UAE.

– Sponsored Content

Continue Reading

Expert Speak

Five Tips to Stay Out of the Phishing Trap



Written by Bashar Bashaireh, Managing Director, Middle East & Turkey, Cloudflare

Email is the most exploited business application. It is the primary initial attack vector for cybersecurity incidents and contains vast amounts of trade secrets, PII, financial data, and other sensitive matters of value to attackers.

On top of that, email is one of the hardest applications to secure. If it were simple, there would be fewer headlines about business email compromise (BEC) losses topping $50 billion, and fewer breaches resulting from someone falling for a phish. Once an attacker has infiltrated one email account, they can move laterally and impact a wide range of internal systems. Phishing is as common in the public sector as it is in the private sector and besides the obvious financial implications, there is also the issue of damage to the reputation of the enterprise.

Cloudflare recently published its 2023 Phishing Threats Report. The three key takeaways are:

  • Attackers use links as the #1 phishing tactic— and are evolving how they get you to click and when they weaponize the link.
  • Identity deception takes multiple forms and can easily bypass email authentication standards.
  • Attackers may pretend to be hundreds of different organizations, but they primarily impersonate the entities we trust (and need to get work done).

Below are some recommendations that will help organizations stay out of the Phishing trap:

  • Secure email with a Zero Trust approach – Despite email’s pervasiveness, many organizations still follow a “castle-and-moat” security model that trusts messages from certain individuals and systems by default. With a Zero Trust security model, you trust no one and nothing. No user or device has completely unfettered, trusted access to all apps — including email — or network resources. This mindset shift is especially critical if you have multi-cloud environments and a remote or hybrid workforce. Don’t trust emails just because they have email authentication set up, are from reputable domains, or “from” someone with whom you have a prior communication history. Choose a cloud email security solution rooted in the Zero Trust model and make it more difficult for attackers to exploit existing trust in “known” senders.
  • Augment cloud email with multiple anti-phishing controls – A multi-layered defence can preemptively address high-risk areas for email exposure, including:
    • Blocking never-before-seen attacks in real-time, without needing to “tune” a SEG or wait for policy updates
    • Exposing malware-less financial fraud such as VEC and supply chain phishing
    • Automatically isolating suspicious links or attachments in email
    • Identifying and stopping data exfiltration, particularly via cloud-based email and collaboration tools
    • Discovering compromised accounts and domains attackers use to launch campaigns

More organizations are choosing a layered approach to phishing protection. As noted in The Forrester Wave: Enterprise Email Security, Q2 2023, “The email security vendors you work with should demonstrate an ability to connect and share data with each other and with key tools in your security tech stack.

  • Adopt phishing-resistant multi-factor authentication – Any form of multi-factor authentication (MFA) is better than none, but not all MFAs provide the same level of security. Hardware security keys are among the most secure authentication methods for preventing successful phishing attacks; they can protect networks even if attackers gain access to usernames and passwords. Consider replacing MFA methods like SMS or time-based OTP with more proven methods like FIDO-2 compliant MFA implementations.Applying the principle of least privilege can also ensure hackers who make it past MFA controls can access only a limited set of apps, and partitioning the network with micro-segmentation can prevent lateral movement and contain any breaches early.
  • Make it harder for humans to make mistakes – The larger your organization, the more each of your teams will want to use their own preferred tools and software. Meet employees and teams where they are by making the tools they already use more secure and preventing them from making mistakes.For example, email link isolation, which integrates email security with remote browser isolation (RBI) technology, can automatically block and isolate domains that host phishing links, instead of relying on users to stop themselves from clicking.
  • Establish a paranoid, blame-free culture– Encouraging an open, transparent “see something, say something approach” to collaborating with your IT and security incident response teams 24/7 helps get everyone on “team cyber.”Minutes matter during attacks. Establishing a paranoid but blame-free culture that reports suspicious activity — as well as genuine mistakes — early and often helps ensure incidents (no matter how rare) are reported as soon as possible.
Continue Reading

Follow Us


Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.