
To Trust or Not to Trust: Multi-Factor Authentication

By Yong Kwang Kek, Senior Director – Technical Sales, APJ at Infoblox

What do smart video doorbells and multi-factor authentication (MFA) have in common? Both were designed to improve security and user convenience, yet both can foster a false sense of safety. A homeowner who relies too heavily on a smart doorbell may neglect basic physical security, much as users become complacent about their cyber hygiene because they perceive MFA as robust.

In Singapore, where MFA mechanisms are used to safeguard many digital services, there is a high level of trust in its effectiveness in protecting users’ accounts. While MFA has undoubtedly improved security by requiring additional verification beyond just a password, it’s not impenetrable.

MFA’s widespread adoption has also made it a high-value target for cybercriminals. Attackers who see profit in bypassing this layer go after the weakest link in cybersecurity: people. They exploit that perceived safety, using phishing to obtain the target’s MFA code. Because a one-time code is only valid for a short window, the attacker typically has to capture and use it in real time, but once they do, the door to sensitive systems is open.

This trend prompts critical reflection on our dependency on MFA. Are we over-reliant on it? What are the security gaps of MFA, and how can everyone – individuals and organisations – improve their security posture to counteract these evolving cyber threats?

Uncovering how MFA scams happen

Commonly, cybercriminals register lookalike domains to host fake websites that mimic legitimate ones — for example: www.go0gle.com, with a zero in place of the letter o. When the user visits the fake site and enters their password and MFA code, the cybercriminal relays them to the real site in real time (an adversary-in-the-middle attack), so the one-time code is consumed before it expires. The attacker might even phone the victim to make the ruse more convincing. With the hijacked session, cybercriminals gain access to the user’s accounts and can move deeper into the corporate network. Some go to great lengths to avoid suspicion, posing as customer service representatives and contacting victims directly to “confirm” the activity the victim has just performed on the fraudulent page, so the whole interaction looks like a routine account verification.

This is essentially what happened to Retool, a US-based software development company. In August 2023, cybercriminals launched an SMS phishing attack aimed at Retool’s employees. Masquerading as members of the IT team, they instructed recipients to click a seemingly legitimate link to resolve a payroll-related issue. One employee fell for the phishing trap, which led them to a lookalike domain that captured their credentials; a follow-up phone call from the attacker then extracted the MFA code needed to complete the login. In total, the accounts of 27 cloud customers were compromised.

Vigilance Beats Complacency

In an era where cyber threats lurk everywhere in the shadows, organisations must prioritise DNS monitoring as a way to cast light into those shadows and see what others would miss. Almost every phishing click, malware download or command-and-control connection begins with a DNS query, so integrating security controls with DNS servers enables early detection of threats, often invisible to employees, in the initial stages of the attack. Organisations can then identify potential malware, phishing and ransomware activity before it spreads laterally, reducing the risk of data breaches and cyber-attacks.

Business and IT leaders may also explore dynamic alerting tools capable of identifying potential spear phishing attacks on their network. These tools give teams visibility into newly observed high-risk lookalike domains and the risk profile of the devices that queried them. With that information, teams can isolate the affected device and thwart the attacker before they can dig deeper into the corporate system.
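The lookalike domains described earlier and the DNS-based detection discussed in the last two paragraphs come together in the following added example. It is not code from the article or from Infoblox; it is a small, self-contained Python script that scans constructed DNS query log lines for registrable domains that resemble a list of protected brand domains. The protected list (google.com, behind the go0gle.com example, plus a hypothetical example-corp.com), the homoglyph table, the log format and the sample log lines are all assumptions made for this demonstration. It flags three patterns: digit-for-letter homoglyph substitution, single-edit typosquats, and a brand name embedded in a longer label.

```python
"""Flag lookalike domains in DNS query logs (added example, not Infoblox code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: the organisation protects these registrable domains. "google.com"
# is the brand behind the article's go0gle.com example; "example-corp.com" is a
# hypothetical corporate domain used only for this demonstration.
PROTECTED_DOMAINS = ["google.com", "example-corp.com"]

# Common character substitutions seen in lookalike registrations (assumed list).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed DNS query log lines: timestamp, client IP, record type, qname.
# These are sample data written for this example, not real traffic.
SAMPLE_LOG = """\
2023-08-27T10:01:02Z 10.0.0.5 A www.google.com
2023-08-27T10:01:09Z 10.0.0.5 A www.go0gle.com
2023-08-27T10:02:11Z 10.0.0.7 A login.example-corp.com
2023-08-27T10:02:40Z 10.0.0.9 A login.examp1e-corp.com
2023-08-27T10:03:05Z 10.0.0.9 A sso.example-corp-payroll.com
2023-08-27T10:03:31Z 10.0.0.12 A news.bbc.com
2023-08-27T10:04:00Z 10.0.0.12 A exampl-corp.com
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


@dataclass(frozen=True)
class Finding:
    client: str
    qname: str
    lookalike_of: str
    reason: str


def registrable_domain(qname: str) -> str:
    """Return the last two labels of a hostname.

    Assumption: a production scanner would consult the Public Suffix List so
    that names under multi-label suffixes such as co.uk are handled correctly;
    two labels are enough for the sample data here.
    """
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Undo the common homoglyph substitutions (digit-for-letter swaps)."""
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, protected: list[str] = PROTECTED_DOMAINS) -> tuple[str, str] | None:
    """Return (protected_domain, reason) if `domain` resembles a protected one.

    An exact match is legitimate and returns None, as does an unrelated domain.
    """
    if domain in protected or "." not in domain:
        return None
    label = domain.rsplit(".", 1)[0]
    for good in protected:
        good_label = good.rsplit(".", 1)[0]
        if normalise(label) == good_label:
            return good, "homoglyph substitution"
        if levenshtein(label, good_label) <= 1:
            return good, "single-edit typosquat"
        if good_label in label:
            return good, "brand embedded in longer label"
    return None


def scan_log(log_text: str) -> list[Finding]:
    """Run the lookalike check over every query line and collect findings."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        _ts, client, _rtype, qname = m.groups()
        hit = classify(registrable_domain(qname))
        if hit:
            findings.append(Finding(client, qname, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} queried {f.qname}: {f.reason} of {f.lookalike_of}")
```

Run against the sample log, the scan reports four lookalikes and two distinct client IPs, which is exactly the device-level signal the paragraph above describes: the queries for the legitimate google.com and example-corp.com names, and the unrelated bbc.com, produce no finding. Thresholds such as the edit distance of one are deliberately conservative; widening them catches more squats at the cost of false positives on short brand names.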

Moving the Needle

Based on the breadth of subdomains we observed in global passive DNS data, the cybercriminals responsible for the Retool hack registered several MFA-themed lookalike domains at around the same time. This suggests that they were looking to exploit both general consumers and specific enterprises.

Judging by the sheer number of lookalike domains, it is clear that our cybersecurity strategies must evolve accordingly. Just as a smart home requires more than a smart door lock to be secure, digital security needs more than MFA. It requires continuous monitoring, education on phishing tactics, and a proactive defence strategy, such as DNS traffic analysis and domain monitoring, to identify and neutralise threats before they can cause damage.
