Imagine Acme Corporation, a mid-sized business with a dedicated accounts payable department. Jane, an accounts payable clerk, handles sensitive financial transactions daily. Acme Corporation uses Multi-Factor Authentication (MFA) to protect its financial accounts, believing this provides adequate security.
One day, Jane receives an email that looks like it’s from one of their regular vendors, asking her to verify some payment information. She clicks the link, enters her credentials, and even approves the login request on her phone. Unbeknownst to her, she has just fallen victim to a Man-in-the-Middle (MitM) phishing attack.
The fake website Jane visited looks identical to the vendor’s login page. After she logs in, she is redirected to the actual vendor’s website, making it appear as though the login was successful. Jane has no idea her credentials were just stolen.
With access to Jane’s account, the attacker can initiate unauthorized transactions, manipulating payment information to divert funds to their own accounts. This leads to substantial financial losses, disrupts relationships with vendors, and causes significant operational disruption as the company scrambles to address the issue.
Why Your Current Security Controls Aren’t Enough
Jane’s story highlights that even standard security measures like MFA can fall short in protecting against MitM phishing attacks. Here’s why:
- Fake Websites Are Convincing: Cybercriminals create fake websites that look exactly like legitimate ones. It’s easy to be fooled, especially when the design and URL appear authentic at a quick glance.
- Real-Time Interception: In a MitM attack, the attacker intercepts information in real time. When Jane enters her credentials and MFA code on the fake site, the attacker instantly captures this data and uses it to log into the real site. This also gives the criminal ongoing access if the site or application offers "remember me" functionality.
- Multi-Factor Authentication (MFA) Can Be Bypassed: While MFA adds an extra layer of security, it can still be bypassed in a MitM attack. Since the attacker uses Jane's credentials to log into the legitimate site in real time, the MFA code (or push approval) Jane provides grants the attacker access just as if they were Jane.
Security Controls for IT/Security to Implement
While MitM phishing attacks are sophisticated, there are steps you can take to protect your business:
- Mutual Authentication Keys: Use mutual authentication, where both parties verify each other before establishing a connection. This can help ensure you’re communicating with legitimate entities.
- Intune Conditional Access: Implement Intune Conditional Access policies to ensure that only compliant devices can access your network. This adds another layer of security.
- Hardware Tokens for MFA: Use hardware tokens instead of or in addition to SMS-based or app-based MFA. Hardware tokens are less susceptible to interception.
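The two points above (real-time relay of a one-time code, and why a hardware key that binds its response to the site's origin is not relayable in the same way) are easier to see in a small model. The following Python is an added example, not code from the original post or from Vizius; it models the real vendor site, the attacker's transparent proxy, a TOTP app and a security key. The origins, usernames, password and the HMAC stand-in for the key's signature are all constructed for the example (a real FIDO2 key uses a public-key signature over the challenge and origin, but the property being demonstrated is the same).

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

# Constructed origins: the genuine vendor portal and the attacker's lookalike.
LEGIT_ORIGIN = "https://vendor-portal.example"
PHISH_ORIGIN = "https://vendor-portal-login.example"


def totp_code(secret: bytes, now: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps): the app-based MFA code in the story."""
    counter = int((time.time() if now is None else now) // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Authenticator:
    """Stand-in for a security key. HMAC over (challenge, origin) replaces the
    real public-key signature; what matters is that the browser's actual origin
    is part of the signed data."""

    def __init__(self, key: bytes):
        self.key = key

    def sign(self, challenge: str, origin: str) -> dict:
        sig = hmac.new(self.key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()
        return {"origin": origin, "sig": sig}


class RelyingParty:
    """Model of the genuine vendor site."""

    def __init__(self, origin: str):
        self.origin = origin
        self.users: Dict[str, dict] = {}
        self.challenges: Dict[str, str] = {}
        self.sessions: Dict[str, str] = {}

    def register(self, user: str, password: str, totp_secret: bytes, key: bytes) -> None:
        self.users[user] = {"password": password, "totp": totp_secret, "key": key}

    def _issue_session(self, user: str) -> str:
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def login_totp(self, user: str, password: str, code: str) -> Optional[str]:
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        now = time.time()
        # Accept the current and previous step so a step boundary does not reject a fresh code.
        if code not in (totp_code(rec["totp"], now), totp_code(rec["totp"], now - 30)):
            return None
        return self._issue_session(user)

    def begin_fido(self, user: str) -> str:
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def finish_fido(self, user: str, assertion: dict) -> Optional[str]:
        rec = self.users.get(user)
        challenge = self.challenges.pop(user, None)
        if rec is None or challenge is None:
            return None
        # The site only accepts assertions made for its own origin.
        if assertion["origin"] != self.origin:
            return None
        expected = Authenticator(rec["key"]).sign(challenge, self.origin)["sig"]
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None
        return self._issue_session(user)


class RelayProxy:
    """Model of the attacker's proxy: everything Jane sends is forwarded to the
    real site unchanged, so the password and TOTP code arrive there in real time."""

    def __init__(self, real_site: RelyingParty):
        self.real_site = real_site
        self.origin = PHISH_ORIGIN  # the origin Jane's browser is actually on

    def login_totp(self, user, password, code):
        return self.real_site.login_totp(user, password, code)

    def begin_fido(self, user):
        return self.real_site.begin_fido(user)

    def finish_fido(self, user, assertion):
        return self.real_site.finish_fido(user, assertion)


def run_scenario() -> Dict[str, bool]:
    site = RelyingParty(LEGIT_ORIGIN)
    totp_secret, key = secrets.token_bytes(20), secrets.token_bytes(32)
    site.register("jane", "correct-horse-battery", totp_secret, key)  # constructed credentials
    proxy, jane_key = RelayProxy(site), Authenticator(key)

    # 1. Password + TOTP typed into the lookalike: relayed, real site issues a session.
    relayed = proxy.login_totp("jane", "correct-horse-battery", totp_code(totp_secret))
    # 2. Security key used on the lookalike: assertion is bound to PHISH_ORIGIN, rejected.
    phished = proxy.finish_fido("jane", jane_key.sign(proxy.begin_fido("jane"), proxy.origin))
    # 3. Same key used directly on the real site: origin matches, accepted.
    direct = site.finish_fido("jane", jane_key.sign(site.begin_fido("jane"), site.origin))
    return {"totp_via_proxy": relayed is not None,
            "fido_via_proxy": phished is not None,
            "fido_direct": direct is not None}


if __name__ == "__main__":
    print(run_scenario())
```

Running it prints `{'totp_via_proxy': True, 'fido_via_proxy': False, 'fido_direct': True}`: the relayed password and code are indistinguishable from Jane's own login, while the origin-bound assertion fails at the real site because the browser signed for the lookalike's address, not the vendor's. When choosing "hardware tokens" for MFA, this origin binding (FIDO2/WebAuthn) is the property that defeats a relay; a hardware device that merely displays a one-time code is relayed exactly like the app code in step 1.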
Actions You Can Take
- Educate Yourself and Your Team: Awareness is the first line of defense. Regular training can help everyone recognize phishing attempts.
- Verify URLs and Email Addresses: Always double-check the URL and email addresses before entering any sensitive information. Look for slight misspellings or unusual characters.
- Monitor Accounts Regularly: Keep an eye on your accounts for any unusual activity and act swiftly if something seems off.
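"Unusual activity" after a relayed login has a recognisable shape in sign-in logs: the session was authenticated (MFA completed) from the employee's address, but moments later the same session token is presented from an address that never completed MFA, often followed by a mailbox rule being created. The following Python is an added example, not code from the original post or from Vizius, that runs that check over a constructed log sample; the line format, user names, session ids and IP addresses are all invented for the example and do not correspond to any particular identity provider's export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List

# Constructed sample of sign-in events (format invented for this example).
SAMPLE_LOG = """\
2024-05-02T09:12:04Z user=jane event=mfa_success ip=203.0.113.10 session=s1
2024-05-02T09:12:09Z user=jane event=session_use ip=198.51.100.77 session=s1
2024-05-02T09:14:40Z user=jane event=inbox_rule_created ip=198.51.100.77 session=s1
2024-05-02T09:20:31Z user=bob event=mfa_success ip=192.0.2.44 session=s2
2024-05-02T09:21:02Z user=bob event=session_use ip=192.0.2.44 session=s2
2024-05-02T13:05:00Z user=bob event=session_use ip=192.0.2.80 session=s2
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+) session=(?P<session>\S+)$"
)


def parse_log(text: str) -> List[dict]:
    """Parse the sample format into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_session_replay(events: List[dict], window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Flag a session whose token is used from an IP other than the one that
    completed MFA, within `window` of that MFA. A mailbox rule created in the
    same session raises the severity, since that is a common follow-on action."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    alerts = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        auth = next((e for e in evs if e["event"] == "mfa_success"), None)
        if auth is None:
            continue
        rule_created = any(e["event"] == "inbox_rule_created" for e in evs)
        for e in evs:
            if e["ts"] <= auth["ts"] or e["ip"] == auth["ip"]:
                continue
            if e["ts"] - auth["ts"] > window:
                continue  # later IP changes are left to other rules (tuning knob)
            alerts.append({
                "user": e["user"],
                "session": session,
                "auth_ip": auth["ip"],
                "use_ip": e["ip"],
                "seconds_after_mfa": int((e["ts"] - auth["ts"]).total_seconds()),
                "severity": "high" if rule_created else "medium",
            })
            break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, only Jane's session is flagged: MFA completed from 203.0.113.10, the token was used five seconds later from 198.51.100.77, and an inbox rule followed, so the alert is marked high. Bob's session changes address four hours later, outside the window, and is not flagged by this rule. The window is the tuning point: a relay proxy uses the captured session almost immediately, which is what makes the short interval a strong signal.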
Conclusion
MitM phishing is a sophisticated threat that can bypass standard security measures like MFA and quickly lead to full account takeover. By understanding the risks and implementing additional protective steps, you can better safeguard your business against these attacks. Stay vigilant, educate your team, and use advanced security solutions to stay one step ahead of cybercriminals.
At the Vizius Group, we have deep experience in solving this problem in diverse client environments. If you are interested in our help or advice, please reach out. https://www.vizius.com/contact/