Bypassing Multi Factor Authentication (MFA)

Two-step or multi-step authentication is a major increase in the security of applications. Let’s make a short list of the different authentication methods that exist:

Something you know: the classic password, a word or key that only you know.
Something you are: any biometrics from your body, such as your fingerprints or a scan of your retina.
Something you have: your smartphone, a smartcard or a token generator.

MFA should be used whenever possible, as it makes it much more difficult for attackers. It is not enough to get the password, they must also manage to get the OTP (One Time Password) which is sent via a secondary channel. It is very common to implement MFA using a code sent via email or to the mobile phone via SMS.

Phishing Attack on MFA Account

Although MFA greatly increases security, it does not prevent users from falling prey to phishing attacks. Even if you have five different authentication factors active, if you click on the wrong link and enter your credentials, you will have nothing to do, the attacker will take over your account.

And that’s what I’m going to show you today, we’re going to break into the LinkedIn account of a user who has MFA enabled, through a phishing attack.

First Steps

To carry out this phishing attack, the first thing we have to do is to obtain a domain with a name similar to the one we want to impersonate. In this case, I have chosen the domain linkedln.com (note that there is an L instead of the second i in Linkedin).

Attackers often use a subtle difference like this in the name to fool clueless users who don’t do a thorough check of the domain name.

Secondly, we need to enable HTTPS on our fake domain. All browsers today will display a warning to the user if a page requests access over HTTP. Also, many users make the association HTTP -> not secure, HTTPS -> secure. Therefore, having HTTPS in our fake domain will allow us to gain a little more trust from the victim.

We must remember that HTTPS simply means that communications between client and server are secure, as they are encrypted. But if the server is controlled by the attacker, you are simply giving them your data… securely.

To get your domain to have HTTPS, you need to verify it with a Certificate Authority, which certifies that you are who you say you are and gives you the SSL/TLS certificate. This used to be a long and expensive process, but Google has had its own Certificate Authority, Let’s Encrypt, for years, which is completely free, so anyone can get HTTPS on their website.

Evilginx

Once we have the web server ready, we have to copy the HTML and Javascript code of the page we want to impersonate, in this case LinkedIn, to make our page look as real as possible. This is where the Evilginx tool comes into play, which allows us to automate the whole process in an easy and comfortable way.

Evilginx has different “phishlets” created by the community. The phishlets are copies of known websites on which the attack can be carried out. Using this tool you can make your website look like any of the most famous services, such as Okta, Github, Amazon, Paypal and of course Linkedin.

These are the commands we need to execute:

config domain linkedln.com – we indicate that the domain name we want to use for our attack is linkedln.com
phishlets hostname linkedin linkedln.com – We can configure different subdomains if we want to impersonate more than one domain at a time. This is not the case, so we return to linkedln.com.
phishlets enable linkedin – We enable the linkedin phishlet. We must have the SSL/TLS certificate and the private key in the Evilginx certificates folder.
phishlets – Check that the phishlet is enabled and the assigned domain is correct.
lures create linkedin – Generate a link for our victim.
lures get-url 1 – Get the link to send to the victim.

Social Engineering

Then comes the part where we have to use any social engineering technique to send the link to the victim and get them to click on it. On opening the link, the victim will see a page exactly like the original one, asking them to log in:

After entering the username and password, the second authentication factor will be requested in the same way as linkedin does:

Once the victim has entered it, they will be able to access their linkedin profile and navigate as if they were on the original web page, because in reality our server has been redirecting all the information entered by the user to the original linkedin page.

Therefore, the victim will not suspect anything and will be able to browse without being aware that we already have everything we need to access their account. If we check the tool, we can see that we have their email address and password. But we have something much more useful that will allow us to bypass the MFA: your session cookie.

Injecting the Session Cookie

When we log in to any web page, the server sends us a session cookie, which is the one we use for the rest of the requests we make to the server. This allows us to browse the website without having to register every time we want to perform an action. The session cookie is used so that the server knows that the request it receives has been sent by a user who is already authenticated and has permission to perform that action.

Therefore, given that we have obtained the victim’s session cookie, all we need to do from the attacking computer is to go to the original linkedin page, add the cookie to our browser and refresh the page to access the victim’s account, without the need to log in.

We can do this manually or use the EditThisCookie plugin, which allows us to import the cookie quickly and easily.

And that’s it! I hope you enjoyed this post. It is important to note that this is not a post against MFA, as it is a very useful technology that greatly increases the security of our accounts. But it is important to understand that if an attacker manages to trick you, they will be able to gain access, no matter how much you fortify your account.