Social Engineering Tactics Evolve to Try and Compromise Accounts and Steal Login Credentials
Social engineering has taken on a new twist, according to cybersecurity experts. This online tactic, which leverages personal details gleaned from the Internet to try and convince a user to take action, is now arriving in the form of multi-factor authentication (MFA) prompts.
These usually arrive as push notifications from an app or unique codes delivered via email or text message. Reports have emerged of both criminal hackers and nation-state actors using this technique, in which bad actors attempt to irritate users with repeated MFA alerts. The hope, according to researchers who have studied the new social engineering tactic, is that users will become so annoyed by the prompts that they will unthinkingly accept the request to log in to their account.
Attackers start by finding publicly available phone numbers and email addresses through which they can deliver personalized messages to a target's devices and accounts. By bombarding someone with repeated alerts, often late at night when users aren't thinking as clearly or prepared for spam attempts, hackers attempt to gain access to a legitimate MFA portal, from which they can enroll another device. That shadow device can then be used to steal login credentials or access accounts that contain privileged information.
Other variations on this new social engineering trick include calling the target and pretending to be part of their actual business. If hackers can get the user on the phone, they can often impersonate a company executive or other key contact (discovered, for instance, by scrolling through social media accounts) and try to gain access to passwords or MFA portals. In addition, some hackers will send only one or two MFA prompts per day but at the same time to try and simulate legitimate login procedures.
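The pattern described above (a burst of push prompts, a user who denies a few and then approves one, and a new device enrolled shortly afterwards) is something an identity team can look for in its own authentication logs. The script below is an added example written for this page, not code from CMIT Solutions or from any MFA vendor; it assumes a simplified, constructed log format of `<timestamp> <user> <event>` and threshold values chosen for illustration, and it runs against sample lines embedded in the block.

```python
"""Flag MFA prompt bombing, fatigue approvals and shadow-device enrollment
in authentication events. Added example; thresholds and log format are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Tunable thresholds (assumptions for illustration, not figures from the article).
BURST_THRESHOLD = 5                  # pushes to one user within BURST_WINDOW
BURST_WINDOW = timedelta(minutes=10)
FATIGUE_DENIALS = 2                  # denials before an approval to call it fatigue
ENROLL_WINDOW = timedelta(hours=1)   # fatigue approval -> new device enrollment
OFF_HOURS = range(0, 6)              # 00:00-05:59 UTC counts as late night

# Constructed sample log lines (not from any real system).
# Event is one of: push_sent, push_denied, push_approved, device_enrolled.
SAMPLE_LOG = """\
2024-03-12T02:01:10Z alice push_sent
2024-03-12T02:01:25Z alice push_denied
2024-03-12T02:02:10Z alice push_sent
2024-03-12T02:02:40Z alice push_denied
2024-03-12T02:03:05Z alice push_sent
2024-03-12T02:03:50Z alice push_sent
2024-03-12T02:04:30Z alice push_sent
2024-03-12T02:05:02Z alice push_approved
2024-03-12T02:20:00Z alice device_enrolled
2024-03-12T09:15:00Z bob push_sent
2024-03-12T09:15:20Z bob push_approved
2024-03-13T09:15:00Z bob push_sent
2024-03-13T09:15:18Z bob push_approved
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, event) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, event))
    events.sort()
    return events


def detect(events):
    """Return a list of findings; each is a dict with a 'rule' and 'user' key."""
    findings = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    for user, evs in by_user.items():
        # Rule 1: push bombing, i.e. many prompts to one user in a short window.
        sent = [ts for ts, _, e in evs if e == "push_sent"]
        for i, start in enumerate(sent):
            in_window = [t for t in sent[i:] if t - start <= BURST_WINDOW]
            if len(in_window) >= BURST_THRESHOLD:
                findings.append({"rule": "push_bombing", "user": user, "start": start,
                                 "count": len(in_window),
                                 "off_hours": start.hour in OFF_HOURS})
                break  # one finding per user is enough to raise the alarm

        # Rule 2: fatigue approval, an approval that follows repeated denials.
        # Rule 3: shadow device, an enrollment soon after such an approval.
        denials_since_approval = 0
        last_fatigue_approval = None
        for ts, _, e in evs:
            if e == "push_denied":
                denials_since_approval += 1
            elif e == "push_approved":
                if denials_since_approval >= FATIGUE_DENIALS:
                    findings.append({"rule": "fatigue_approval", "user": user,
                                     "at": ts, "denials": denials_since_approval})
                    last_fatigue_approval = ts
                denials_since_approval = 0
            elif e == "device_enrolled":
                if last_fatigue_approval and ts - last_fatigue_approval <= ENROLL_WINDOW:
                    findings.append({"rule": "shadow_device", "user": user, "at": ts})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample data the script reports a five-prompt off-hours burst for `alice`, an approval after two denials, and a device enrolled fifteen minutes later, while `bob`'s single prompt per day at the same time each morning produces nothing. That second outcome is the point of correlating approval with enrollment rather than counting prompts alone: the low-and-slow variant the article mentions (one or two prompts a day at a consistent time) will not trip a burst threshold, but a device enrollment that follows a user's approval is still worth reviewing.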
No matter the method, the goal is usually the same: to steal sensitive information, gain access to protected accounts, and capture company data, often with the hopes of extracting a ransom or financial reward.
How can you protect your information and keep your digital identity safe?
CMIT Solutions has accumulated five tips to protect MFA and login credentials while understanding the threat to small and mid-sized businesses across North America.