Hacking an Account with MFA? Brute Forcing, using MFA Fatigue, Phishing...
by Dominic Alvieri
February 7th, 2025
SS7 probably has something to do with it
There must be a lot of great hackers nowadays with all the high profile social media account takeovers to start 2025. The NASDAQ stock market, TIME Magazine and Jupiter have all had their X accounts hacked to push crappy fake meme coins.
Sadly it isn't as difficult as it sounds.
What is your favorite method?
SMS (Short Message Service) text-message MFA is one of the most widely used MFA methods. SMS and voice calling have very poor authentication standards due to a technicality called SS7. Signaling System Number 7, or SS7, is the protocol that, in my hacker's opinion, allows phone numbers to be spoofed and messages to be hijacked.
You can use brute force, man-in-the-middle or man-in-the-mobile (MiTMO) attacks, phishing, MFA fatigue, or just SIM-jack the user's mobile, but one of the easiest is the social engineering method.
The Master Social Engineer
Social engineering doesn't need a degree, but it sure helps. One of the most effective and popular methods is to send an MFA code to the suspect and social engineer from there. Among the other easiest ways to bypass an account's MFA is to socially engineer the security team, claiming that you have lost your device...the device that has the MFA method tied to it. Obviously I have to leave a few details out depending on the tied method of authentication.
For the Security Teams: Beware of "I Lost my Device"
Security teams take note because the kids sure are taking advantage of this one.
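As an added defensive example (not code from the original post), here is a small detector for three of the patterns the post names: brute-forced MFA codes, MFA push fatigue, and an MFA device reset followed by a login from an address the user has never used. It runs over constructed authentication log lines; the log format, event names, IPs and thresholds are assumptions, not any identity provider's real schema.

```python
# Added example (not the post's code); log format, event names and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
WINDOW = timedelta(minutes=10)            # sliding window for code/push counting
CODE_FAIL_LIMIT = 4                       # wrong MFA codes in WINDOW -> brute force
PUSH_UNAPPROVED_LIMIT = 3                 # denied/ignored pushes, then an approval -> fatigue
RESET_LOGIN_WINDOW = timedelta(hours=24)  # "lost device" reset, then login from a new IP
# Constructed sample log, format "<ISO time> user=<u> event=<e> ip=<ip>" (documentation IPs)
SAMPLE_LOG = """\
2025-02-07T09:00:00 user=alice event=login_success ip=10.0.0.5
2025-02-07T09:01:00 user=bob event=mfa_code_fail ip=203.0.113.9
2025-02-07T09:01:20 user=bob event=mfa_code_fail ip=203.0.113.9
2025-02-07T09:01:40 user=bob event=mfa_code_fail ip=203.0.113.9
2025-02-07T09:02:00 user=bob event=mfa_code_fail ip=203.0.113.9
2025-02-07T22:10:00 user=carol event=mfa_push_denied ip=198.51.100.7
2025-02-07T22:11:00 user=carol event=mfa_push_timeout ip=198.51.100.7
2025-02-07T22:12:00 user=carol event=mfa_push_denied ip=198.51.100.7
2025-02-07T22:13:00 user=carol event=mfa_push_approved ip=198.51.100.7
2025-02-07T14:00:00 user=alice event=mfa_reset ip=10.0.0.50
2025-02-07T15:30:00 user=alice event=login_success ip=203.0.113.77
""".splitlines()

def parse(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return {**rec, "ts": datetime.fromisoformat(ts)}

def detect(lines):
    by_user = defaultdict(list)
    for rec in map(parse, lines):
        by_user[rec["user"]].append(rec)
    alerts = set()
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])          # the sample log is not in time order
        known_ips, last_reset = set(), None
        for i, r in enumerate(recs):
            recent = [x for x in recs[:i] if r["ts"] - x["ts"] <= WINDOW]
            fails = sum(x["event"] == "mfa_code_fail" for x in recent)
            if r["event"] == "mfa_code_fail" and fails + 1 >= CODE_FAIL_LIMIT:
                alerts.add((user, "mfa_code_bruteforce"))
            pushes = sum(x["event"] in ("mfa_push_denied", "mfa_push_timeout") for x in recent)
            if r["event"] == "mfa_push_approved" and pushes >= PUSH_UNAPPROVED_LIMIT:
                alerts.add((user, "mfa_push_fatigue"))
            if r["event"] == "mfa_reset":
                last_reset = r["ts"]
            elif r["event"] == "login_success":
                if last_reset and r["ts"] - last_reset <= RESET_LOGIN_WINDOW and r["ip"] not in known_ips:
                    alerts.add((user, "mfa_reset_then_new_ip_login"))
                known_ips.add(r["ip"])            # successful logins build the user's IP baseline
    return sorted(alerts)
```

Running `detect(SAMPLE_LOG)` flags bob for code brute force, carol for push fatigue, and alice for a post-reset login from an unseen IP, which is the "I lost my device" case a help desk should route for extra verification.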
Stay safe, online and off.