Multi factor authentication has long been presented as the gold standard of account security, yet criminal groups have proven it is not a final barrier. Cyber Criminals have developed a diverse set of methods designed to exploit users, corporate processes, and overlooked technical gaps. These methods demonstrate MFA is only as strong as the environment around it.
TYPES OF MULTI FACTOR AUTHENTICATION
MFA is not a single technology but a framework combining multiple layers of verification. Common types include:
- SMS or Email Codes - A one time code is sent via text message or email the user must enter when logging in.
- Authenticator Apps - Time based one time passwords generated by apps such as Google Authenticator, Microsoft Authenticator, or Authy.
- Push Notifications - Services send a prompt to a registered device asking the user to approve or deny a login.
- Hardware Tokens - Physical devices like YubiKey or RSA tokens generate or store authentication codes.
- Biometrics - Fingerprints, facial recognition, or iris scans on the device being used to log-in
- Backup or Recovery Codes - Pre generated codes stored securely by the user in case the primary method is unavailable.
- OAuth or Single Sign On Permissions - Third party app approvals grant access without entering a password for each login.
Understanding these types is critical because different scams target different forms of MFA, exploiting weaknesses in the delivery method or in human response.
REAL TIME PHISHING
One of the most powerful tools is real time phishing. The criminal sets up a fraudulent site mirroring the genuine login page with near perfect accuracy. When the victim enters credentials, the site immediately pushes those details to the criminal. The victim is then prompted for their MFA code, which is instantly forwarded and used to log in to the true service. This method is favoured by groups operating large scale credential harvesting networks, especially the ones running phishing kits designed to bypass MFA. The sophistication is not in breaking the authentication itself, but in creating a convincing environment leading the victim into handing over everything willingly.
MFA types exploited in this attack:
- SMS codes
- Email codes
- Authenticator app codes
- Hardware token codes
- Backup codes
MFA FATIGUE ATTACKS
MFA fatigue attacks have become a primary method for penetrating corporate accounts. Criminals repeatedly send push authentication prompts to the victim until frustration overrides caution. Eventually, many victims accept a prompt simply to make the alerts stop. Once a single approval is given, the attacker gains access. This tactic is widely used by professional intrusion groups relying on psychological manipulation rather than complex malware. Several high profile breaches in recent years followed this exact pattern, proving how human persistence can be weaponised.
MFA types exploited in this attack:
- Push notifications
No other MFA type is vulnerable to fatigue style pressure because they require a deliberate manual input rather than a passive approval.
SIM SWAP FRAUD
SIM swap fraud continues to be a preferred tactic for financially motivated groups. The criminal convinces a mobile carrier to transfer a victim’s telephone number to a SIM card controlled by the attacker. With the number in hand, the criminal receives all SMS codes, voicemail resets, and recovery links. This allows complete takeover of banking, email, and cryptocurrency accounts. The attack does not defeat MFA through technical means. It exploits gaps in customer verification at the carrier level. Organised rings operating the world over have repeatedly used this method to drain investment accounts and take over high value digital assets.
MFA types exploited in this attack:
- SMS codes
- Phone call verification
- Some recovery processes relying on telephone number ownership
Authenticator apps, hardware tokens, biometrics, and OAuth permissions are not directly affected by a SIM swap.
SESSION HIJACKING
Session hijacking bypasses MFA entirely. Malware installed on a victim’s device waits until the victim logs in normally. Instead of capturing credentials, it captures the authenticated session token. This token grants access without triggering any additional authentication challenge. These attacks rely on malicious browser extensions, infected downloads, or scripts injected through compromised websites. The infrastructure behind these attacks is often shared among multiple criminal groups, many of which operate subscription based malware services such as GhostGPT and FraudGPT
MFA types exploited in this attack:
- All MFA types indirectly, because the attacker waits until the user completes authentication
The method does not target the MFA itself but removes the need for it altogether
MALICIOUS APPLICATIONS / MALWARE
Malicious applications are another pathway around MFA. When victims install a trojanised app, the malware can read incoming SMS codes, intercept push notifications, and even display counterfeit MFA screens designed to harvest the victims' responses. Criminal developers embed these functions inside seemingly legitimate utilities such as cryptocurrency trackers, mobile cleaners, and budget management tools. These operations are known to run from structured call center style environments, similar to the ones associated with certain Sakawa influenced cyber fraud groups who specialize in blending social engineering with technical compromise.
MFA types exploited in this attack:
- SMS codes
- Email codes
- Push notifications
- Authenticator app codes
- Backup codes
Biometric authentication is not directly captured unless the device itself is fully compromised at the operating system level.
ACCOUNT RECOVERY MANIPULATION
Account recovery manipulation is one of the most underestimated threats. Criminals contact a victim while pretending to be support staff from a bank, marketplace, or technology platform. They claim the victim’s account is under threat and guide them through an urgent recovery process. The victim believes that the steps will secure their account, but each step actually transfers control to the attacker. Since recovery flows often use email links or SMS verification instead of active MFA codes, the criminal gains complete access without ever needing to bypass the original MFA configuration.
MFA types exploited in this attack:
- SMS based recovery
- Email based recovery
- Backup code recovery
- Any recovery path that bypasses the primary MFA configuration
Hardware tokens and authenticator apps provide little protection when the platform itself allows MFA reset through weaker channels.
OAUTH ABUSE
OAuth abuse is rapidly becoming one of the most dangerous forms of infiltration. Instead of trying to break authentication, the criminal sends a link requesting permission for a third party application to access the victim’s account. Once the victim clicks approve, the attacker gains persistent access without needing credentials or MFA. Many users have no idea what they have granted, and the approval hides itself within the normal permissions list of their account. Some attackers package these requests as file sharing invitations, productivity tool integrations, or workplace collaboration features.
MFA types exploited in this attack:
- OAuth permission approvals
- Any MFA type indirectly, because the attacker avoids using it altogether
OAuth abuse is powerful because it does not break MFA. It sidesteps it completely.
THE PATTERN OF CRIMINAL STRATEGY
These techniques point to one conclusion. Modern fraud groups no longer attempt to undermine MFA directly. They exploit the human surrounding it, the systems supporting it, and the blind spots many individuals and organisations overlook. Their tactics align closely with the behaviour of long running international fraud groups specialised in social engineering and psychological exploitation. As these groups evolve, the long-held expectation MFA alone will prevent account compromise becomes increasingly unreliable.
- Log in to post comments