MFA Prompt Bombing: What It Is and How to Avoid It
You've probably already heard how effective multi-factor authentication (MFA) is at protecting your network from identity-related attacks. What people don't tell you is that, like any tool, it's only effective when you use it right.
Our team at Intelligent Technical Solutions (ITS) recently witnessed a spike in MFA attacks within our clients' networks. Thankfully, we dealt with them before they could cause any damage.
However, we did notice something interesting after investigating the incidents: they all used a method we are beginning to see more frequently, called MFA Prompt Bombing. It's a method that takes advantage of your psychology to help attackers infiltrate and access your accounts.
In this article, we'll dive into what it is and what you should do to protect against it.
What is MFA Prompt Bombing?
Have you ever received unexpected MFA approval prompts at odd times? If you have, only hit “Approve” if you're sure you're the one logging in; multiple random prompts could signify that you are under an MFA Prompt Bombing attempt.
The idea behind the attack is simple: a cyber actor obtains login credentials for an account protected by MFA. Then they bombard the legitimate user with authentication requests, hoping for MFA fatigue to kick in. The goal is that you accidentally approve one of the requests in frustration, just to get rid of the annoying notifications on your phone. Once that happens, the attacker has complete access to the compromised account.
MFA prompt bombing works best with authentication requests involving phone calls or texts, but hackers can do it with any "phishable" factors.
In addition, this method becomes more dangerous when a platform supports push-based MFA authentication. That's because you could end up in a situation where a single tap, whether intentional or unintentional, leads to severe consequences.
How to Tell You're Under Attack
MFA prompt bombing is done in any number of ways. An attacker could send you a stream of authentication requests nonstop, trying to frustrate you. Or, they could send just a few requests daily, hoping you will get careless.
For a better idea of how to spot these attacks in the wild, let's take a look at a few real-world examples.
Suspected Russian hacker group Nobelium has been observed abusing MFA push notifications in the past. According to a study by security firm Mandiant, the gang members would issue multiple MFA requests to the end user's legitimate device, bringing up a push notification. They would repeat this continuously until the user unintentionally accepted the authentication request.
Lapsus$, another hacking group, has also taken advantage of the attack method. In the group's official Telegram channel, one member wrote:
"Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device."
Whatever the method used, the easiest way to spot this attack is to ensure that you are the one who initiated the authentication request. If you're not trying to log in at the time of the notification, then that should immediately raise the alarm that something's not right.
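As an added example (not from the original article), here is the kind of detection logic an IT team could run over identity-provider push logs to spot both variants described above: a nonstop burst of prompts, and a few unanswered prompts per day. The log format, field names, user names and thresholds are constructed assumptions, not any vendor's real format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data), one push event per line.
# alice: 5 pushes in 3 minutes at 1 am, none approved (the burst variant).
# bob: one unanswered push per night for 3 nights (the few-per-day variant).
# carol: one push approved seconds later (a normal login).
SAMPLE_LOG = """\
2024-05-01T01:00:05Z user=alice event=push_sent
2024-05-01T01:00:40Z user=alice event=push_sent
2024-05-01T01:01:10Z user=alice event=push_sent
2024-05-01T01:01:55Z user=alice event=push_sent
2024-05-01T01:03:00Z user=alice event=push_sent
2024-05-01T02:10:00Z user=bob event=push_sent
2024-05-02T02:12:00Z user=bob event=push_sent
2024-05-03T02:09:00Z user=bob event=push_sent
2024-05-01T09:00:00Z user=carol event=push_sent
2024-05-01T09:00:08Z user=carol event=push_approved
"""

def parse_log(text):
    """Yield (timestamp, user, event) from 'ts user=<u> event=<e>' lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        yield (datetime.fromisoformat(ts.replace("Z", "+00:00")),
               user.split("=", 1)[1], event.split("=", 1)[1])

def detect_prompt_bombing(log_text, window=timedelta(minutes=5),
                          burst_threshold=5, slow_days=3):
    """Return {user: [reasons]} for users whose push history matches a pattern."""
    sent, approved_days = defaultdict(list), defaultdict(set)
    for ts, user, event in parse_log(log_text):
        if event == "push_sent":
            sent[user].append(ts)
        elif event == "push_approved":
            approved_days[user].add(ts.date())
    findings = defaultdict(list)
    for user, times in sent.items():
        times.sort()
        start = 0  # sliding window over sorted push times
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                findings[user].append("burst")
                break
        # Low-and-slow: distinct days with pushes but no approval at all.
        unanswered = {t.date() for t in times} - approved_days[user]
        if len(unanswered) >= slow_days:
            findings[user].append("low_and_slow")
    return dict(findings)
```

Either finding is a reason to contact the user and reset credentials, since the attacker already holds a valid password by the time the prompts start.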
3 Ways to Protect Against MFA Prompt Bombing
Cases of MFA prompt bombing are on the rise. Avoid falling victim by taking note of the following ways to protect against it:
1. Never approve uninitiated MFA prompts.
Imagine getting a phone call from IT Support asking you to verify an authentication request. If you verify that request, you could be putting your business at risk. It could be a social engineering tactic designed by cybercriminals to manipulate you into approving their MFA request. As a rule of thumb, never approve uninitiated MFA prompts unless you can confirm the identity of the individual requesting access to your account first.
In addition, avoid unnecessary risks such as giving your MFA codes to another person or accessing MFA-protected data on a personal device.
2. Inform your IT team IMMEDIATELY.
Receiving multiple authentication requests that you did not initiate is considered a red flag. Inform your IT team of such incidents as quickly as possible so they can initiate protocols, like changing your login credentials and setting additional measures to protect your account. The sooner you do this, the less likely your business will suffer from a potential attack.
3. Spread awareness.
The best way to stop this kind of attack is by spreading awareness. So, ensure that everyone on your team knows that MFA prompt bombing attacks are on the rise. You can use your cybersecurity awareness training to teach your team how to spot these attacks and what to do when they encounter them.
Ready to Protect Yourself from MFA Prompt Bombing?
MFA is still one of the most cost-effective security measures against identity-related attacks. However, while the method itself is secure, attackers know its weak link – the human factor. Attackers will try to take advantage of that in any way they can to gain access to your data. The recent spike in MFA prompt bombing attempts is proof of that.
Remember, if you keep receiving multiple authentication requests that you did not initiate:
- Never approve unexpected MFA prompts,
- Inform your IT and security team immediately, and
- Spread the knowledge to your team.
At ITS, we are dedicated to helping businesses stay ahead of new and rising cyber threats. Learn more about the steps you need to take to set up your MFA properly and prevent threats like MFA Prompt Bombing by checking out the following:
- Video: How to Set Up MFA for Your Business?
- Video: 15 Ways to Protect Your Business from a Cyber Attack
- eBook: Cybersecurity Awareness Training Program