Cybersecurity Awareness Month – MFA Bombing

A recent spate of data breaches has been attributed to users falling for something called MFA Bombing, in which an attacker sends multi-factor authentication (MFA) requests to a user over and over until they eventually authorize access. Attackers have even been known to contact their intended victims, posing as company technical support, to tell them that the only way to stop the repeated requests is to authorize one of them. The attacker then has authenticated access to the corporate environment.

The recent data breach at Uber was attributed to a third-party contractor authorizing access during an MFA bombing campaign. According to reports, the attacker contacted the contractor, pretending to be technical support, after the contractor rejected the first series of authorization requests.

In another instance, Rockstar Games, the developer of the Grand Theft Auto video game, had code and video footage from an upcoming release stolen after an employee was tricked during an MFA bombing attack.

Attackers use these MFA bombing, or MFA fatigue, attacks to wear victims down by continually sending them alerts until they grant access. There have also been cases where attackers pester victims in the middle of the night, waking them up, in the hope that the barrage of alerts will make them sloppy and that they will approve a request just because they want to go back to sleep.

Think of it like this, and consider how you might respond. You are sound asleep, then ding, you get an SMS message about authorizing access. It’s not you, so you ignore it. A minute later, ding, another alert comes. Then ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding, ding … you get the picture. At what point do you get frustrated and click accept just so the alerts stop waking you up?

In a report, Auth0 asks the very important question of how users would view an MFA bombing attack: “Would they recognize the onslaught of MFA requests as the signs of an attack, or would they think that the service was simply being ‘buggy’?”

With MFA seen as a way to stop unauthorized access, many organizations have implemented it as a secondary level of control. However, cyber-criminals have been quick to look for ways around those controls, and MFA bombing is just one way they have figured out to get users to give them access.
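
The pattern described above, many unapproved prompts in a short time and then an approval, can be looked for in MFA logs. The following is an added example, not part of the original post: the log format, field names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5  # assumed: unapproved prompts in WINDOW that count as a burst

# Constructed sample events, oldest first: "<timestamp> user=<name> result=<outcome>"
SAMPLE_LOG = """\
2022-10-03T02:14:05 user=alice result=denied
2022-10-03T02:14:50 user=alice result=denied
2022-10-03T02:15:30 user=alice result=timeout
2022-10-03T02:16:10 user=alice result=denied
2022-10-03T02:17:00 user=alice result=denied
2022-10-03T02:18:20 user=alice result=timeout
2022-10-03T02:19:45 user=alice result=approved
2022-10-03T09:00:00 user=bob result=approved
2022-10-03T13:00:00 user=carol result=denied
2022-10-03T13:20:00 user=carol result=denied
"""

def parse(line):
    ts, user, result = line.split()
    return datetime.fromisoformat(ts), user.split("=", 1)[1], result.split("=", 1)[1]

def detect_mfa_bombing(lines, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (user, time, severity, prompts_in_window) tuples."""
    recent = defaultdict(deque)  # user -> (time, result) pairs inside the window
    warned = set()               # users with an open burst already reported
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, result = parse(line)
        q = recent[user]
        q.append((ts, result))
        while q and ts - q[0][0] > window:  # drop prompts older than the window
            q.popleft()
        rejected = sum(1 for _, r in q if r != "approved")
        if rejected < threshold:
            warned.discard(user)
        elif result == "approved":  # burst ended in an approval: likely fatigue
            alerts.append((user, ts, "critical", len(q)))
            q.clear()
            warned.discard(user)
        elif user not in warned:    # burst still in progress, report it once
            alerts.append((user, ts, "warning", len(q)))
            warned.add(user)
    return alerts
```

On the sample data, alice produces a warning when the fifth unapproved prompt arrives and a critical alert when the approval follows; bob's single approval and carol's two widely spaced denials produce nothing.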