Researchers at Specops Software describe a technique attackers are using to bypass multi-factor authentication (MFA). In an article for BleepingComputer, the researchers explain that attackers who already hold a user's password repeatedly attempt to log in to an account protected by MFA; each attempt triggers a new push notification, spamming the user with approval requests until the user finally approves one of them.
“Cybercriminals increasingly use social engineering attacks to access their targets’ sensitive credentials,” the researchers write. “Social engineering is a manipulative technique used by hackers to exploit human error to gain private information. MFA fatigue is a technique that has gained popularity among hackers in recent years as part of their social engineering attacks. This is a simple yet effective technique with destructive consequences as the hackers are banking on their targets’ lack of training and understanding of attack vectors.”
If the user is unaware of this technique, they may accept the request to make the notifications stop.
“Since many MFA users are unfamiliar with this style of attack, they would not understand that they are approving a fraudulent notification,” the researchers write. “As the MFA notifications appear continuously, a user may get tired and assume it’s an annoying system malfunction, and hence accept the notification as they did previously. Unfortunately, this grants the hacker access to the user’s critical infrastructure.”
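The pattern described above, a burst of push prompts to one user ending in an approval, is something an identity provider's logs can surface. The following is an added example (not code from Specops or BleepingComputer) that flags users who receive an unusual number of MFA push prompts in a short window and notes whether the burst ended in an approval; the log format and event names are assumed, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA log lines (assumed format: timestamp user event).
# Alice receives five push prompts in under two minutes and finally approves;
# Bob gets a single prompt, which is normal.
SAMPLE_LOG = """\
2022-09-15T03:01:10Z alice push_sent
2022-09-15T03:01:30Z alice push_denied
2022-09-15T03:01:45Z alice push_sent
2022-09-15T03:02:05Z alice push_sent
2022-09-15T03:02:20Z alice push_sent
2022-09-15T03:02:40Z alice push_sent
2022-09-15T03:03:00Z alice push_approved
2022-09-15T03:05:00Z bob push_sent
2022-09-15T03:05:20Z bob push_approved
"""


def parse_log(text):
    """Parse 'timestamp user event' lines into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=5), threshold=4):
    """Return {user: (prompts_in_burst, approved_after_burst)} for each user
    who received at least `threshold` push prompts within `window`.
    An approval at or after the end of the burst is the high-severity case:
    the user may have accepted a prompt they did not initiate."""
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))
    findings = {}
    for user, evs in by_user.items():
        sends = [ts for ts, ev in evs if ev == "push_sent"]
        for i, start in enumerate(sends):           # sliding window over prompts
            burst = [t for t in sends[i:] if t - start <= window]
            if len(burst) >= threshold:
                burst_end = burst[-1]
                approved = any(ev == "push_approved" and ts >= burst_end
                               for ts, ev in evs)
                findings[user] = (len(burst), approved)
                break
    return findings


if __name__ == "__main__":
    for user, (count, approved) in detect_mfa_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {count} prompts in window, approved after burst={approved}")
```

Thresholds and the window should be tuned to the organisation's normal prompt rate, and a flagged user whose burst ended in an approval warrants a session revocation and password reset, not just an alert.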
This technique was used by the Lapsus$ cybercriminal gang to successfully breach Uber in September 2022.
“As these MFA bombing attacks have obvious negative impacts on businesses, companies should ensure that all their critical infrastructures and resources are protected from internal or external threats,” the researchers write. “These attacks can damage a company’s reputation and erode the trust of its customers, leading to a loss of customers and sales volume. Additionally, MFA attacks can disrupt your operations, cause loss of sensitive information and alter your business practices.”
New-school security awareness training can give your organization an essential layer of defense by teaching your employees to follow security best practices.