One of the most significant barriers for cybercriminals trying to compromise a user account is Multi-Factor Authentication (MFA). MFA is a common control that organizations put in place to protect data; nearly 60% of organizations worldwide use some form of it. In principle, MFA requires an action on a separate device that only the employee has access to, such as entering a time-sensitive code or accepting a push notification. But what happens when users are flooded with those notifications? Enter MFA bombing attacks.
In 2022, Microsoft reported more than 382,000 attacks due to MFA fatigue. Perhaps the most high-profile and successful of these attacks last year was the breach of Uber’s corporate systems. A hacker associated with the Lapsus$ cybercrime group purchased stolen credentials belonging to an Uber contractor on the dark web. After initial login attempts failed, it became clear that the account was protected by two-factor authentication (2FA). To get around it, the hacker contacted the contractor directly via WhatsApp, pretending to be a member of Uber’s security team, and asked them to approve the MFA notifications being sent to their phone.
The attacker generated repeated 2FA push requests to the contractor, a technique also known as MFA bombing. The victim eventually approved one of them, unaware that a threat actor was generating the prompts. Once inside, the attacker had access to the company’s VPN and found PowerShell scripts containing login details for an admin user of the company’s Privileged Access Management (PAM) solution, Thycotic. One approved prompt was enough to reach privileged access because those credentials were sitting in plaintext in scripts on the network. The hacker also allegedly accessed Uber’s bug bounty reports, which may have contained details of unresolved security vulnerabilities.
That whole chain started with one approved MFA notification. Now imagine the same technique run at scale, against many users and with many prompts each: MFA prompt bombing.
Prompt bombing preys on alert fatigue
MFA validates a user’s identity by requiring multiple “factors” before login. Typically a password is combined with a second form of authentication, such as a one-time passcode (OTP) sent to a smartphone, an authenticator app (like Google Authenticator), biometrics such as facial recognition or a fingerprint, or a hardware authentication device (like a YubiKey).
Another popular MFA method is a push notification to another device, and this is what gives cybercriminals the opportunity to prompt-bomb. In prompt bombing, an attacker who already holds the password triggers the login repeatedly, sending request after request to increase the chance that the victim approves one. For an end user who just wants the barrage to stop, tapping “approve” can be all too tempting.
Prompt bombing is a social engineering technique as well: the hacker may pair the prompts with a message impersonating a helpdesk account or a member of the security team, “explaining” the notifications away. Overrun by notifications, users experience alert fatigue and simply want them to stop. This is why these attacks are sometimes also referred to as ‘MFA fatigue attacks.’
More generally, alert fatigue occurs when an overwhelming number of notifications (or alerts) desensitizes the people tasked with responding to them, leading to more accidents and mistakes. The term is usually applied to security professionals drowning in security alerts, but the same dynamic is what cybercriminals exploit when they spam end users with prompts to approve. The bottom line: a victim overrun by notifications they want to stop has little time to think about the risks of approving what is, in fact, a suspicious access attempt.
How can organizations protect against MFA prompt bombing?
Fortunately, there are many steps organizations can take to protect their users from MFA prompt bombing. These include limiting how many authentication prompts can be sent to a user in a given window (and locking the account or raising an alert when that limit is hit), replacing blind approve/deny pushes with a form the user cannot approve without reading, such as number matching, and better cybersecurity awareness training. Two key measures are risk-based authentication and more effective password policies.
Risk-based authentication
One way to strengthen MFA (and reduce the risk of an MFA prompt bombing attack) is risk-based authentication. Risk-based authentication examines the signals contained in a login request to decide whether anything about it is unusual: for example, the geographic location of the request, the number of login attempts, or the time of day the request comes in. The identity and access management system can then notify the user of suspicious activity and require further verification, or, in some cases, disable the account.
Conditional access policies are a good example of risk-based authentication in practice. They evaluate these signals to decide whether a login request is suspicious or malicious and then apply a remediating action, such as locking a compromised account, requiring additional verification, or forcing the user to change their password.
The drawback of risk-based authentication is that it requires the organization to be integrated with (and paying for) an identity service that provides it, which some may find costly.
A cheaper and more easily implemented mitigation for such attacks is a strong organizational password policy.
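The following is an added example, not code from the original article or from any identity vendor: a small replay of authentication events that scores the signals described above (new location, time of day, attempt volume) and throttles push prompts once a burst is detected. The event format, field names, thresholds and risk weights are all assumptions, and the sample events are constructed, not real logs.

```python
"""Added example (not from the original page): replaying authentication
events to spot an MFA push-bombing burst and throttle further prompts.
Event format, field names, thresholds and the risk weights are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. "ext.contractor" receives a burst
# of push prompts from a country they have never logged in from, late at night;
# "alice" receives one ordinary prompt from her usual country in office hours.
SAMPLE_EVENTS = [
    {"ts": "2022-09-15T01:02:00Z", "user": "ext.contractor", "event": "push_sent", "country": "BR"},
    {"ts": "2022-09-15T01:03:00Z", "user": "ext.contractor", "event": "push_sent", "country": "BR"},
    {"ts": "2022-09-15T01:04:00Z", "user": "ext.contractor", "event": "push_sent", "country": "BR"},
    {"ts": "2022-09-15T01:05:00Z", "user": "ext.contractor", "event": "push_sent", "country": "BR"},
    {"ts": "2022-09-15T01:06:00Z", "user": "ext.contractor", "event": "push_sent", "country": "BR"},
    {"ts": "2022-09-15T09:15:00Z", "user": "alice", "event": "push_sent", "country": "US"},
]

# Countries each user has previously authenticated from (constructed baseline).
KNOWN_COUNTRIES = {"ext.contractor": {"US"}, "alice": {"US"}}

PROMPT_WINDOW = timedelta(minutes=10)   # sliding window for counting prompts
MAX_PROMPTS_PER_WINDOW = 3              # more than this in the window is a burst
OFF_HOURS = range(0, 6)                 # 00:00-05:59 UTC treated as unusual


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def risk_score(event, prior_countries):
    """Score the signals the article lists: location and time of day.
    Attempt volume is scored separately in evaluate()."""
    score, reasons = 0, []
    if event["country"] not in prior_countries:
        score += 2
        reasons.append("new_country")
    if parse_ts(event["ts"]).hour in OFF_HOURS:
        score += 1
        reasons.append("off_hours")
    return score, reasons


def decide(score):
    """Map a score to an action. 'step_up' means: do not send a plain
    approve/deny push; require number matching or a phishing-resistant factor."""
    if score >= 4:
        return "lock_and_alert"
    if score >= 2:
        return "step_up"
    return "allow_push"


def evaluate(events, known_countries):
    """Replay push_sent events in time order and return, per user, the last
    decision taken together with the reasons and the prompt count in window."""
    prompts = defaultdict(list)   # user -> timestamps of prompts in the window
    decisions = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "push_sent":
            continue
        user, t = ev["user"], parse_ts(ev["ts"])
        window = [x for x in prompts[user] if t - x <= PROMPT_WINDOW] + [t]
        prompts[user] = window
        score, reasons = risk_score(ev, known_countries.get(user, set()))
        if len(window) > MAX_PROMPTS_PER_WINDOW:
            score += 3
            reasons.append("prompt_burst")
        decisions[user] = {
            "action": decide(score),
            "score": score,
            "reasons": reasons,
            "prompts_in_window": len(window),
        }
    return decisions


if __name__ == "__main__":
    for user, d in evaluate(SAMPLE_EVENTS, KNOWN_COUNTRIES).items():
        print(f"{user}: {d['action']} (score {d['score']}, {', '.join(d['reasons'])})")
```

Run on the constructed events, the contractor's first prompt already scores high enough for a step-up (unknown country, off hours), and the fourth prompt inside the ten-minute window tips it into a lock-and-alert; alice's single daytime prompt from her usual country is allowed through. In a real deployment the lock decision would also stop further pushes from being sent at all, so the victim never sees the prompt they would otherwise be tempted to approve.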
Password policies: It’s time to reconsider traditional approaches
Passwords underpin almost all systems. MFA is a great tool that adds an extra layer of protection, but if an attacker can trigger MFA prompts for a user at all, the password has already been compromised: in most deployments the push is only sent after a correct password. As referenced earlier, in the Uber breach the hacker had already bought stolen credentials and only ran into difficulty when MFA turned out to be in place. More generally, attackers obtain passwords from lists leaked in previous breaches, or by successfully brute-forcing a user’s password.
Secure password policies aim to help users create strong, unique passwords or passphrases that have not been breached or compromised elsewhere. To establish a good password, users should:
1. Avoid common or guessable words
Worryingly, the Specops 2023 Weak Password Report found that the most common base term in passwords used to attack networks across multiple ports is still ‘password’. Avoiding easily guessable terms (like ‘password’ or the organization’s name) makes it harder, and more expensive, for cybercriminals to gain access, and attackers may simply give up and move on to an easier target.
2. Consider complexity
One approach to creating a strong passphrase is to require end users to meet complexity requirements, such as a minimum length and the use of special characters. However, the 2023 Weak Password Report also showed that 83% of compromised passwords satisfy the length and complexity requirements of regulatory password standards; complexity alone does not help once a password has already leaked. Organizations should therefore consider investing in a custom dictionary of blocked terms and in screening new passwords against lists of known-compromised ones.
3. Embrace the passphrase
One of the strongest ways for end users to create a good password is to choose three random words that mean nothing to anyone but themselves. Deliberately misspelling one of the words adds a further layer of security.
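As an added example covering the three points above (it is not code from the article, from Specops, or from any password product), the check below combines a custom dictionary of blocked base terms with a passphrase-length rule and a breached-password screen. The blocked terms, the minimum length, the leet-speak mapping and the breached set are constructed for illustration; the breached table is keyed by the first five hex characters of the SHA-1 hash, mimicking the k-anonymity range lookup used by the Have I Been Pwned API, but no external service is queried.

```python
"""Added example (not from the original page): a password-policy check that
blocks common and organisation-specific base terms, enforces a passphrase
length, and screens against a constructed breached-hash table."""
import hashlib
import re

MIN_LENGTH = 15                                      # assumption: passphrase-style minimum
ORG_TERMS = {"acme", "acmecorp"}                     # constructed organisation names
COMMON_BASE_TERMS = {"password", "welcome", "admin", "qwerty", "letmein"}

# Undo the substitutions people use to satisfy complexity rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(pw):
    """Lower-case, strip trailing digits/symbols, then undo leet substitutions,
    so 'P@ssw0rd2023!' reduces to 'password' for dictionary matching."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET)


def sha1_hex(pw):
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed breached set (not real breach data). Keyed by the 5-char SHA-1
# prefix; values are the remaining 35 hex characters, as a range lookup returns.
BREACHED = {}
for _pw in ("P@ssw0rd2023!", "Summer2023!", "Welcome1!"):
    _h = sha1_hex(_pw)
    BREACHED.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(pw, table=BREACHED):
    """Look the password's hash suffix up under its 5-char prefix."""
    h = sha1_hex(pw)
    return h[5:] in table.get(h[:5], set())


def check_password(pw, org_terms=ORG_TERMS, table=BREACHED):
    """Return a list of policy failures; an empty list means the password passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    base = normalise(pw)
    for term in sorted(COMMON_BASE_TERMS | org_terms):
        if term in base:
            failures.append(f"contains blocked base term '{term}'")
            break
    if is_breached(pw, table):
        failures.append("appears in breached-password list")
    return failures


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2023!", "AcmeCorp-Winter-2024", "tulip-glacier-hammock"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that "P@ssw0rd2023!" would pass a typical length-and-complexity rule yet fails all three checks here, while "AcmeCorp-Winter-2024" is long and complex but is caught by the organisation dictionary; only the three-random-word passphrase passes. In production the breached lookup would query a maintained source rather than this constructed table, and the dictionary would be much larger.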
The future of MFA
It’s crucial to remember that a single layer of security is never enough, especially as cybercriminals become more sophisticated. Whilst easier said than done, the best way to protect an organization from MFA prompt bombing is to stop passwords from being compromised in the first place: in most MFA setups the password is the first step, and the bombing cannot begin without it. That is why a strong password policy, with length requirements and a block on re-using breached passwords, is key to protecting end users. Equally, keeping all employees up to date with cybersecurity awareness training, including the simple rule that you never approve an MFA prompt you did not initiate yourself, is an important part of risk management too.