Today we are going to talk about a new threat from hackers. You are probably already familiar with Multi-Factor Authentication (MFA). You probably receive text messages with codes in them when you want to log into your bank or credit card accounts. That is MFA by text message. Another form uses an app on your phone, for example from Microsoft or Google, that shows a prompt asking you to authorize the connection. You press the authorize button in the app, and the website then allows you access. This new attack is known as MFA Bombing, and it has proven to be a pretty effective way of bypassing this security control.
An MFA prompt bombing attack is where cybercriminals send many MFA requests to your phone, hoping that you will approve one of them by mistake. While MFA is very effective, hackers use simple human error to get around it.
The attacker first needs your login information. With it, they log in, and each login attempt sends an MFA request to you, over and over again. Usually, most users would decline these, but if you are hit with thousands, it’s possible that you may inadvertently click yes on one. That is what the attacker is counting on.
Keep in mind, this can also happen via SMS or email. You may receive a message asking if you want to allow this access.
The attacker doesn’t have to do this manually. They can use scripts that automate the process for them. This gives them the ability to move far faster than any human can and create thousands or even tens of thousands of MFA requests.
The key to preventing this attack is to remember that if you aren’t trying to log into an account and you receive an unsolicited MFA request, deny it. If you get bombed, take your time and deny all of them. If the website you have MFA set up for allows you to control the number of failed responses, set it to 3. This will immediately put a stop to these types of attacks.
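The limit described above, sketched as an added example (not code from this article or from any MFA provider): it reads constructed MFA prompt events, locks an account after 3 failed prompts, and flags an approval that arrives right after failed prompts. The 10-minute window, the event format and the function name are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILED = 3                  # limit of failed responses suggested above
WINDOW = timedelta(minutes=10)  # assumed look-back window for counting failures

# Constructed sample events: (timestamp, user, result of the MFA prompt)
SAMPLE_EVENTS = [
    ("2024-05-01T02:10:00", "bob", "denied"),
    ("2024-05-01T02:10:20", "bob", "denied"),
    ("2024-05-01T02:10:40", "bob", "timeout"),
    ("2024-05-01T02:11:00", "bob", "approved"),    # tired user taps yes
    ("2024-05-01T08:00:00", "dave", "denied"),     # old failure, ages out
    ("2024-05-01T08:30:00", "dave", "denied"),
    ("2024-05-01T08:31:00", "dave", "denied"),
    ("2024-05-01T09:00:00", "alice", "approved"),  # ordinary login
    ("2024-05-01T14:00:00", "carol", "denied"),
    ("2024-05-01T14:00:30", "carol", "approved"),
]

def review_mfa_events(events, max_failed=MAX_FAILED, window=WINDOW):
    """Return (locked_users, alerts) for a list of MFA prompt events."""
    recent_failures = defaultdict(deque)  # user -> times of recent failed prompts
    locked, alerts = {}, []
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        failures = recent_failures[user]
        while failures and ts - failures[0] > window:
            failures.popleft()            # forget failures older than the window
        if user in locked:
            # Once locked, later prompts are blocked, so a mistaken tap cannot help
            alerts.append((ts_text, user, "prompt blocked, account locked"))
            continue
        if result in ("denied", "timeout"):
            failures.append(ts)
            if len(failures) >= max_failed:
                locked[user] = ts_text
                alerts.append((ts_text, user, "locked after repeated failed prompts"))
        elif result == "approved":
            if failures:
                # An approval directly after denials may be a mistaken tap
                alerts.append((ts_text, user, "approval after failed prompts, verify"))
            failures.clear()
    return locked, alerts

if __name__ == "__main__":
    locked_users, found = review_mfa_events(SAMPLE_EVENTS)
    print("locked:", locked_users)
    for alert in found:
        print(alert)
```

With the limit in place, bob's mistaken approval at 02:11 is blocked because the account was already locked after the third failed prompt.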
Our devices are being used more and more to handle just about every aspect of our lives. Because of that, attackers are going to look for more ways to use our technology against us.