MFA fatigue attacks are on the rise
In this month’s newsletter, we highlight a growing form of attack: MFA fatigue. Just as MFA has become more widely used, attackers have found a way to get around MFA push notifications. This identity-based attack is designed to remove security barriers and is sure to put companies and individuals on high alert.
What is MFA fatigue?
MFA fatigue, also known as MFA bombing or prompt spamming, is an attack that bombards a user’s authentication app with multiple push notifications. If the prompt is verified by the user, the hacker gains access to an account or device.
How does the attack work?
- The attacker has already gained some credentials, like usernames and passwords, possibly through a phishing email
- The attacker uses these stolen credentials to log into a protected account that uses an MFA push notification to verify
- The attacker requests the verification repeatedly, waiting for the user to verify
- The user gets frustrated with the number of push notifications they receive and gives in and verifies the request
- The attacker now has full access to the account
Authentication and identity provider Okta states: “The issue here is not user behavior or weak MFA, but a lack of systems designed to thwart these kinds of attacks before they gain traction.”
Safety tips
- Know what to look for: ecome familiar with MFA attacks, so you feel prepared if you encounter one
- Know how to react: If you think you are being attacked, report the situation to the proper team and immediately change your password(s)
- Stay alert: With the amount of logging in and out each day, security can easily slip your mind!
- Stay engaged so you can be ahead of the hackers
Attacks making headlines
CashApp — Insider threat
In April 2022, a disgruntled former employee hacked into CashApp’s servers. They managed to access customer data, stock trading records, valuable financial information and much more.
Uber — Social Engineering
In September 2022, an 18-year-old hacker deceived their way into one of the largest ride-share companies. Uber stated that the hacker got a contractor's login information and bypassed the company's two-factor authentication.
Nvidia — Ransomware
In March 2022, the hacking group Lapsus$ claimed responsibility for holding Nvidia's proprietary data hostage. The widely used US computer chip-making company hired a group of cybersecurity experts to help respond to the large attack.
Hook, line and phished — phishing attacks rise over 60% in 2022
Phishing is one of the most common methods of cybercrime. According to the Interisle Consulting Group, phishing has risen 61% in the last year. No company or individual is safe from receiving a phishing email and becoming a target.
Cryptocurrency companies are now on high alert, as their field is being phished more and more. Interisle found the increase to be over 250% year-to-year for these companies. Hackers are targeting wallets and exchanges at a rate so high it seems no one is safe.
For more information on the rise of phishing emails, see here.
Tuesday Training… "Social Engineering 3”"
Hackers don’t take holidays off! Take a few minutes to learn about common holiday scams and attacks, and what you can do to avoid them.