Traditional password-only authentication systems have proven to be vulnerable to a wide range of cyberattacks. To safeguard critical business resources, organizations are increasingly turning to multi-factor authentication (MFA) as a more robust security measure. MFA requires users to provide multiple authentication factors to verify their identity, providing an additional layer of protection against unauthorized access. Cybercriminals are constantly investigating ways to bypass MFA systems. One such method gaining traction is the MFA spamming attack, also known as MFA fatigue or MFA bombing.[1]
See: https://redskyalliance.org/xindustry/are-you-still-using-passwords
MFA spamming refers to the malicious act of inundating a target user's email, phone, or other registered devices with numerous MFA prompts or confirmation codes. The objective behind this tactic is to overwhelm the user with notifications, in the hopes that they will inadvertently approve an unauthorized login. To execute this attack, hackers require the target victim's account credentials (username and password) to initiate the login process and trigger the MFA notifications.
There are various methods employed to execute MFA spamming attacks, including:
- Utilizing automated tools or scripts to flood the targeted victims' devices with a high volume of verification requests.
- Employing social engineering tactics to deceive the target user into accepting a verification request.
- Exploiting the API of the MFA system to send a substantial number of false authentication requests to the target user.
By employing these techniques, attackers aim to exploit any unintentional approvals, ultimately gaining unauthorized access to sensitive information or accounts.
Hackers increasingly leverage MFA spamming attacks to bypass MFA systems. Here are two notable cyberattacks executed using this technique:
- Between March and May 2021, hackers circumvented the SMS multi-factor authentication of Coinbase, considered one of the largest cryptocurrency exchange companies worldwide, and stole cryptocurrencies from over 6,000 customers.
- In 2022, hackers flooded Crypto.com customers with many notifications to withdraw money from their wallets. Many customers inadvertently approved the fraudulent transaction requests, leading to a loss of 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other cryptocurrencies.
Mitigating MFA spamming attacks necessitates the implementation of technical controls and the enforcement of relevant MFA security policies.
For the MFA spamming attack to be successful, the attacker must first obtain the login credentials of the target user. Hackers employ various methods to acquire these credentials, including brute force attacks, phishing emails, credential stuffing, and purchasing stolen/breached credentials from the dark web.
The first line of defense against MFA spamming is securing your users' passwords. Your organization's end-user training program should emphasize the importance of carefully verifying MFA login requests before approving them. If users encounter a significant number of MFA requests, it should raise suspicion and serve as a potential clue of a targeted cyberattack. In such cases, it is crucial to educate users about the immediate action they should take, which includes resetting their account credentials as a precautionary measure and notifying security teams.
Organizations should implement rate-limiting mechanisms that restrict the number of authentication requests allowed from a single user account within a specific time frame. By doing so, automated scripts or bots are unable to overwhelm users with an excessive number of requests. Organizations should also deploy robust monitoring systems that detect and alert on unusual patterns of MFA requests; this helps identify potential spamming attacks in real time and allows immediate action to be taken.
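As an added example (not code from the article or from Red Sky Alliance), the following Python shows both controls above working over a constructed MFA push log: a sliding-window detector that raises an alert when a user receives a burst of prompts and a second, higher-confidence alert when a prompt is approved while that burst is still in progress, plus a server-side rate limiter that refuses to issue further prompts once a per-user cap is reached. The log format, user names, thresholds and window sizes are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample log (not real data): timestamp, user, MFA push event.
SAMPLE_LOG = """\
2024-01-15T08:00:01Z alice push_sent
2024-01-15T08:01:02Z alice push_sent
2024-01-15T08:01:55Z alice push_sent
2024-01-15T08:02:20Z alice push_sent
2024-01-15T08:02:48Z alice push_sent
2024-01-15T08:03:10Z alice push_sent
2024-01-15T08:03:31Z alice push_approved
2024-01-15T08:05:00Z bob push_sent
2024-01-15T08:05:09Z bob push_approved
"""

def parse_log(text):
    """Parse 'timestamp user event' lines into sorted (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return sorted(events)

def _prune(q, now, window):  # drop timestamps older than `window` from deque `q`
    while q and now - q[0] > window:
        q.popleft()

def detect_mfa_spam(events, window=timedelta(minutes=5), threshold=5):
    """Alert when a user receives more than `threshold` prompts within `window`,
    and again if a prompt is approved while that burst is still in progress."""
    recent, alerts = defaultdict(deque), []
    for ts, user, event in events:
        q = recent[user]
        _prune(q, ts, window)
        if event == "push_sent":
            q.append(ts)
            if len(q) == threshold + 1:  # fire once, when the threshold is first crossed
                alerts.append((user, "mfa_prompt_burst", ts))
        elif event == "push_approved" and len(q) > threshold:
            alerts.append((user, "approval_during_burst", ts))
    return alerts

def allow_prompt(user, now, state, limit=3, window=timedelta(minutes=10)):
    """Server-side rate limit: refuse a new push once `limit` prompts were sent in `window`.
    `state` is a plain dict mapping user -> deque of recent send times."""
    q = state.setdefault(user, deque())
    _prune(q, now, window)
    if len(q) >= limit:
        return False
    q.append(now)
    return True
```

In production the alert tuples would feed a SIEM rule and the rate limiter would sit in the identity provider's push-issuing path, so that a denied prompt is logged rather than silently dropped.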
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://thehackernews.com/2024/01/mfa-spamming-and-fatigue-when-security.html