MFA bombing, also known as MFA fatigue, is a relatively new social engineering technique that attackers use in particular to compromise employee accounts in large organisations. It was used in attacks on Uber and Microsoft as recently as 2022.
The method exploits multi-factor authentication that verifies login attempts by sending a push notification to the user's phone, together with the fact that people get tired and frustrated by an endless stream of notifications that keep interrupting them.
However, an MFA bombing attack requires that the attacker already has the victim's username and password. For that reason, keeping your credentials out of attackers' hands through good password hygiene is the essential first line of defence against MFA bombing.
We will return to this below.
Multi-Factor Authentication (MFA) in brief
Multi-factor authentication is an extra layer of security for your accounts. In the past, a username and password were considered sufficient to protect an account, but over time extra protection became increasingly necessary as attackers got better at breaking into accounts using methods like password spraying, dictionary attacks and brute force.
In short, MFA aims to verify that it is really the account owner who is logging in, not someone impersonating them.
Therefore, when logging in with MFA, you must provide at least two proofs of your identity, one of which is typically your username and password. These proofs fall into different categories, including:
- Something you have: e.g. a mobile phone on which you receive one-time codes or run an authenticator app such as Google Authenticator, or a payment card.
- Something you know: such as a PIN or other secure codes that only you know.
- Something you are: biometric data such as your fingerprint or facial recognition.
MFA makes your accounts more secure because an attacker needs both your regular login details and your extra "proof" (for example, possession of your phone) to get in.
How MFA bombing works
Now you may be wondering how MFA can be bypassed when it requires the attacker to hold the user's extra proof of identity. The answer is social engineering.
Social engineering manipulates the user into granting access to their account or system. In the case of MFA bombing, the attacker plays on human states such as frustration and fatigue.
Basically, MFA bombing means the attacker uses the stolen password to trigger login attempt after login attempt, bombarding (hence the name) the user with push notifications until the user finally gives in, approves one of them and thereby lets the attacker into the account. This is why the attack targets MFA via authenticator apps that send a push notification whenever a login is attempted: approving in such apps typically takes nothing more than a tap or a swipe.
If the victim seems hard to convince, the attacker may also contact them by email or chat message posing as IT support, claiming that the notifications are legitimate and must be approved.
The flood of login notifications can be overwhelming. Victims typically approve an unauthorised login when they are distracted by something else, when they mistake it for a legitimate request, or simply when they have become frustrated enough with the volume of notifications that they press approve just to make them stop.
There are also quieter variants of MFA bombing. For example, the attacker may send only one or two login requests per day over a period of time, attracting less attention while the chance that the user eventually approves one remains fairly high. As with all other forms of attack, the methods used in MFA bombing keep evolving.
Why MFA bombing is effective
It is precisely the use of social engineering that makes MFA bombing so effective.
Attackers often time MFA bombing for when the victim is most likely to be tired and inattentive, such as the end of the working day or the evening. Some victims have been woken by the notifications in the middle of the night, when the chance of approving one out of frustration, inattention or fatigue is highest.
At the same time, it is a relatively new type of threat that many are not prepared for or even aware of.
MFA bombing attack on Uber
In September 2022, Uber suffered a large-scale MFA bombing attack. An attacker using the alias Tea Pot had bought an Uber contractor's stolen login credentials on the dark web, and the attack quickly took hold. The attacker used social engineering to trick the contractor into approving a login attempt, and once it was approved, the attacker was able to enrol his own device for MFA on the account.
This gave the attacker a foothold on Uber's internal network and, from there, access to privileged administrator accounts that opened up further systems.
The attack resulted in a data breach, with some internal information subsequently exposed on the dark web.
It later emerged that the attack had been carried out through MFA bombing. The contractor's password had been sold on the dark web after his personal device had been infected with malware. The attacker then impersonated Uber's IT department in a WhatsApp message, telling the contractor that the only way to stop the stream of login notifications was to approve one of them.
What you can do to prevent MFA bombing attacks
Fortunately, there are several things you can do to minimize the risk of being hit by an MFA bombing attack. We recommend the following:
- Strong, unique passwords: The most important thing is to have strong passwords that you do not reuse between accounts, so that your login details are not stolen in the first place. A password manager can store all your passwords securely so you don't have to remember them, and most can generate strong passwords for you that have no connection to you personally. Note, however, that password strength does not help if the password is stolen by malware or phishing, as happened in the Uber case, so be equally careful about what you install and where you type your password.
- Contact IT: If you receive a stream of push notifications asking you to approve logins you did not make, deny them and contact your workplace IT department so the password can be changed. This should always set off alarm bells, as it is a clear sign that someone already has your password and is trying to get into your account.
- Limit the number of MFA requests: Many MFA services let administrators limit how many push requests a user can receive within a given period. This is a setting in the identity provider or MFA service rather than in the app on your phone, so ask your IT department about it. It does not make MFA bombing impossible, but it takes away the flood of notifications the attack depends on.
- Choose one-time codes or number matching: You can also choose to receive one-time codes rather than using an app that only requires you to tap a button to approve. Typing a code yourself is a deliberate act in a way that a tap on a notification is not. Many authenticator apps also support number matching, where the login screen shows a number that must be entered in the app before the login is approved; a blind tap on a notification the user did not initiate then no longer works.
- Turn off push notifications: Following on from the previous point, you can also turn off push notifications altogether. A flood of notifications is a prerequisite for MFA bombing, whose purpose is to wear the user down. With push turned off, you open the app yourself and authenticate when you actually log in, and an attacker's attempts produce nothing for you to approve.
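The "contact IT" and "limit the number of MFA requests" points above are both things an organisation can automate on the server side. The Python script below is an added example written for this page; it is not code from the original article or from any MFA vendor. It runs over a constructed push-notification log (the log format, event names, user names, IP addresses and thresholds are all assumptions for illustration) and does two things: it flags a user who receives a burst of push requests in a short window, and a user who approves a push after denying several, which is the classic fatigue signature; and it replays the same log through a sliding-window cap on pushes per user, the kind of limit an identity provider offers, to show how many of the attacker's pushes would never have reached the phone.

```python
"""Detect MFA-bombing patterns in push-notification logs and cap pushes per user.

Added example, not code from the original article or from any MFA vendor.
Log format, event names and thresholds are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <event> <source ip>".
# Events are push_sent, push_denied and push_approved. Not real log data.
SAMPLE_LOG = """\
2022-09-15T09:12:00 bob push_sent 198.51.100.2
2022-09-15T09:12:20 bob push_approved 198.51.100.2
2022-09-15T22:00:01 alice push_sent 203.0.113.7
2022-09-15T22:00:09 alice push_denied 203.0.113.7
2022-09-15T22:00:40 alice push_sent 203.0.113.7
2022-09-15T22:00:52 alice push_denied 203.0.113.7
2022-09-15T22:01:30 alice push_sent 203.0.113.7
2022-09-15T22:02:10 alice push_sent 203.0.113.7
2022-09-15T22:03:00 alice push_sent 203.0.113.7
2022-09-15T22:03:05 alice push_approved 203.0.113.7
"""

WINDOW = timedelta(minutes=10)       # assumed detection / rate-limit window
MAX_PUSHES = 5                       # pushes per user per window that count as a burst
MIN_DENIALS_BEFORE_APPROVAL = 2      # denials followed by an approval = fatigue signature


def parse_log(text):
    """Parse the assumed log format into (timestamp, user, event, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, event, ip))
    return sorted(events, key=lambda e: e[0])


def _trim(queue, now, window):
    """Drop timestamps older than the window from the left of a deque."""
    while queue and now - queue[0] > window:
        queue.popleft()


def detect_fatigue(events, window=WINDOW):
    """Return (user, reason, timestamp) alerts for burst and approval-after-denials patterns."""
    alerts = []
    sent = defaultdict(deque)        # user -> push_sent timestamps inside the window
    denied = defaultdict(deque)      # user -> push_denied timestamps inside the window
    last_burst_alert = {}            # user -> timestamp of the last burst alert raised
    for ts, user, event, _ip in events:
        _trim(sent[user], ts, window)
        _trim(denied[user], ts, window)
        if event == "push_sent":
            sent[user].append(ts)
            if len(sent[user]) >= MAX_PUSHES and (
                user not in last_burst_alert or ts - last_burst_alert[user] > window
            ):
                alerts.append((user, "burst", ts))
                last_burst_alert[user] = ts
        elif event == "push_denied":
            denied[user].append(ts)
        elif event == "push_approved" and len(denied[user]) >= MIN_DENIALS_BEFORE_APPROVAL:
            # The user said "no" repeatedly and then "yes": worn down or talked into it.
            alerts.append((user, "approval_after_denials", ts))
    return alerts


class PushRateLimiter:
    """Sliding-window cap on push requests per user, mirroring an IdP-side limit."""

    def __init__(self, limit=3, window=WINDOW):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)

    def allow_push(self, user, ts):
        """Return True if a push may be sent now; False if the user is already at the cap."""
        q = self.history[user]
        _trim(q, ts, self.window)
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def replay_with_limit(events, limiter):
    """Replay push_sent events through the limiter; return how many would be suppressed."""
    return sum(
        1 for ts, user, event, _ip in events
        if event == "push_sent" and not limiter.allow_push(user, ts)
    )


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, reason, ts in detect_fatigue(events):
        print(f"ALERT {ts:%Y-%m-%d %H:%M:%S} {user}: {reason}")
    suppressed = replay_with_limit(events, PushRateLimiter(limit=3))
    print(f"A cap of 3 pushes per {WINDOW} would have suppressed {suppressed} pushes")
```

On the constructed log, alice triggers both alerts (five pushes in three minutes, then an approval after two denials) while bob's single approved push is silent, and a cap of three pushes per ten minutes would have stopped alice's fourth and fifth push before they reached her phone. The thresholds are deliberately conservative; in a real deployment they should be tuned against a baseline of normal push volume, and the "approval after denials" alert is the one worth paging on, since it means the attacker may already be in.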
Multi-factor authentication is an extra layer of security and is always worth using. MFA bombing is just one example of attackers quickly finding a way around a security control, as they do with any security measure; it is yet another method that exploits human emotion and human error.
Emilie Hartmann
Emilie is responsible for Moxso’s content and communications efforts, including the words you are currently reading. She is passionate about raising awareness of human risk and cybersecurity - and connecting people and tech.