MFA Fatigue – A New Favorite Tactic of Hackers to Conduct Big Corporate Breaches

Hackers often tend to use psychological manipulation via social engineering attacks to trick users to give away sensitive information or make security mistakes. There are different types of social engineering attacks used by hackers, such as phishing, baiting, scareware, pretexting, etc. However, there is another emerging social engineering tactic that is becoming a favorite choice of many hackers, i.e., “MFA Fatigue”, which compromises the multi-factor authentication (MFA) process.

When hackers conduct corporate breaches, they target to access insider’s (employee) log in credentials. To do that, they use different tricks, such as phishing attacks, malware, buying data from the dark web, accessing the leaked credentials due to data breaches, etc. Corporations need strong defense including advanced encryption and key management systems to ensure security. One common defense is in the form of multi-factor authentication (MFA).

As the name implies, multi-factor authentication is an extra verification step that is intended to make sure that only the right user is accessing the account. Mostly, a one-time password via a call/SMS or a prompt notification is sent to the user’s smartphone to confirm the login attempt. To bypass this security defense, hackers are seen actively using the MFA fatigue attack that even let them succeed in doing data breaches of high-profile companies, such as Cisco and Uber. In this article, we will discuss everything you need to know about MFA fatigue, including the best tips to protect from such attacks.

What is MFA Fatigue

If a company has set up a notification-based MFA, then employees will receive a pop-up or prompt message that asks them to either approve or reject the sign-in location. Some prompt message also provides the location from where the sign-in request is made. So, in an MFA fatigue attack, the hackers use the stolen ID credentials of employee(s) and keep sending them push notifications to eventually make them approve the request to stop the never-ending stream of approval notifications.

There are also chances that users might keep rejecting the push notification or become doubtful about the hacking attempt, so hackers sometimes also use fraudulent email or call tactics to convince users to accept the sign-in request. In this email/call tactic, they pretend to be from the IT team and ask the employee to approve the request.

MFA fatigue is not just confined to non-stop push notifications, any other MFA approach, such as SMS or voice MFAs can also be compromised. In short, any tactic from hackers that can make the user bypass the MFA check intentionally comes under the MFA fatigue attack.

MFA Fatigue Attacks Are on the Rise

MFA fatigue attacks are on an aggressive rise for the past few years. As per Microsoft, from December 2021 to August 2022, the number of MFA attacks has increased significantly. For example, there were 22,850 Azure AD Identity Protection sessions with multiple failed MFA attempts in December 2021, while the number rose to 40,942 in August 2022.

Hackers have managed to successfully use MFA fatigue attacks to breach the security defenses of high-profile corporate names. Cisco and Uber are two prime cases of MFA scams this year. Let’s quickly look at the attack approach behind both of these high-profile attacks:

• Cisco: One of the Cisco employees was targeted by Yanluowang threat actors that hijacked the employee’s personal Google account synced with the browser and stole the login credentials. Once done, the hackers then started the MFA fatigue attack along with voice phishing attacks, which eventually made the employee accept the log-in approval request.
• Uber: One of the Uber employees was tricked into a social engineering attack that gave hackers access to Uber’s intranet. Once done, they started the MFA fatigue attack by presenting themselves from Uber IT support, eventually convincing the employee to approve the log-in request.

It is evident from the above two attack approaches that MFA fatigue is a serious security concern for companies no matter what level of MFA authentication they have set up.

Constant Sign-in Requests are Turned into Habitual Approval Clicks

It is acceptable that when you do something continuously, it becomes a habit. So, if users continuously receive a sign-in approval request, then they become habitual in accepting those requests. So, there is a very high chance that they will unintentionally accept the sign-in request right away even if it’s not made by them. So, sometimes hackers just have to do is access the login credentials, send the sign-in request, and instantly get access to the account/system. Therefore, habitual approval clicks are giving more support to hackers to deploy MFA fatigue attacks.

Best Tips to Protect from MFA Fatigue Attacks

MFA fatigue attacks have the potential to even compromise a highly secure network. However, there are multiple ways to minimize the chances of becoming a victim of MFA fatigue attacks. Some of the main ones are as follows:

• Don’t always click “Approve”: Employees have to stop the habit of immediately approving any sign-in request. First, ensure that it is either you or an authorized person that is requesting the login, only then approve the request.
• Use Number Matching MFA: Other than the popular MFA techniques like push notification, voice, or SMS, the number matching MFA technique provides more protection. In this technique, the person who is intending to log in receives a combination of numbers that he/she puts in the authentication pop-up message on the smartphone. If the number matches, only then the request is approved. This way, hackers can no longer trick user to approve MFA request.
• Contact IT Admin: If you keep receiving MFA request either via push notification, call, or SMS, then get in touch with the IT team to discuss the matter and verify if they are the ones requesting the access.
• Change Password: Continuous MFA requests give indication that something is wrong and that most likely your login credentials are compromised. So, you should immediately change the password to take the hackers out of the cycle.
• Awareness Training: It is likely that most employees are not well-aware of MFA fatigue attacks. Therefore, a company should conduct awareness training so that employees can instantly detect such malicious activities.

In addition to the above tips, your cybersecurity team can find more protective measures depending on your cybersecurity posture and minimize the chances of MFA breaches significantly.

Wrapping Up

Cybercriminals are working tirelessly to find new tricks to compromise the security of companies. MFA fatigue attacks are an emerging and serious threat, especially for big corporate names that involve thousands of employees. However, if we look closely at MFA fatigue, then the attack is only successful if the victim is unaware of such scams. Therefore, it is a preventable attack, and the above tips can help a lot with it. So, implement preventative measures and protect your company from this emerging and concerning cyberattack.