Hackers often tend to use psychological manipulation via social engineering attacks to trick users to give away sensitive information or make security mistakes. Continue reading →
Hackers often tend to use psychological manipulation via social engineering attacks to trick users to give away sensitive information or make security mistakes. There are different types of social engineering attacks used by hackers, such as phishing, baiting, scareware, pretexting, etc. However, there is another emerging social engineering tactic that is becoming a favorite choice of many hackers, i.e., “MFA Fatigue”, which compromises the multi-factor authentication (MFA) process.
When hackers conduct corporate breaches, they target to access insider’s (employee) log in credentials. To do that, they use different tricks, such as phishing attacks, malware, buying data from the dark web, accessing the leaked credentials due to data breaches, etc. Corporations need strong defense including advanced encryption and key management systems to ensure security. One common defense is in the form of multi-factor authentication (MFA).
As the name implies, multi-factor authentication is an extra verification step that is intended to make sure that only the right user is accessing the account. Mostly, a one-time password via a call/SMS or a prompt notification is sent to the user’s smartphone to confirm the login attempt. To bypass this security defense, hackers are seen actively using the MFA fatigue attack that even let them succeed in doing data breaches of high-profile companies, such as Cisco and Uber. In this article, we will discuss everything you need to know about MFA fatigue, including the best tips to protect from such attacks.
If a company has set up a notification-based MFA, then employees will receive a pop-up or prompt message that asks them to either approve or reject the sign-in location. Some prompt message also provides the location from where the sign-in request is made. So, in an MFA fatigue attack, the hackers use the stolen ID credentials of employee(s) and keep sending them push notifications to eventually make them approve the request to stop the never-ending stream of approval notifications.
There are also chances that users might keep rejecting the push notification or become doubtful about the hacking attempt, so hackers sometimes also use fraudulent email or call tactics to convince users to accept the sign-in request. In this email/call tactic, they pretend to be from the IT team and ask the employee to approve the request.
MFA fatigue is not just confined to non-stop push notifications, any other MFA approach, such as SMS or voice MFAs can also be compromised. In short, any tactic from hackers that can make the user bypass the MFA check intentionally comes under the MFA fatigue attack.
MFA fatigue attacks are on an aggressive rise for the past few years. As per Microsoft, from December 2021 to August 2022, the number of MFA attacks has increased significantly. For example, there were 22,850 Azure AD Identity Protection sessions with multiple failed MFA attempts in December 2021, while the number rose to 40,942 in August 2022.
Hackers have managed to successfully use MFA fatigue attacks to breach the security defenses of high-profile corporate names. Cisco and Uber are two prime cases of MFA scams this year. Let’s quickly look at the attack approach behind both of these high-profile attacks:
It is evident from the above two attack approaches that MFA fatigue is a serious security concern for companies no matter what level of MFA authentication they have set up.
It is acceptable that when you do something continuously, it becomes a habit. So, if users continuously receive a sign-in approval request, then they become habitual in accepting those requests. So, there is a very high chance that they will unintentionally accept the sign-in request right away even if it’s not made by them. So, sometimes hackers just have to do is access the login credentials, send the sign-in request, and instantly get access to the account/system. Therefore, habitual approval clicks are giving more support to hackers to deploy MFA fatigue attacks.
MFA fatigue attacks have the potential to even compromise a highly secure network. However, there are multiple ways to minimize the chances of becoming a victim of MFA fatigue attacks. Some of the main ones are as follows:
In addition to the above tips, your cybersecurity team can find more protective measures depending on your cybersecurity posture and minimize the chances of MFA breaches significantly.
Cybercriminals are working tirelessly to find new tricks to compromise the security of companies. MFA fatigue attacks are an emerging and serious threat, especially for big corporate names that involve thousands of employees. However, if we look closely at MFA fatigue, then the attack is only successful if the victim is unaware of such scams. Therefore, it is a preventable attack, and the above tips can help a lot with it. So, implement preventative measures and protect your company from this emerging and concerning cyberattack.
Properly tracking assets ensures that companies understand their inventory, streamline operations, and reduce costs. Continue…
B2B lead generation solutions and B2B sales tools help businesses target, engage, and convert prospects…
The remote work model has fundamentally changed how businesses approach team training and development. While…
If you're looking for a feature-packed tool with an easy-to-use interface and powerful image enhancement…
The construction industry is undergoing a profound transformation driven by rapid advancements in technology. With…
Trading in the foreign exchange market offers exciting opportunities, but it also demands a significant…