MFA prompt bombing is a low-complexity cyber-attack whose sole goal is to gain access to a system or application that is protected by multi-factor authentication (MFA). The attackers rely on human error to trick a user into accepting an MFA request.
Push-based authentication is the most important factor in MFA prompt bombing for attackers, because the user is only one click away from approving an authentication request.
In a typical MFA prompt bombing attack, cybercriminals send many MFA approval requests to a user over a short period, hoping that the user will become annoyed by the volume of requests, give in, and accept one, which provides the attacker with access.
However annoying the prompts are, a successful attack gives the attacker access to accounts or the opportunity to run malicious code on a target system.
In most MFA prompt bombing attacks, the attacker obtains the targeted user's credentials through common methods such as brute force attacks, getting them online, or other common ways of compromising credentials. Once the attacker has the compromised credentials, they will use one of the following to initiate an MFA prompt bombing attack.
Although MFA prompt bombing has been around for several years, attackers are only now using it more frequently. A recent example of a successful MFA prompt bombing attack was the Uber breach. The prompt bombing attack on Uber used MFA push notifications through a Duo authenticator app and issued multiple push notifications until the request was accepted.
While attackers will continue to deploy MFA prompt bombing techniques, organizations will struggle to fight off these attacks because they bypass standard MFA protection. This creates a major security gap for most organizations, because standard MFA solutions give limited visibility into user activity and the authentication requests users receive.
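The visibility gap described above can be narrowed by watching authentication logs for the pattern itself: many push prompts to one user in a short period, especially when an approval follows a run of rejections. The following is an added example, not code from this article or from any vendor product; the event fields, the five-minute window and the threshold of five prompts are assumptions to tune against your own MFA provider's logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, user, outcome of the push prompt.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "alice", "approved"),
    ("2024-01-10T23:40:05", "bob", "denied"),
    ("2024-01-10T23:40:40", "bob", "timeout"),
    ("2024-01-10T23:41:10", "bob", "denied"),
    ("2024-01-10T23:41:55", "bob", "timeout"),
    ("2024-01-10T23:42:30", "bob", "denied"),
    ("2024-01-10T23:43:02", "bob", "approved"),
    ("2024-01-11T08:15:00", "carol", "denied"),
    ("2024-01-11T08:15:30", "carol", "approved"),
]


def detect_prompt_bombing(events, window=timedelta(minutes=5), threshold=5):
    """Alert when a user receives `threshold` or more push prompts within `window`.

    Severity is "high" when the prompt that triggers the alert was approved after
    at least `threshold - 1` rejected or ignored prompts in the same window.
    """
    recent = defaultdict(deque)  # user -> (timestamp, outcome) pairs inside the window
    alerts = []
    for ts_text, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        prompts = recent[user]
        prompts.append((ts, outcome))
        # Drop prompts that have aged out of the sliding window.
        while ts - prompts[0][0] > window:
            prompts.popleft()
        if len(prompts) < threshold:
            continue
        rejected = sum(1 for _, o in prompts if o != "approved")
        # An approval at the end of a burst is the outcome the attacker is waiting for.
        give_in = outcome == "approved" and rejected >= threshold - 1
        alerts.append({
            "user": user,
            "time": ts_text,
            "prompts_in_window": len(prompts),
            "severity": "high" if give_in else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_EVENTS):
        print(alert)
```

A "medium" alert is a cue to contact the user or temporarily block push for the account; a "high" alert means the session created by that approval should be treated as suspect and revoked pending review.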