Social engineering technique tricks victims into approving attackers' access to their own accounts
Malicious hackers are targeting Office 365 users with a slew of “MFA fatigue attacks,” bombarding victims with 2FA push notifications to trick them into authenticating their login attempts.
That’s according to GoSecure researchers, who have warned that there is a rise in attacks that exploit human behavior to gain access to devices.
Multi-Factor Authentication (MFA) fatigue is the name given to a technique in which adversaries flood a user’s authentication application with push notifications in the hope that the user will eventually accept one and thereby allow the attacker to access the account or device.
In a blog post earlier this week, GoSecure described the attack as “simple”, given that “it only requires the attacker to manually or even automatically send repeated push notifications while trying to log into the account of the victim”.
This requires the attacker to already hold the victim’s credentials, which “could be obtained through brute force, password reuse, or password spraying”.
“Once the attacker obtains valid credentials, they will spam the push notification repeatedly until the user approves the login attempt and allows the attacker access to the account.
“This usually happens because the user is distracted or overwhelmed with notifications and in some cases it can be misinterpreted as a bug or confused with other legitimate authentication requests.”
“Make It Disappear”
GoSecure noted that the attack is particularly effective – not because of the technology involved, but because it targets the human factor via social engineering.
“Many MFA users are unfamiliar with this type of attack and would not understand that they are approving a fraudulent notification,” the researchers wrote.
“Others just want it to go away and are just not aware of what they are doing since they approve similar notifications all the time. They can’t see through the ‘notification overload’ to spot the threat.”
The technique has been spotted in the wild in recent years, including during a 2021 campaign when Russian agents were seen targeting Office 365 users via push notifications.
Mandiant’s research detailed how threat actors were observed executing multiple authentication attempts in short succession on accounts secured with MFA.
“In these cases, the threat actor had a valid username and password combination,” reads one blog post.
“Many MFA providers allow users to accept a phone app push notification or receive a phone call and press a key as a second factor.
“The threat actor took advantage of this and sent multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, eventually allowing the threat actor to access the account.”
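The pattern Mandiant describes, many second-factor prompts in quick succession and then an approval, is what a sign-in log review should key on. The following is an added example, not GoSecure’s or Mandiant’s tooling: it runs a sliding-window check over constructed records whose four fields (time, user, source IP, second-factor result) are a deliberate simplification of what an Office 365 / Azure AD sign-in export contains, not its exact schema, and the result values are assumed names.

```python
"""Flag MFA push-fatigue bursts in sign-in records.

Added example: not GoSecure's or Mandiant's tooling. The records below are
constructed, and the field layout (time, user, source IP, second-factor
result) is a simplification of a sign-in log export, not its exact schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

UNAPPROVED = {"mfa_denied", "mfa_timeout"}

# Constructed sample: alice is hammered with prompts and finally approves one,
# erin is hammered but never approves, dave declines three prompts spread over
# an hour (not a burst), bob and carol look like normal sign-ins.
SAMPLE_LOG = [
    ("2022-02-10T08:01:05Z", "alice@contoso.example", "203.0.113.7", "mfa_denied"),
    ("2022-02-10T08:01:31Z", "alice@contoso.example", "203.0.113.7", "mfa_timeout"),
    ("2022-02-10T08:02:10Z", "alice@contoso.example", "203.0.113.7", "mfa_denied"),
    ("2022-02-10T08:03:02Z", "alice@contoso.example", "203.0.113.7", "mfa_timeout"),
    ("2022-02-10T08:04:50Z", "alice@contoso.example", "203.0.113.7", "mfa_approved"),
    ("2022-02-10T08:30:00Z", "bob@contoso.example",   "198.51.100.4", "mfa_approved"),
    ("2022-02-10T09:00:00Z", "carol@contoso.example", "192.0.2.9",    "mfa_timeout"),
    ("2022-02-10T09:00:40Z", "carol@contoso.example", "192.0.2.9",    "mfa_approved"),
    ("2022-02-10T10:00:00Z", "dave@contoso.example",  "198.51.100.8", "mfa_denied"),
    ("2022-02-10T10:20:00Z", "dave@contoso.example",  "198.51.100.8", "mfa_denied"),
    ("2022-02-10T10:45:00Z", "dave@contoso.example",  "198.51.100.8", "mfa_timeout"),
    ("2022-02-10T11:00:00Z", "erin@contoso.example",  "203.0.113.7",  "mfa_timeout"),
    ("2022-02-10T11:00:45Z", "erin@contoso.example",  "203.0.113.7",  "mfa_timeout"),
    ("2022-02-10T11:01:30Z", "erin@contoso.example",  "203.0.113.7",  "mfa_timeout"),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_push_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Return one finding per user who declined or ignored `threshold` or more
    push prompts inside any `window`-long span.

    `approved_after_burst` is set when an approval lands while such a burst is
    still inside the window: that is the shape of a successful fatigue attack
    and should page someone rather than just open a ticket.
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts in window
    findings = {}
    for ts, user, ip, result in sorted(records, key=lambda r: r[0]):
        now = parse_ts(ts)
        q = recent[user]
        while q and now - q[0] > window:   # slide the window forward
            q.popleft()
        if result in UNAPPROVED:
            q.append(now)
            if len(q) >= threshold:
                f = findings.setdefault(user, {
                    "user": user, "ips": set(), "peak_unapproved": 0,
                    "approved_after_burst": False,
                })
                f["ips"].add(ip)
                f["peak_unapproved"] = max(f["peak_unapproved"], len(q))
        elif result == "mfa_approved" and len(q) >= threshold:
            # The burst is still live and someone just tapped Approve.
            findings[user]["ips"].add(ip)
            findings[user]["approved_after_burst"] = True
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_push_bursts(SAMPLE_LOG):
        print(finding)
```

On the sample data, alice and erin are flagged and only alice carries `approved_after_burst`; dave’s three declines fall outside any five-minute window and are ignored. The source IP of the approved sign-in is worth keeping in the finding, since in a fatigue attack it belongs to the attacker, not to the user who tapped Approve.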
GoSecure published a proof of concept that demonstrates how the attack works in real time.
The researchers also detailed how an Office 365 user can detect multiple push notification attempts and advised on how to mitigate attacks of this nature.
For example, an administrator can configure the MFA service’s limits so that an account is locked after a maximum number of push notification attempts within a certain time frame.
Users could also help prevent inadvertent approval of an attacker’s sign-in by using the phone sign-in verification method, which requires a number to be matched rather than a prompt simply approved.
GoSecure explains, “In this scenario, a unique two-digit number is generated that needs to be confirmed on both sides.
“It is very difficult for an attacker to compromise because he is shown a number that has to be guessed in the phone (which the attacker does not have access to).”
Finally, a “radical move, but a quick fix” might be to disable push notifications altogether.
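As an added example of how the mitigations above change the outcome, the toy backend below is not GoSecure’s proof of concept or Microsoft’s implementation: the class, its method names and the lockout rule are assumptions standing in for the real service’s settings, and the time-window limit described above is simplified to a plain failure counter. It contrasts a plain Approve/Deny push with number matching, and shows the denial lockout cutting off the flood.

```python
"""Toy second-factor backend contrasting plain push approval with number
matching and a denial lockout.

Added example: not GoSecure's proof of concept or Microsoft's code. The class,
its method names and the failure-count lockout are illustrative; the real
service's time-window limit is simplified here to a counter.
"""
import secrets


class PushMfaBackend:
    """Second factor for one account.

    mode="push":   tapping Approve completes the oldest pending sign-in.
    mode="number": the approver must type the two-digit code that the sign-in
                   page displayed to whoever entered the password.
    """

    def __init__(self, mode="push", max_failures=3):
        assert mode in ("push", "number")
        self.mode = mode
        self.max_failures = max_failures
        self.failures = 0           # denied or mismatched prompts so far
        self.locked = False
        self.pending = {}           # session id -> code shown on the sign-in page
        self.authenticated = set()  # session ids that completed the second factor

    def start_login(self, session_id):
        """Password already verified; push a prompt and return what the
        sign-in page shows to the person at the keyboard."""
        if self.locked:
            raise RuntimeError("account locked: no further prompts are sent")
        code = secrets.randbelow(100) if self.mode == "number" else None
        self.pending[session_id] = code
        return code

    def _fail(self, session_id):
        del self.pending[session_id]
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False

    def phone_deny(self):
        """User taps Deny on the oldest pending prompt."""
        if not self.pending:
            return False
        return self._fail(next(iter(self.pending)))

    def phone_approve(self, typed_number=None):
        """User taps Approve. In number mode `typed_number` must equal the
        code for the oldest pending prompt; a blind tap cannot succeed."""
        if not self.pending:
            return False
        session_id, code = next(iter(self.pending.items()))
        if self.mode == "number" and typed_number != code:
            return self._fail(session_id)
        del self.pending[session_id]
        self.authenticated.add(session_id)
        return True


def run_fatigue_attack(mode, attempts=10, victim_types=None):
    """Attacker holds the password and fires up to `attempts` sign-ins; a
    distracted victim taps Approve on every prompt, typing `victim_types` in
    number mode (None: the victim saw no sign-in page and has nothing to type)."""
    backend = PushMfaBackend(mode)
    prompts = 0
    for i in range(attempts):
        try:
            shown_to_attacker = backend.start_login(f"attacker-{i}")
        except RuntimeError:
            break  # lockout kicked in: the flood stops
        prompts += 1
        # `shown_to_attacker` is on the attacker's screen, not the victim's
        # phone, so it never reaches phone_approve().
        backend.phone_approve(typed_number=victim_types)
    return {"compromised": bool(backend.authenticated),
            "locked": backend.locked, "prompts": prompts}


if __name__ == "__main__":
    print("push:  ", run_fatigue_attack("push"))
    print("number:", run_fatigue_attack("number"))
```

In push mode the first blind tap hands the attacker a session. In number mode a victim who dismisses the prompts never types a code, so three mismatches lock the account and the fourth prompt is never sent; a victim who guesses instead has one chance in a hundred per prompt, and the lockout caps how many prompts there are. A legitimate sign-in still works because the person at the keyboard can read the code off their own screen and type it into the app.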
GoSecure warned: “As app-based authentication mechanisms are increasingly adopted as a more secure way to authenticate a user (compared to SMS or phone calls), it is expected that this trend will grow in the future, even encouraged by Microsoft itself”.