Users Duped into Enabling Device Access Due to Overload of Push Notifications

A social engineering approach is used to trick people into giving up access to their accounts.


Malicious hackers are initiating a new wave of 'MFA fatigue attacks,' in which they bombard victims with 2FA push alerts in an attempt to mislead them into authenticating their login attempts. 

GoSecure researchers have warned that attacks exploiting human behaviour to gain access to devices are on the upswing. In a multi-factor authentication (MFA) fatigue attack, the adversary bombards a user's authentication app with push notifications in the hope that the user will eventually accept one and so allow the attacker to obtain access to an account or device. GoSecure described the assault as "simple" in a blog post earlier this week, noting that "it only requires the attacker to manually, or even automatically, send repeated push notifications while trying to log into the victim's account".

Further, it added, “Once the attacker obtains valid credentials, they will perform the push notification spamming repeatedly until the user approves the login attempt and lets the attacker gain access to the account. This usually happens because the user is distracted or overwhelmed by the notifications and, in some cases, it can be misinterpreted as a bug or confused with other legitimate authentication requests.” 

The attack is exceptionally effective, according to GoSecure, not because of the technology involved, but because it exploits the human component through social engineering. 

Researchers wrote, “Many MFA users are not familiar with this type of attack and would not understand they are approving a fraudulent notification. Others just want to make it disappear and are simply not aware of what they are doing since they approve similar notifications all the time. They can’t see through the ‘notification overload’ to spot the threat.” 

The approach has been seen in the wild in recent years, including during a 2021 campaign in which Russian operators were seen sending push alerts to Office 365 users. Threat actors were spotted performing repeated authentication attempts in short succession against accounts secured with MFA, according to Mandiant research. 

A blog post reads, “In these cases, the threat actor had a valid username and password combination. Many MFA providers allow users to accept a phone app push notification or to receive a phone call and press a key as a second factor. The threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.” 

The researchers also explained how an Office 365 user might detect numerous push notification attempts and how to protect against such assaults. For example, the MFA service's default limits can be adjusted so that only a specific number of push notification attempts are allowed within a given time window.
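The two defensive measures just described, spotting a burst of push prompts and capping how many may be sent in a window, can be illustrated in code. The following is an added example, not code from GoSecure, Mandiant or any MFA vendor. The log lines are constructed for this illustration, and the `user=`/`event=`/`result=` field layout is an assumption; real MFA providers have their own log schemas, so the parser would need adapting.

```python
"""Detect push-notification flooding in MFA logs and rate-limit push sends.

Added example. The log format is constructed for illustration:
one record per line, ISO timestamp followed by key=value fields.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: six push prompts to "alice" within ~90 seconds, the last
# one approved, which is the pattern GoSecure and Mandiant describe.
SAMPLE_LOG = """\
2022-02-10T08:00:01Z user=alice event=mfa_push result=denied
2022-02-10T08:00:14Z user=alice event=mfa_push result=timeout
2022-02-10T08:00:31Z user=alice event=mfa_push result=denied
2022-02-10T08:00:45Z user=alice event=mfa_push result=timeout
2022-02-10T08:01:02Z user=bob event=mfa_push result=approved
2022-02-10T08:01:10Z user=alice event=mfa_push result=timeout
2022-02-10T08:01:25Z user=alice event=mfa_push result=approved
2022-02-10T09:30:00Z user=carol event=mfa_push result=approved
"""


def parse_line(line):
    """Split one constructed log line into a dict with a datetime 'ts' field."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def _push_records(log_text):
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec.get("event") == "mfa_push":
                yield rec


def find_push_floods(log_text, max_pushes=3, window=timedelta(minutes=5)):
    """Return {user: peak_count} for users who received more than max_pushes
    push prompts inside any sliding window of the given length."""
    recent = defaultdict(deque)
    flagged = {}
    for rec in _push_records(log_text):
        q = recent[rec["user"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) > max_pushes:
            flagged[rec["user"]] = max(flagged.get(rec["user"], 0), len(q))
    return flagged


def approvals_after_flood(log_text, min_prior=3, window=timedelta(minutes=5)):
    """Higher-signal variant: an approval that follows min_prior or more
    unapproved prompts in the window. Returns a list of (user, timestamp)."""
    recent = defaultdict(deque)
    hits = []
    for rec in _push_records(log_text):
        q = recent[rec["user"]]
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if rec["result"] == "approved":
            if len(q) >= min_prior:
                hits.append((rec["user"], rec["ts"]))
            q.clear()  # a successful login ends the burst
        else:
            q.append(rec["ts"])
    return hits


class PushRateLimiter:
    """Server-side cap on push prompts per user per window, the 'default
    limits' mitigation: once the cap is hit, no further push is sent."""

    def __init__(self, max_pushes=3, window=timedelta(minutes=5)):
        self.max_pushes = max_pushes
        self.window = window
        self._sent = defaultdict(deque)

    def allow(self, user, now):
        q = self._sent[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_pushes:
            return False  # caller should fall back to a non-push factor or deny
        q.append(now)
        return True


if __name__ == "__main__":
    print("flooded:", find_push_floods(SAMPLE_LOG))
    print("approvals after flood:", approvals_after_flood(SAMPLE_LOG))
```

Running the detector over the sample flags `alice` with six prompts in the window, and `approvals_after_flood` pinpoints the 08:01:25 approval as the one that followed a burst of five unapproved prompts, which is the event an analyst would want to investigate. The rate limiter shows the preventive side: after three prompts in five minutes, further pushes for that user are refused until the window slides.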

GoSecure also pointed to a verification mode in which the user must confirm a number rather than simply tap "approve", explaining, "In this scenario, a unique two-digit number is generated and must be confirmed on both sides. This is very hard for an attacker to compromise since the attacker is shown a number that must be guessed in the phone (which the attacker doesn't have access to)." Finally, a "radical move, but a quick solution" could be to disable the push notifications entirely.
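The number-confirmation scheme GoSecure describes can be sketched as a small server-side state machine. This is an added example written for this post, not GoSecure's or any vendor's implementation; the class and method names are hypothetical. The point it demonstrates is that an approval from the phone only counts if it carries the number shown on the login screen, so a distracted user who blindly taps "approve" (or guesses) cannot complete a login they did not initiate, and each challenge is single-use so a wrong answer cannot be retried.

```python
"""Number-matching MFA challenge, server side (added example, hypothetical API)."""
import secrets
from datetime import datetime, timedelta


class NumberMatchingMFA:
    """Holds pending push challenges keyed by a random challenge id."""

    def __init__(self, ttl=timedelta(minutes=2)):
        self.ttl = ttl
        self._pending = {}  # challenge_id -> (user, number, expires_at)

    def start_login(self, user, now=None):
        """Called after the password check succeeds. Returns the challenge id
        and the two-digit number that is displayed on the *login screen*."""
        now = now or datetime.utcnow()
        challenge_id = secrets.token_urlsafe(16)
        number = secrets.randbelow(100)  # 00..99, unguessable in advance
        self._pending[challenge_id] = (user, number, now + self.ttl)
        return challenge_id, f"{number:02d}"

    def approve(self, challenge_id, user, entered, now=None):
        """Called by the authenticator app with the number the user typed in.
        The challenge is consumed whether or not the answer is right, so a
        wrong guess forces a brand-new push rather than a retry."""
        now = now or datetime.utcnow()
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False  # unknown, expired-and-purged, or already used
        expected_user, expected_number, expires_at = entry
        if now > expires_at or user != expected_user:
            return False
        try:
            return int(entered) == expected_number
        except (TypeError, ValueError):
            return False

    def pending_count(self):
        return len(self._pending)


def legitimate_login(mfa, user):
    """The user who initiated the login sees the number and types it in."""
    challenge_id, shown = mfa.start_login(user)
    return mfa.approve(challenge_id, user, shown)


def blind_approval(mfa, user, guess="00"):
    """A prompt the user did not initiate: they cannot see the login screen,
    so the best they can do is guess. Returns (approved, chance_per_prompt)."""
    challenge_id, _shown = mfa.start_login(user)
    approved = mfa.approve(challenge_id, user, guess)
    # A second attempt on the same challenge always fails: it was consumed.
    retry = mfa.approve(challenge_id, user, guess)
    return approved, retry, 1 / 100


if __name__ == "__main__":
    mfa = NumberMatchingMFA()
    print("legitimate login:", legitimate_login(mfa, "alice"))
    print("blind approval (approved, retry, odds):", blind_approval(mfa, "alice"))
```

A blind approval succeeds only when the guess happens to equal the displayed number (1 in 100 per prompt), and because the challenge is consumed on the first answer there is no second attempt on the same prompt. Combined with a cap on how many prompts may be sent per window, that turns the "tap to make it go away" reflex into a failed login rather than a compromised account.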

GoSecure also warned, “As app-based authentication mechanisms are being adopted increasingly as a safer way to authenticate a user (versus SMS or phone call) it is expected that this tendency will grow in the future, even be encouraged by Microsoft itself.”