In today’s digital environment, traditional password-only authentication systems have proven vulnerable to a variety of cyberattacks. To protect critical business resources, organizations are increasingly adopting multi-factor authentication (MFA) as a stronger security measure. MFA requires users to provide multiple authentication factors to verify their identity, providing an extra layer of protection against unauthorized access.
However, cybercriminals continue to find ways to bypass MFA systems. One method that has gained traction is MFA spam attacks, also known as MFA fatigue or MFA bombing. This article takes an in-depth look at MFA spam attacks, including best practices for mitigating this growing threat.
What is MFA spam?
MFA spam is the malicious practice of flooding a target user’s email, phone, or other registered device with numerous MFA prompts or confirmation codes. The purpose behind this tactic is to inundate users with notifications in the hope that they will inadvertently approve unauthorized logins. To perform this attack, the hacker needs the target victim’s account credentials (username and password) to initiate the login process and trigger the MFA notification.
MFA spam attack technology
There are several methods used to perform MFA spam attacks, including:
- Leverage automated tools or scripts to send a large number of verification requests to the target victim’s device.
- Use social engineering tactics to trick target users into accepting verification requests.
- Use the API of the MFA system to send a large number of false authentication requests to target users.
By using these techniques, attackers aim to exploit any unintended approvals and ultimately gain unauthorized access to sensitive information or accounts.
MFA spam attack example
Hackers are increasingly using MFA spam attacks to bypass MFA systems. Here are two noteworthy cyberattacks performed using this technique:
- Between March and May 2021, hackers bypassed SMS multi-factor authentication at Coinbase, considered one of the largest cryptocurrency exchanges in the world, and stole cryptocurrency from more than 6,000 customers
- In 2022, hackers sent a large number of notifications to Crypto.com customers withdrawing funds from their wallets.Many customers unintentionally approved fraudulent transaction requests, resulting in the loss of 4,836.26 ETH, 443.93 BTC, and approximately $66,200 in other cryptocurrencies
How to mitigate MFA spam attacks
Mitigating MFA spam attacks requires implementing technical controls and enforcing relevant MFA security policies. Here are some effective strategies to prevent such attacks.
Enforce strong password principles and block breaching passwords
In order for an MFA spam attack to be successful, the attacker must first obtain the target user’s login credentials. Hackers use a variety of methods to obtain these credentials, including brute force attacks, phishing emails, credential stuffing, and purchasing stolen/leaked credentials from the dark web.
The first line of defense against MFA spam is to protect users’ passwords. Specops Password Policy with Leaked Password Protection helps prevent users from exploiting leaked credentials, thereby reducing the risk of attackers gaining unauthorized access to their accounts.
end user training
Your organization’s end-user training program should emphasize the importance of carefully validating MFA sign-in requests before approving them. If a user encounters a high volume of MFA requests, it should raise suspicion and serve as a potential clue to a targeted network attack. In this case, it is crucial to educate users to take immediate action, which includes resetting their account credentials as a precaution and notifying the security team. By leveraging self-service password reset solutions like Specops uReset, end users can quickly change their passwords, effectively minimizing the chance of MFA spam attacks.
rate limit
Organizations should implement a rate limiting mechanism that limits the number of authentication requests allowed by a single user account within a specific time frame. By doing this, automated scripts or bots cannot overwhelm users with too many requests.
Monitoring and alerting
Implement a robust monitoring system to detect and alert on unusual patterns of MFA requests. This can help instantly identify potential spam attacks and allow immediate action.
focus
To effectively prevent MFA spam, organizations must prioritize strong security practices. An effective strategy is to strengthen password policies and prevent the use of leaked passwords. Implementing solutions like Specops Password Policy’s leaked password protection feature can help organizations achieve this goal.
Try it for free here to learn how to enhance password security and protect your organization from MFA spam attacks.
