Bypassing Multi-Factor Authentication via Prompt Bombing

It is the middle of the night, and you have finally fallen asleep, only to be awakened by the constant beeping of your phone. Bleary-eyed, you look at your phone to see it is prompting you to agree to log in on one of your accounts. You half wonder if you are dreaming and may instinctually hit “OK” on your phone so you can go back to dreamland. However, unbeknownst to you, you have become the next victim of prompt bombing to surrender to the tactic that could result in a potential security breach.

Although prompt bombing has been around for several years, cybercriminals are employing multi-factor authentication (MFA) prompt bombing to breach corporate systems. Although MFA is one of the strongest cybersecurity defenses, threat actors employ the technique to barrage accounts with multiple MFA requests until users accept the authentication. In fact, a notorious data extortion gang, LAPSUS$, claims prompt bombing is what they deployed to gain access to the laptop of a Microsoft employee recently. This latest development serves as an important reminder that MFA requests pushed to a user’s device should never be approved unless the mobile device user initiates it. Stolen credentials available on the dark web and elsewhere can be used to log into accounts and generate the MFA requests to the unwary workforce.

A Form of Social Engineering

Foundationally, prompt bombing is a form of social engineering. Although the term social engineering tends to connotate attackers using fear or some form of enticement to get someone to click a link or run a file, other emotional states can be helpful in circumventing our better judgment, and there are other results of a distracted click that criminals can abuse.

As we know and see more each day, cybercriminals certainly do not lack creativity to achieve their nefarious actions. Prompt bombing is quite annoying and can easily lead to distraction or frustration. The most obvious way to accomplish an effective level of annoyance would be for someone to send a ridiculous quantity of notifications that must be “clicked away” to let the user continue with whatever they were initially doing (like sleeping). Another method of annoyance and irritation could be making the screen reveal something disturbing or humiliating. Techniques used in prompt bombing typically include:

• Calling the target pretending to be part of the user’s organization and telling the victim they need to send an MFA request as part of a company process
• Sending several MFA requests and hoping the target finally accepts one to make the noise stop
• Sending one or two prompts per day. Although this method often attracts less attention, there is still a good chance the target will accept the MFA request

Whatever the method of annoyance, the objective is for the victim of the attack to click away notifications that would allow attackers to gain access to accounts or execute malicious code.

Is MFA Enough?

MFA is a fundamental defense that is among the most efficient at preventing account takeovers. In addition to requiring that users provide a username and password, MFA ensures users also use an additional factor. Additional factors include one-time passwords sent through SMS, generated by mobile apps like Google Authenticator, or push prompts sent to a mobile device before accessing an account. However, some forms of MFA are stronger than others, and recent events show that these weaker forms are not much of an obstacle for certain hackers. Recently, various data extortion gangs and other threat actors have successfully defeated the protection. The threat actor takes advantage by issuing multiple MFA requests to the end user’s legitimate device until the user accepts the authentication, allowing the threat actor to gain access to the account eventually.

The strongest methods of MFA are based on a framework called FIDO2. FIDO2 was developed by the Fast Identity Online (FIDO) Alliance. The idea behind FIDO2 is that it allows authentication to become passwordless via a new web application programming interface (API) called Web Authentication (WebAuthn). The WebAuthn API enables web applications to use public-key encryption and authenticators directly.

FIDO2 allows users to use fingerprint readers or cameras built into devices or dedicated security keys to confirm they are authorized to access an account. However, that does not mean organizations that use FIDO2-compliant MFA will not be susceptible to prompt bombing. It is expected that a certain proportion of users registered for these forms of MFA will lose their key, drop their iPhone in the water, or break the fingerprint reader on their laptop. To that end, organizations must have contingencies to deal with these unavoidable events. Many organizations will tend to fall back to more vulnerable forms of MFA if an employee loses the key or device required to send the additional factor. The cybercriminal can also try to mislead an IT administrator into resetting the MFA and enrolling a new device in other cases. FIDO2 forms of MFA are relatively new, so many services for both consumers and large companies have yet to adopt them. However, companies such as Microsoft, Google, and Apple already support FIDO2 security keys. Although this form of secure log-in is still in its infancy, passwordless authentication is bound to catch the attention of numerous organizations seeking to mature their security controls for users accessing corporate data and systems.

In Summary

Any form of MFA is better than no use of MFA. If SMS-delivered one-time passwords are the only method available, it is still better than not having MFA implemented. Many of the industry best practices and regulations are starting to require MFA for access to all systems. As with any form of security, the bad actors are constantly working to determine how to circumvent controls. If your organization can slow the attacks down, you may have time to thwart the attempt completely. Of course, it is understood that end-user training is paramount. We all go through the yearly security awareness training, but that is not enough. End users should receive periodic reminders regarding the latest threats. Do not let that late-night prompt bomb be the reason your organization incurs a data breach!