MFA Fatigue: One Of The Newest Attacks In Use

Nov 8, 2022

This article is part of Cybersecurity Awareness Month. It aims to introduce users, and anyone interested in this path, to the practical and unexpected sides of technology, so that you can keep abreast of the best ways to protect your data and give yourself a chance on the path of cybersecurity.

Now let’s go a little deeper into the subject of this article: MFA Fatigue, known to be one of the newest attacks currently in use by many hackers.

Here is a short example. When we log into an email application such as Gmail or Outlook, we receive alerts asking us to verify that we are the legitimate user and that we have access to our resources, and from time to time we must do the same on our smartphones, tablets, laptops, desktops… It can be a bit exhausting, can’t it? Well, this is what happens with MFA fatigue, only with an even more malicious objective. Thanks to this technique, many solo hackers and hacker groups have been able to access the information of many users, mainly employees, in order to obtain essential information. Of course, this is not possible unless the hackers have first obtained the credentials of the user from whom they wish to extract this valuable information.

To get a clearer idea of how hackers can use the MFA fatigue technique, let’s see how it commonly unfolds, so… Hey, listen! Don’t get distracted!

  1. Obtain the credentials (username and password) of the user for the service whose MFA notifications are being leveraged (various tools from the hacking world are used for this, as well as social engineering practices).
  2. With the credentials in hand, the hacker could say that he has made significant progress, having obtained the keys to the information he wants, but he is held back by the MFA of the application holding the user’s data… And here comes the reason for the name of the technique described in this article:
  3. The hacker can make use of two main methods:
    • Sending notifications repeatedly to the user’s cell phone or computer asking to allow access to the account, under the name of the company behind the application or program. This causes the user a sense of fatigue that can make him believe there is a tiny error in the authentication, and for either the first or the second reason he accepts the request and… There you go, there is an insider with privileges in the room.
    • The second is like the previous one but is more tied to the work environment. The attacker can impersonate an employee of the company and send requests to get access. If that company’s IT department does not have enough information to fully verify the identity of this “employee”, they may end up accepting the validation required to access that employee’s account and voilà! The attacker has reached the door of the final Boss without the Master Key.

This is how an attacker can get our information if we do not protect it deliberately, with the proper care on the devices we use. With this article, Cyberwarrior wants to encourage users to be aware of attacks of this type, which are growing in number as the months go by. The online cab service company Uber in September, and then the well-known international company Cisco in October, were targets of attacks using this technique, so it is necessary to know our virtual environment, whether in our online social life or at work, if we want to protect our data.
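A defender-side illustration of the first method described above, added here as an example and not part of the original article: it scans MFA push events for a burst of unapproved prompts and for an approval that lands right after one. The event format, the 10-minute window and the threshold of 5 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed number of unapproved pushes in a burst

# Constructed sample events: (ISO timestamp, user, push outcome)
SAMPLE_EVENTS = [
    ("2022-11-08T02:00:05", "alice", "denied"),
    ("2022-11-08T02:00:40", "alice", "timeout"),
    ("2022-11-08T02:01:10", "alice", "denied"),
    ("2022-11-08T02:01:55", "alice", "timeout"),
    ("2022-11-08T02:02:30", "alice", "denied"),
    ("2022-11-08T02:03:00", "alice", "timeout"),
    ("2022-11-08T02:03:20", "alice", "approved"),  # gives in after six prompts
    ("2022-11-08T09:00:00", "bob", "timeout"),     # ordinary missed prompt
    ("2022-11-08T09:00:30", "bob", "approved"),
]

def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (user, kind, timestamp, unapproved_count) tuples."""
    recent = defaultdict(deque)  # user -> times of unapproved pushes in window
    bursting = set()             # users whose current burst was already reported
    alerts = []
    for ts, user, outcome in sorted(events):
        now = datetime.fromisoformat(ts)
        q = recent[user]
        while q and now - q[0] > window:  # drop pushes older than the window
            q.popleft()
        if len(q) < threshold:
            bursting.discard(user)
        if outcome == "approved":
            # An approval right after a burst is the dangerous case: review it.
            if len(q) >= threshold:
                alerts.append((user, "approved_after_burst", ts, len(q)))
            q.clear()
            bursting.discard(user)
        else:  # "denied" or "timeout"
            q.append(now)
            if len(q) >= threshold and user not in bursting:
                alerts.append((user, "burst", ts, len(q)))
                bursting.add(user)
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An "approved_after_burst" alert is the one to act on first, for example by revoking the session and resetting the password, since the prompts only appear once the password is already known to someone else.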
