Fatigued looking woman in front of a computer

Welcome to high tech hacking in 2022: Annoying users until they say “yes”

Last week we learned that ride-sharing giant Uber’s defences had been unpicked by an attacker with a novel take on social engineering: Fatigue.

Fatigue attacks play on the often repetitive nature of certain security procedures and failsafes. Do you hate having to punch in a password on your login screen every time you open your laptop? Are you sick of firing up the password manager, or grabbing your phone to confirm a login, or to grab an MFA code?

If so, you may be vulnerable to the relentless chase of a fatigue attack. Said attack is currently making waves in the news, and is being cited as a “favourite attack” in high profile breaches. You may not have heard of fatigue attacks before, but they’ve been taking place for some time now. Shall we take a look?

The relentless drive of MFA fatigue

“MFA fatigue”, sometimes referred to as “MFA push spam”, aims to overcome a form of multi-factor authentication people use to keep their accounts safe. MFA asks users to perform an extra task when they log in, such typing in a one-time code from an app or responding to a push notification, as well as typing their username and password.

MFA is extremely effective at blunting all kinds of attacks, and criminals are adapting their tactics in response. Some phishing sites now capture MFA codes alongside usernames and passwords, and then use them immediately, before the MFA code expires. That doesn’t work against MFA that relies on push notifications though, but a bit of good old fashioned annoyance seemingly does.

The theory goes that if an attacker uses your username and password, and you get a push notification asking to approve the login attempt out of the blue, you’ll realise it wasn’t you logging in and deny the request. But what if you get ten requests, one after the other? Or 100 requests?

That’s right, the latest in anti-MFA tactics doesn’t rely on any sophisticated phishing pages or asking for files; just a relentless wave of authentication requests sent to potential victims.

The technique is reliant on the attacker already possessing login details. (Perhaps they were obtained from a data dump, or a hacking forum, or a straightforward phishing email.) Once the attacker has the details to hand, the second part of the plan unfolds. The attacker attempts to log in, repeatedly, and the victim is sent a relentless barrage of “Approve sign-in”, “Is this you?”, “Login action required” messages to their mobile device. If the prospect of dozens of push notifications asking you to confirm a login attempt sounds like no fun at all, something you’d rapidly grow tired of and want to make go away, that’s exactly what the attacker is banking on.

The game plan here is that the recipient hits the “Yes, it is me” button to make the messages stop. Maybe the victim will think the MFA system has glitched out, and this is the only way to “fix” it. In the Uber break in, the attacker removed any doubt in the victim’s mind by contacting them on WhatsApp, pretending to be from the IT team, and confirming that the only way to stop the notifications was to approve one.

Bad move: The scammer, logging in as the victim, perhaps hundreds or thousands of miles away, was given the green light to login.

It isn’t just Uber that’s fallen for this either. MFA fatigue has also been used in attacks against organisations like Microsoft and Cisco. If it can happen to heavy hitters, it can happen to anyone and organisations should draw up appropriate counter-strategies.

Avoiding burn out from rogue push notifications

There’s a lot of advice out there in relation to MFA fatigue attacks, but we’ve listed some of the best tips below:

  • The gold standard for MFA is a FIDO2 device, like a hardware key. It is resistant to phishing and push notification spam.
  • If you use push notifications, turn on number matching if it’s available. This ensures that a user is actually using the login screen when they approve a login request.
  • Use rate limiting to limit and lock out authentication if too many push requests come through. Attackers are likely to generate many more push requests than real users.
  • If you keep receiving push notifications it’s likely someone has your username and password. Inform your IT or security team and change your password.

MFA adoption levels have been traditionally rather low, and that’s despite organisations like Google trying everything to get people on board with additional security measures. The last thing we need right now is security fatigue giving people a reason not to adopt it.

Stay safe out there!

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.