Word Notes 9.20.22
Ep 117 | 9.20.22

MFA prompt bombing (noun)

Transcript

Rick Howard: The word is: MFA prompt bombing.

Rick Howard: Spelled: M for multi, F for factor, A for authentication, prompt, as in a multifactor authentication notification, and bombing, as in sending repeated MFA prompts to a user's device.

Rick Howard: Hackers bypass multifactor authentication schemes by sending a blizzard of spamming login attempts until the account's owner accepts the MFA prompt out of desperation to make the spamming stop.

Rick Howard: Example sentence: In the middle of the night, the victim, after receiving hundreds of MFA prompts on his phone, validated access to his account and went back to bed. 

Rick Howard: Origin and context: This hacking technique takes advantage of the fact that we all hate to be annoyed and inconvenienced.

Rick Howard: After an attacker steals a victim's username and password, they repeatedly attempt to log in as the victim, which sends a multifactor authentication request to the victim's second factor, usually his mobile device. Users who aren't paying attention get frustrated with the volume of authentication requests and, just to make it go away, they approve it.

Rick Howard: They might assume it's just an error or maybe an IT employee at their company trying to log into their account. Regardless, they can't be bothered and accept the request. Dan Goodin at Ars Technica quotes a member of the Lapsus$ cybercrime group as saying, quote, "No limit is placed on the amount of calls that can be made. Call the employee 100 times at 1:00 AM while he's trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device," end quote. Nation-state actors have also been observed using this technique. Researchers at Mandiant note that the Russian threat actor APT29, also known as Cozy Bear, has successfully used MFA prompt bombing in its own campaigns.

Rick Howard: Nerd reference: The 1992 movie Sneakers, one of the all-time great hacker movies, has the perfect scene that demonstrates real-life MFA prompt bombing. By the way, the movie was written by the guys who wrote another all-time great hacker movie, WarGames: Lawrence Lasker and Walter Parkes.

Rick Howard: In this scene, Robert Redford, probably best known to this audience for Avengers: Endgame and Captain America: The Winter Soldier, and River Phoenix, probably best known for Indiana Jones and the Last Crusade, where he played the young Indiana Jones, are trying to get past a security guard and an electronic lock, two factors. The scene opens with River Phoenix dressed as a delivery man, standing in front of the security guard with a stack of Drano boxes, claiming that he has a work order to deliver them to the top floor. The security guard doesn't have him on the access list and is having none of it. The two get into a heated argument. That's when Redford walks up to the counter with some lean story about his wife delivering the birthday cake and the balloons.

Hotel Clerk: Listen, I'm sorry, they didn't have anything on record. 

Carl Arbogast: Hold on a second. I got the invoice. 

Robert Redford: Did my wife drop the cake off for me? I want cake. There's no cake back there for me. There's a party from Marge on the second floor. She was supposed to drop a cake off. 

Hotel Clerk: I, uh... don't...

Robert Redford: Uh, there she is, late as usual.

Carl Arbogast: Okay. Well, it states where I here very clearly that I am to deliver 36 boxes of liquid Drano to this here address.

Hotel Clerk: I don't care what that says. You're not on the list, you can't get in. I do have a problem with you, you can't get in.

Carl Arbogast: I might lose my job. 

Hotel Clerk: That's not my problem, m'kay? Now beat it, alright?

Rick Howard: That's when Redford walks past the guard up to the electronic door, which is locked, carrying a bundle of helium balloons and a birthday cake box, and starts yelling at the guard to let 'em in.

Multiple speakers: [Incoherent yelling.]

Robert Redford: We're late for the party on the second floor.

Hotel Clerk: Excuse me. 

Robert Redford: Push the goddamn buzzer, will ya?

Rick Howard: And that's MFA prompt bombing in the real world.

Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.