MFA Prompt Bombing

MFA

12 July 2022

MFA seemingly simple but effective cyber-attack technique is on the rise- MFA prompt bombing. This article will inform you on what it is so that we you identify it and know what to do.

MFA Prompt Bombing

If you have completed the LSE Cyber Security Awareness course on Moodle (gentle reminder to do so if you have not!) then you may remember learning that Multi-factor Authentication (MFA) is not a fool-proof silver bullet, and attackers can still compromise accounts even when it is implemented.

One such way is through MFA prompt bombing. MFA prompt bombing is an attack vector which exploits human error. These kinds of attacks highlight that, technological solutions like MFA are not enough on their own - they must be combined with vigilance from ourselves as end users.  

What is it and how does it work?

MFA prompt bombing Is a method of gaining access to accounts, relying on human error to trick a user into accepting a malicious MFA authentication request. One approach is to spam users with continuous requests in the hopes that they will accept one to stop the constant pop-ups.

Another way of doing so is by spreading the requests out and sending them at random intervals so that the attempts are less obvious, with the hope that the user may accept one when not paying attention. In some cases, attackers may even call users, pretending to be from LSE and saying that the MFA prompts have been generated by the university itself. All these methods can be applied late at night or on weekends with the hopes that users prefer not to be contacted and therefore might be less vigilant, or frustrated and keen to stop any interruptions to their out-of-work activities.

So, how can we avoid falling victim to this?

As with other social engineering techniques, the best way to avoid falling victim to MFA prompt bombing is to be alert and aware. Only accept MFA requests that you are certain come from your own login attempts. If you are unsure, reach out to DTS at phishing@lse.ac.uk and we can provide guidance. As with cyber safety in general, we should always remain vigilant to keep LSE secure.