
MFA Fatigue and its role in Uber’s breach

Let’s report on another new tactic on the security front — MFA Fatigue. What’s this? Wear down your target by continually triggering MFA push prompts until the user finally approves one. From Bleeping Computer:

An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials repeatedly, causing an endless stream of MFA push requests to be sent to the account owner’s mobile device.

The goal is to keep this up, day and night, to break down the target’s cybersecurity posture and inflict a sense of “fatigue” regarding these MFA prompts.

While we’re at it, it seems targeting the smartphone was part of that Uber hack — the phone as an entry point into the network. Text an Uber employee, claim to be IT, and get them to reveal a password. That is what the hacking group told the New York Times — although Uber’s version says it was a corporate password purchased on the dark web after a contractor’s device was infected by malware… And that contractor was then hit with multiple MFA requests, thus, MFA Fatigue.

Why do we care?

One can easily see how this works. Wear down the user until they finally say yes. Annoy them into submission. I’m hopeful the coming shift to passkeys may help — may.

I highlight this from an awareness perspective. Roll this detail into your education. Users can report this kind of overwhelming ask rather than be worn down by it.
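User reporting is one side of it; the other is catching the pattern in the identity provider’s logs. As an added example (not from the original post, from Bleeping Computer, or from any vendor), here is a small Python detector for the behaviour quoted above: many push prompts to one account in a short window, mostly denied or ignored, with a flag for the case where one was eventually approved. The log format, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log of MFA push prompts (format is assumed, not any real IdP's).
# Fields: timestamp, user, prompt result (approved / denied / timeout)
SAMPLE_LOG = """\
2022-09-15T02:00:05Z alice approved
2022-09-15T02:11:40Z bob timeout
2022-09-15T02:12:10Z bob denied
2022-09-15T02:12:55Z bob timeout
2022-09-15T02:13:30Z bob denied
2022-09-15T02:14:02Z bob timeout
2022-09-15T02:14:50Z bob approved
2022-09-15T09:30:00Z carol denied
2022-09-15T17:45:00Z carol timeout
"""

def parse_log(text):
    """Yield (timestamp, user, result) tuples from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, user, result = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result

def find_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: info} for accounts that received >= threshold push prompts
    inside any sliding window. 'approved_in_window' marks the high-priority
    case: a burst of prompts that ended with the user giving in."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = {}
    for user, prompts in by_user.items():
        start = 0
        for end in range(len(prompts)):
            # advance the window start until all prompts in it lie within 'window'
            while prompts[end][0] - prompts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                info = alerts.setdefault(user, {"prompts": 0, "approved_in_window": False,
                                                "first": prompts[start][0]})
                info["prompts"] = max(info["prompts"], count)
                info["approved_in_window"] |= any(r == "approved" for _, r in prompts[start:end + 1])
                info["last"] = prompts[end][0]
    return alerts

if __name__ == "__main__":
    for user, info in find_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```

On the sample, only bob is flagged (six prompts in about three minutes, the last one approved); carol’s two prompts hours apart never share a window.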
