As we discussed last month, while MFA is a great layer of protection it is not foolproof, something which Uber discovered recently, much to its dismay.
As ever in fraud and ‘cons’, sometimes the simplest methods are the most effective. While there has been a rise in advanced Phishing-as-a-Service (PhaaS) offerings that aim to capture session IDs via a “man-in-the-middle” attack, a technique being used to great effect by criminals is a blunt tool called “MFA Fatigue”.
Simply put, attackers obtain a set of valid credentials, either by stealing them, buying them or via a standard phishing technique. Once they have them, they repeatedly trigger requests to approve a login, over and over, until the user simply ‘gives in’ and approves one just to shut their device up (presumably assuming either that something has gone wrong, or simply not caring).
“But wait!” – I hear you say – “Surely simply blocking multiple failed login attempts would solve this?”
Unfortunately this is where having a botnet at your disposal comes in handy. Failed-login blockers typically block requests from a specific IP address rather than locking the account (otherwise attackers could deliberately lock you out of your own account by firing failed requests at it). Criminals can therefore send their requests from many different locations to avoid being blocked or having the account locked.
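Because per-IP throttling is blind to a flood spread across a botnet, the signal a defender wants is per account: how many MFA push prompts one user received in a short window, from how many distinct source addresses, and whether an approval followed the flood. The following is an added example (not code from the original post, and not tied to any real identity provider's log format): it parses constructed sample log lines in a hypothetical "timestamp user event source_ip result" layout and flags exactly that pattern, while a per-IP count of the same lines stays below the threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not a real product's logs).
# Five push prompts reach "alice" within two minutes from five different addresses,
# and the last one is approved; "bob" receives a single, normal prompt.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z alice mfa_push_sent 203.0.113.10 pending
2022-09-15T22:01:04Z alice mfa_push_result 203.0.113.10 denied
2022-09-15T22:01:20Z alice mfa_push_sent 198.51.100.7 pending
2022-09-15T22:01:21Z alice mfa_push_result 198.51.100.7 denied
2022-09-15T22:01:45Z alice mfa_push_sent 192.0.2.55 pending
2022-09-15T22:01:46Z alice mfa_push_result 192.0.2.55 timeout
2022-09-15T22:02:10Z alice mfa_push_sent 203.0.113.99 pending
2022-09-15T22:02:11Z alice mfa_push_result 203.0.113.99 denied
2022-09-15T22:02:40Z alice mfa_push_sent 198.51.100.200 pending
2022-09-15T22:02:58Z alice mfa_push_result 198.51.100.200 approved
2022-09-15T22:03:00Z bob mfa_push_sent 203.0.113.10 pending
2022-09-15T22:03:05Z bob mfa_push_result 203.0.113.10 approved
"""


def parse_line(line):
    """Split one log line into a dict with a parsed UTC timestamp."""
    ts, user, event, ip, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "event": event,
        "ip": ip,
        "result": result,
    }


def detect_push_floods(log_text, window=timedelta(minutes=5), threshold=4):
    """Return one alert per user who received >= threshold push prompts inside
    a sliding window, recording the distinct source IPs and whether an approval
    arrived while the flood was still within the window."""
    recent = defaultdict(deque)  # user -> deque of (ts, ip) prompts in window
    alerts = {}                  # user -> alert dict, created on first crossing
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event"] == "mfa_push_sent":
            q = recent[ev["user"]]
            q.append((ev["ts"], ev["ip"]))
            # Drop prompts that have aged out of the window.
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(ev["user"], {
                    "user": ev["user"],
                    "first_seen": q[0][0],
                    "prompts": 0,
                    "source_ips": set(),
                    "approved_after_flood": False,
                })
                alert["last_seen"] = ev["ts"]
                alert["prompts"] = max(alert["prompts"], len(q))
                alert["source_ips"].update(ip for _, ip in q)
        elif ev["event"] == "mfa_push_result" and ev["result"] == "approved":
            # An approval shortly after a flood is the high-priority case:
            # the user may have "given in" to an attacker's prompt.
            alert = alerts.get(ev["user"])
            if alert and ev["ts"] - alert["last_seen"] <= window:
                alert["approved_after_flood"] = True
    return list(alerts.values())


def max_prompts_per_ip(log_text):
    """The per-IP view a failed-login blocker would have: the largest number
    of push prompts sent from any single source address."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            if ev["event"] == "mfa_push_sent":
                counts[ev["ip"]] += 1
    return max(counts.values(), default=0)


if __name__ == "__main__":
    for alert in detect_push_floods(SAMPLE_LOG):
        print(f"{alert['user']}: {alert['prompts']} prompts from "
              f"{len(alert['source_ips'])} IPs between {alert['first_seen']} "
              f"and {alert['last_seen']}; approved after flood: "
              f"{alert['approved_after_flood']}")
    print("busiest single source IP sent", max_prompts_per_ip(SAMPLE_LOG), "prompts")
```

On the sample data the per-user rule fires for alice (five prompts, five distinct addresses, followed by an approval), while the busiest single IP only ever sent two prompts, well under a threshold any IP-based blocker would use. The thresholds are assumptions to tune against your own baseline of legitimate retries; the point is that the counting key has to be the account, not the address.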
In the case of Uber, it seems there were multiple failures in process. A former contractor to the company still had an active user account on their systems, with an active MFA setup for it. When attackers began spamming his device with MFA approval requests, the contractor eventually capitulated and approved one of them, providing the attackers with the foothold they needed.
At this point, the attackers moved laterally through the network and elevated their privileges.