Published: March 04, 2023 on our newsletter Security Fraud News & Alerts Newsletter.
Earlier this year, Reddit reported being the victim of a data breach that used a credential-theft technique now on the rise. The company found that “bombing fatigue” exploited an MFA (multi-factor authentication) weakness after a relentless, socially engineered email phishing campaign targeted employees. The fatigue it created in one staffer led to a successful attack. Here’s the scoop, in a nutshell, so you know what to look out for, not only when using Reddit, but any time you log in to a website.
Bombing for MFA
Many companies use 2FA (two-factor authentication), a type of MFA in which a one-time code is sent by email or text for the employee to enter during login. To no one’s surprise, cybercriminals are finding ways to exploit it; in Reddit’s case, by using MFA bombing, a type of fatigue attack.
The Reddit employee opened one of the emails and acted on it, hoping that would stop further bombing. Clicking a link in the message brought the staffer to a phishing web page set up by the attacker to steal login credentials and the MFA token. Once that was done, the hacker was able to enter Reddit’s systems.
Last year, Uber experienced a similar bombing incident at the hands of those linked to the notorious Lapsus$ hacking group. The criminal organization has adapted tools known to circumvent MFA into its attacks, this time involving a third-party Uber contractor. Ongoing login attempts prompted repeated requests for MFA approval. Again, bombing a user with requests until fatigue led them to comply resulted in a successful attack.
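The pattern described above, a burst of MFA prompts followed by a worn-down approval, is something an authentication log can reveal. As an added example (not code from the newsletter, Reddit or Uber), the detector below reads constructed authentication log lines and flags a user who receives too many MFA prompts within a short window, and separately the riskier case where an approval arrives during or after such a burst; the log format, field names, window and threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: timestamp then key=value fields).
SAMPLE_LOG = """\
2023-02-05T10:00:01Z user=alice event=mfa_prompt result=denied
2023-02-05T10:00:20Z user=alice event=mfa_prompt result=denied
2023-02-05T10:00:41Z user=alice event=mfa_prompt result=timeout
2023-02-05T10:01:05Z user=alice event=mfa_prompt result=timeout
2023-02-05T10:01:30Z user=alice event=mfa_prompt result=approved
2023-02-05T10:02:00Z user=bob event=mfa_prompt result=approved
2023-02-05T10:30:00Z user=bob event=mfa_prompt result=approved
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 4                   # assumed prompts-per-window before it is a burst


def parse_line(line):
    """Turn one log line into a dict with a parsed 'ts' datetime."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: verdict}. 'burst' means many prompts in the window with
    no approval yet; 'burst_then_approved' means the user approved after the
    burst, which is the case that needs an immediate response."""
    recent = defaultdict(deque)   # per-user timestamps inside the window
    verdicts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("event") != "mfa_prompt":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop prompts older than window
            q.popleft()
        if len(q) >= threshold:
            if ev["result"] == "approved":
                verdicts[ev["user"]] = "burst_then_approved"
            else:
                verdicts.setdefault(ev["user"], "burst")
    return verdicts


if __name__ == "__main__":
    print(detect_mfa_fatigue(SAMPLE_LOG))   # {'alice': 'burst_then_approved'}
```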
It Only Takes One
With increased use of identity verification tools like MFA, it’s no surprise there’s an increase in those wanting to exploit it. Hackers know continued bombing elicits the human responses of fatigue, annoyance, and impatience, for starters.
Since employees continue to be on the front line of defense against attacks, it’s important they know what bombing fatigue looks like. It’s also important they see it as the start of a potential cyberattack. Fatigue and impatience should never be the reason an attack goes forward, but hackers know they need only one employee to give in to temptation. So, be aware and have patience.