
Push-Bomb attacks are like MFA spam. What do you do?

A prevalent type of cloud account takeover attempt

Barrett Dilger

Overload of MFA messages

The popularity of cloud computing has grown tremendously. 60% of the world’s corporate data is processed in the cloud, and 90% of large enterprises utilize multi-cloud solutions. Even if your business works in the office with a physical server, chances are that at least some of the software utilized is still cloud-based in nature, such as Microsoft 365.

The brilliance of the cloud is you can access it anywhere as long as you have an internet connection. The drawback is that criminals can access it too. Obviously, they would need login credentials to do so, but that is why they’ve gotten so good at stealing those. That’s called an Account Takeover.

Account Takeovers have grown by triple-digit percentages in the last few years and continue to grow exponentially every year. It’s a massive problem, and it is why you hear about data breaches all the time.

Those breaches you hear about are large companies, which is why they make the news. Attacks happen on all levels, and smaller companies are targeted just as much, if not more than the big names. Why? Because they have less security in place to catch them.

One of the easiest and most effective ways to reduce your chance of a breach is by implementing Multi-Factor Authentication (MFA). If you haven’t done so already, do it now. Here’s the thing: nothing is bulletproof.

There are ways around MFA, and one of the tactics that is becoming more prevalent is known as Push-Bombing.

What is Push-Bombing?

When somebody logs into an account with MFA enabled, one of the most common ways their identity is verified is by sending an additional request that must be confirmed. This request might come in an email, a text message, an app notification, or a device popup. This “pushed” notification is a normal part of the process of logging in today. Most people are very familiar with this.

A push-bomb attack sends those push notifications over and over again. It’s like spam, but harder to ignore and more confusing.

Typically, these attacks begin with a criminal already having a user’s credentials. This can be gained from prior breaches of other companies.

Even if the criminal has the username and password, MFA prevents them from logging in. You’re safe.

That’s why the criminal attempts to log in multiple times, with each attempt prompting another push notification. One after the other the notifications roll in, creating a confusing scenario that is impossible to ignore and that lands in the middle of the user’s legitimate work and login prompts.

The goal is to confuse and wear down the user until they approve one of the criminal’s MFA requests. Once that happens, the criminal has full access and can do whatever they want.
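As an added illustration (not code from the original post), the script below scans a constructed MFA push log for the pattern described above: a run of denied or timed-out pushes for one user inside a short window, and an approval that follows such a run. The log format, field names and thresholds are assumptions made for this example.

```python
"""Flag push-bombing patterns in a constructed MFA push log.

Assumptions (not from the original post): each log line is
"<ISO timestamp> <user> <source_ip> <result>", where result is one of
APPROVED, DENIED or TIMEOUT. The thresholds below are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: normal logins for alice and carol, and a burst
# of unapproved pushes against bob that ends with an approval.
SAMPLE_LOG = """\
2024-05-01T09:00:10 alice 203.0.113.10 APPROVED
2024-05-01T09:02:00 bob 198.51.100.7 DENIED
2024-05-01T09:02:30 bob 198.51.100.7 TIMEOUT
2024-05-01T09:03:05 bob 198.51.100.7 DENIED
2024-05-01T09:03:40 bob 198.51.100.7 TIMEOUT
2024-05-01T09:04:15 bob 198.51.100.7 APPROVED
2024-05-01T14:30:00 carol 192.0.2.44 APPROVED
"""

BURST_THRESHOLD = 3            # unapproved pushes inside one window
WINDOW = timedelta(minutes=10)  # sliding window length

def parse_log(text):
    """Turn log text into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def find_push_bombs(events):
    """Return {user: {"burst": bool, "approved_after_burst": bool}}
    for every user whose pushes match the push-bombing pattern."""
    per_user = defaultdict(list)
    for ev in sorted(events):
        per_user[ev[1]].append(ev)
    findings = {}
    for user, evs in per_user.items():
        recent = []  # timestamps of unapproved pushes still inside WINDOW
        for ts, _user, _ip, result in evs:
            recent = [t for t in recent if ts - t <= WINDOW]
            if result != "APPROVED":
                recent.append(ts)
            if len(recent) >= BURST_THRESHOLD:
                f = findings.setdefault(user, {"burst": True, "approved_after_burst": False})
                if result == "APPROVED":
                    # an approval right after a burst is the attacker's goal
                    f["approved_after_burst"] = True
    return findings
```

An approval flagged as `approved_after_burst` is the event worth an immediate call to the user and a session review, not just an alert in a queue.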

How do you protect against push-bombing?

As with a lot of cybersecurity issues, it starts with education. Over 90% of breaches happen because of a user, so instead of thinking of your employees as the weakest link you should think of them as your front line. Train them to handle the attacks they will come across in the day-to-day trenches.

Let your team know what push-bombing is and how it works. Instruct them what to do if they receive any MFA notifications they didn’t expect – let alone in multitudes.

Create and enforce a password policy. Remember, most of these attacks start with a criminal knowing credentials from a prior breach. Any breach at a company should prompt you to have your team change their passwords. It is also the reason you should use a different password for every account. Make that a rule and stick to it.

Hot tip. If you use a password manager, you can manage your entire team’s passwords (which is nice when people get offboarded or are on vacation). It also generates complex passwords easily, stores them, and fills them for you so you never have to remember them – just one password to access them.

Next, you should reduce your app sprawl. The average number of accounts people have and access daily is staggering. It’s in the mid-30s. That means every employee needs to have that many logins. The more apps and logins in use, the more likely a password gets stolen.

Trim the fat. Reduce what applications you use if you can. Consolidate into suites of products if possible to reduce logins. See if you can implement Single Sign On (SSO) with any of them, so your team can access many applications with just one set of credentials.

A side benefit of streamlining this process is that your team will become more productive. More secure AND a boost to your productivity? Seems like an easy choice.

Lastly, implement conditional access policies. You can control logins based on conditions, such as whether the user is in the office. If you have a remote team you can restrict access in other ways, such as by device (company computer) or IP address (employee’s home network). You can also block certain access, such as logins from other countries (assuming your team doesn’t travel overseas). This is an entire topic in itself, but this tip of the iceberg should give you a sense of its power.

Do you need any help with these policies? We have educational training and are pros at setting up robust and secure solutions for our clients. If you have questions feel free to reach out for a consultation.