Cybersecurity

Push notification attacks are up (but so is MFA adoption)

The good news about recent MFA attacks? People are using MFA.
Aleksandr Zubkov/Getty Images

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Malicious hackers have been so pushy lately.

Recent reports from Cisco and its acquired unit Duo Security revealed an exhausting amount of push-based attacks, tactics that aim to tire out a targeted user with relentless prompts for access approval.

There’s a silver-ish lining hidden somewhere in the 15,000 prompt-bombing attempts that Cisco spotted between 2023 and 2024: There are a lot of multi-factor authentication (MFA) attack attempts, which means many orgs are implementing MFA.

“It’s more of a statement about how well organizations are deploying MFA because now adversaries realize they have to attack MFA,” said Nick Biasini, head of outreach at Cisco Talos, the company’s research unit, also noting that push notifications and various multi-factor bypasses have become top security concerns.

  • According to Cisco’s first-quarter observations, published April 25, “nearly half” of the company’s Q1 engagements involved MFA weaknesses.
  • A top weakness: users accept unauthorized push notifications within 25% of engagements.
  • Between June 2023 and May 2024, Cisco Duo’s AI and Security Research team found 15,000 push-based attacks in its data sets, according to Cisco’s June 18 report.

How a push-based attack works. An attacker gains a user’s credentials and attempts logins, hoping that the targeted person just selects some version of “Approve” when prompted with a smartphone notification.

Microsoft, according to its Digital Defense Report, saw approximately “6,000 MFA fatigue attempts per day” between June 2022 and July 2023. Cisco’s June report found that a majority who accepted fraudulent pushes were sent between one and five requests, many times timed with workday hours, “while a very small number were ‘bombarded’ with 20-50 requests.”
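An added detection sketch, not from the article or from Cisco, Duo or Microsoft: it scans push events for an approval that follows rejected prompts, and for high-volume prompt bursts. The event schema, thresholds and the function name `find_push_fatigue` are assumptions made for illustration, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical schema (not a vendor log format):
# (ISO timestamp, user, push result)
SAMPLE_EVENTS = [
    ("2024-05-06T09:01:10", "alice", "denied"),
    ("2024-05-06T09:02:05", "alice", "timeout"),
    ("2024-05-06T09:03:40", "alice", "approved"),  # approval after 2 rejected prompts
    ("2024-05-06T09:15:00", "bob", "approved"),    # ordinary single-prompt login
    ("2024-05-06T13:00:00", "carol", "denied"),
    ("2024-05-06T14:30:00", "carol", "approved"),  # earlier denial is outside the window
] + [("2024-05-06T10:00:%02d" % s, "dave", "timeout") for s in range(0, 60, 3)]


def find_push_fatigue(events, window=timedelta(minutes=10), min_rejected=1, burst=20):
    """Return sorted (user, timestamp, reason, rejected_count) findings.

    approved_after_rejections: an approval preceded by at least min_rejected
    denied or timed-out prompts inside the window. The default is low because
    most fraudulent approvals followed only one to five requests.
    prompt_burst: at least `burst` rejected prompts inside the window.
    """
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))

    findings = []
    for user, rows in by_user.items():
        rows.sort()
        recent = []            # rejected prompts still inside the window
        burst_reported = False
        for ts, result in rows:
            recent = [t for t in recent if ts - t <= window]
            if result == "approved":
                if len(recent) >= min_rejected:
                    findings.append((user, ts.isoformat(),
                                     "approved_after_rejections", len(recent)))
                recent, burst_reported = [], False
            else:
                recent.append(ts)
                if len(recent) >= burst and not burst_reported:
                    findings.append((user, ts.isoformat(), "prompt_burst", len(recent)))
                    burst_reported = True
    return sorted(findings)
```

An approval that follows rejected prompts is the higher-priority finding, since it may mean a session was granted; a burst with no approval still indicates that the account's password is known to someone else.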

Yet a multitude of organizations deploy multi-factor. A report from Duo Security, released in February 2024, revealed that Duo-specific MFA authentications rose by 41% in the past year. An October 2023 Workforce Authentication Report, published by the FIDO Alliance and LastPass, found that 43% of the 1,005 global IT decision makers use MFA.

IT Brew reported other MFA bypasses in April 2024, including SIM swaps and session-cookie theft. Cisco also noted how social-engineering attempts have successfully led malicious hackers around MFA and recommended a set of supplemental security practices, including number-matching prompts and employee education of bypass possibilities.

Jeff Johnson, director of IT security at DigiKey, has guided company efforts to add multi-factor authentication to internal systems and any behavior requiring high privileges.

For crafty social engineering attempts that involve tactics like tricking the help desk, Johnson recommends additional multi-factor prompts, like an emailed code, even when someone over the phone insists that they need an authentication reset. That way, according to the IT director, an attacker has to compromise a target on multiple fronts.

“Hopefully they go find someone easier,” Johnson said.
