Prompt bombing – A simple attack with destructive consequences

written by Anthony Arrington 4/8/2022

Recently there have been a few headlines covering attacks referred to as “prompt bombing”. Even though prompt bombing has filled a few headlines, that doesn’t mean MFA users and security teams are aware of the Indicators of Compromise (IoCs) associated with this attack. This article is an overview of how the attack works and what can be done to protect yourself from it. But first, we need to understand what prompt bombing and MFA are and how they relate.

What is Prompt Bombing?

Prompt bombing is a low-complexity attack that has been around for a while. The goal of prompt bombing is to gain access to an account or service that leverages MFA by sending as many MFA approval requests as possible to a user at an inopportune time, in the hope that the user is distracted or irritated enough to unknowingly give the attacker access. An attacker might spam a user with requests in the early morning in the hope that the user will authorize a request just to go back to sleep without being interrupted by MFA requests at 2am. With a traditional numerical code that needs to be copied, a user cannot do anything about the request they are receiving aside from taking note and reporting it later. With push notifications, the user can hit no/deny/reject, but when the requests come 20 more times in the middle of the night, the temptation to accept in the hope that it stops increases. The ease and convenience of push notifications thus potentially becomes the attacker’s foothold into your company’s network.

MFA & Push Notifications

Multifactor Authentication (MFA) is a security technology that allows software to verify the integrity of a login request using a device that the user chooses. Common devices include mobile devices and hardware tokens. Most users will leverage email, SMS, an authenticator app, or a software token on a mobile device to become MFA compliant. There are also different methods of approving those requests, the most common being a numeric code sent to the user’s specified delivery method. Another frequently used method on a mobile device is known as a push notification. Push notifications are notifications sent to the user by an external server. Let’s talk about how MFA push notifications provide an effective attack surface for attackers.

Push notifications are important to prompt bombing because they are the MFA delivery method leveraged in this type of attack. Normally a user would receive a code via SMS, or log in to an authenticator app, and copy the code to the authentication portal/website; this is the traditional 2FA process. With the emergence of new MFA techniques, some MFA providers are now leveraging push notifications that allow users to simply “accept” or “deny” the login request on the user’s mobile device, removing the need to copy over a string of numbers or even open a separate app. This is very convenient, especially when a user needs to authenticate to something like an email account regularly. At the end of the day, it’s easier for the end user, who is now more likely to adopt the practice. This is where the risk lies, as discussed earlier. Convenience can lead to complacency, especially at 2am.

So How Do We Prevent This?

While the answer is simple (don’t approve the request), you should do more than simply reject it. MFA typically occurs after login credentials have been entered, so if an attacker is able to trigger an MFA request, they most likely already have the user’s credentials. If a user receives an unsolicited MFA request, that’s a huge red flag. Report it to your system administrator and immediately reset your password. If you are the administrator, now is the time to force password resets and start checking logs if you haven’t already been alerted to anything suspicious. While the attack and the remediation guidance are simple, it’s important to bring awareness to these simple attacks. Simple in concept, their effects can be devastating and long-lasting if not addressed properly and in a timely fashion.
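One way an administrator could start the log review described above, as an added example that is not from the original article: a sliding-window detector that flags a user who receives an unusual burst of push prompts and marks the worst case, an approval that arrives once the burst is already under way. The JSON-lines log format, field names, window size and threshold are all assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical JSON-lines format, not any vendor's):
# alice is pushed six times around 2am and finally approves; bob logs in normally.
SAMPLE_LOG = """
{"ts": "2022-04-08T02:01:10Z", "user": "alice", "event": "mfa_push", "result": "denied"}
{"ts": "2022-04-08T02:02:05Z", "user": "alice", "event": "mfa_push", "result": "denied"}
{"ts": "2022-04-08T02:03:30Z", "user": "alice", "event": "mfa_push", "result": "denied"}
{"ts": "2022-04-08T02:04:40Z", "user": "alice", "event": "mfa_push", "result": "timeout"}
{"ts": "2022-04-08T02:06:00Z", "user": "alice", "event": "mfa_push", "result": "denied"}
{"ts": "2022-04-08T02:07:15Z", "user": "alice", "event": "mfa_push", "result": "approved"}
{"ts": "2022-04-08T09:00:00Z", "user": "bob", "event": "mfa_push", "result": "approved"}
{"ts": "2022-04-08T13:30:00Z", "user": "bob", "event": "mfa_push", "result": "approved"}
"""

WINDOW = timedelta(minutes=10)   # look-back window per user (assumed value)
THRESHOLD = 5                    # push prompts within the window that count as a burst

def parse_events(text):
    """Parse JSON-lines log text into dicts with a datetime 'ts' field."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events

def detect_prompt_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: {"max_prompts": n, "approved_after_burst": bool}} for every
    user whose count of push prompts inside the window reaches the threshold."""
    alerts = {}
    recent = defaultdict(deque)  # user -> timestamps of prompts still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "mfa_push":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop prompts that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ev["user"], {"max_prompts": 0, "approved_after_burst": False})
            a["max_prompts"] = max(a["max_prompts"], len(q))
            if ev["result"] == "approved":   # user gave in mid-burst: treat as likely compromise
                a["approved_after_burst"] = True
    return alerts
```

Run against the sample, only alice is flagged, with six prompts in the window and an approval after the burst began; bob's two widely spaced prompts never reach the threshold.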