Best Defenses Against Push-Bombing Attacks

Cloud account takeover is one of the growing major threats to organizations of all types. Just think about how much of your company’s workload requires logging into apps with a username and password. Employees end up having to log into many different systems or cloud apps, which opens the door to ‘push-phishing’ or even worse, ‘push-bombing.’

Cybercriminals desperately want to get their hands on those login credentials and employ a number of methods to get them. Gaining access to business data as a user is a very productive inroad for these criminals, allowing them to launch sophisticated attacks and send insider phishing emails.

This problem is bad and getting worse. Between 2019 and 2021, account takeover (ATO) rose by 307%. That was a severe high-water mark, and one might think that it was just a blip, but according to SpyCloud, ATO attacks rose by a further 354% in the last year. These types of figures occur when any new method of cyber-attack is put into practice, but this form of attack is old and still picking up speed. Statistics like these are what keep your IT Support people up at night.

Let’s take it for granted that you already have strong, state-of-the-art Cybersecurity measures in place (although most businesses do NOT). What do you need to do beyond that? MFA (Multi-Factor Authentication) is a solid first step.

What does multi-factor authentication prevent?

For starters, its main purpose is to prevent credential theft. It's a way to stop attackers who have gained access to users’ usernames and passwords. One of the most common MFA practices sends a code to your smartphone, and it’s highly doubtful hackers will also have access to your phone. Enter that code and you’re in. It is very effective at protecting cloud accounts and has been for many years.

Multi-Factor Authentication (MFA) is growing faster than ever, but every time something throws a stick in hackers’ spokes, they look for (and usually find) a ‘workaround’. Enter ‘Push-Bombing.’

How a Push-Bombing Attack Works

MFA becomes an automated procedure when the company admin or IT Support enables it on an account. The user requesting access enters their login credentials and receives a code or an authorization prompt of some type – usually in a text sent to the user’s phone. The user enters the code, and the system checks the entered code to complete the login.

The MFA code or approval request will generally come through some type of ‘push’ message, so named because the message or notification is ‘pushed’ to the user even if they are not yet active on the app. Users can receive it several ways:

  • SMS/text
  • A device popup
  • An app notification

It is a normal part of a multi-factor authentication login to receive that notification, and once they have been initiated into MFA, the user would know how this works – and tends to think nothing of it.

The push-bombing attack starts with the user’s stolen credentials, which the hackers may have obtained through phishing or from a large data breach password dump. The hackers then attempt to log in many times, which sends the legitimate user a bunch of push notifications, one after the other.

There’s nothing unreasonable about questioning all those additional, unexpected codes. While this should immediately raise a red flag, the hacker hopes the user will get frustrated and mistakenly click to approve access. This mistake happens enough to warrant cyber crooks using the Push Bombing tactic over and over.

Push-bombing is a form of social engineering attack designed to:

  • Confuse the user
  • Wear the user down
  • Trick the user into approving the MFA request to give the hacker access
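
The burst of prompts described above is visible in MFA logs, which gives IT support a way to spot it. The following is an added example, not part of the original article: it assumes a simplified log with one push prompt per line (timestamp, user, result), and the log format, sample events and the threshold of five prompts in ten minutes are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "ISO-timestamp user result", one per push prompt.
SAMPLE_LOG = """\
2024-05-01T09:00:05 alice approved
2024-05-01T22:14:01 bob denied
2024-05-01T22:14:40 bob timeout
2024-05-01T22:15:10 bob denied
2024-05-01T22:15:55 bob timeout
2024-05-01T22:16:30 bob denied
2024-05-01T22:17:02 bob approved
2024-05-02T08:58:00 carol timeout
2024-05-02T08:58:45 carol approved
"""

def detect_push_bombing(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per user who received `threshold` or more push
    prompts inside `window`. An approval that lands inside such a burst is
    raised to critical, because it may be a fatigue approval."""
    recent = defaultdict(deque)   # user -> timestamps of prompts still in window
    alerts = {}                   # user -> alert dict
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, user, result = line.split()
        ts = datetime.fromisoformat(ts_raw)
        prompts = recent[user]
        prompts.append(ts)
        # Drop prompts that have aged out of the sliding window.
        while prompts and ts - prompts[0] > window:
            prompts.popleft()
        if len(prompts) >= threshold:
            alert = alerts.setdefault(
                user, {"user": user, "severity": "warning", "prompts": 0})
            alert["prompts"] = max(alert["prompts"], len(prompts))
            if result == "approved":
                alert["severity"] = "critical"
                alert["approved_at"] = ts_raw
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

A critical alert is the case to act on first: the session that was approved at the end of the burst should be revoked and the user’s password reset.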

How to Defend Against Push-Bombing

Employee Training

Here at ITFIRM.COM, we harp on this over and over and over – and for good reason. Human error is at the root of 90-plus percent of successful cyber-attacks. When a user experiences a push-bombing attack it can be disruptive and confusing, but educating employees beforehand makes them better prepared to defend themselves.

Your ongoing Security Awareness Training should cover what a push-bombing attack is, how it works, what it’s going to look like when it happens, and what to do about it. Provide them with training on what to do if they receive a slew of MFA notifications they didn’t request.

Establish a specific Incident Response Plan (IRP) for your staff to report these attacks. This enables your IT support team to spread the word to other users and take any necessary additional steps to secure everyone’s login credentials.

Pare Down Business App ‘Sprawl’

On average, employees use 36 different cloud-based services per day according to CloudZero. That’s a lot of logins to keep up with, so exasperated workers will often try to get through the login and MFA quickly. The more logins someone has to use, the greater the risk of a stolen password and the greater possibility of push-bombing.

Perform an audit of how many applications your company uses and find ways to reduce app ‘sprawl’ by consolidating them and getting rid of apps that do the same thing. Platforms like Microsoft 365 and Google Workspace offer many tools behind one login. Streamlining your cloud environment improves security and productivity.

Initiate Phishing-Resistant MFA Solutions

It’s possible to thwart push-bombing attacks altogether by moving to a different form of MFA. Phishing-resistant MFA uses a device passkey or physical security key for authentication, either of which is easy for your internal IT services department or outsourced Managed Services Provider (MSP) to set up.

This takes push-notification out of the picture. This solution is a bit more complex to set up, but it’s also more secure than text or app-based MFA.

Adopt and Enforce Strong Password Policies

Do NOT let your employees get away with using ridiculous, easy-to-crack passwords like ‘123456!’ Enforcing strong password policies reduces the chance that a password will get breached, because hackers absolutely need to have the user’s login to send multiple push-notifications.

Strong password policies include:

  • Using at least one upper and one lower-case letter
  • Using a combination of letters, numbers, and symbols
  • Not using personal information to create a password
  • Storing passwords securely with a Password Manager
  • Not reusing passwords across several accounts

Adopt Identity Management Solutions

Establishing Identity Management solutions can also help you prevent push-bombing attacks. In a nutshell, they typically combine all logins through a single sign-on solution. Users then have just one login and MFA prompt to manage, rather than an unwieldy number.

You can also use identity management solutions to install contextual login policies, which enable a higher level of security by adding access enforcement flexibility. For example, the system could automatically block login attempts outside of a desired geographic area. It could also block logins during certain times (when users usually are NOT logging in) or when other contextual factors aren’t met.
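
A contextual login policy of the kind described above can be expressed as a small rule check that runs before any MFA prompt is issued. This is an added example, not from the original article and not any vendor’s API: the class names, fields, policy values and sample attempts are hypothetical, and it assumes the attempt’s country and local time have already been resolved.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class LoginPolicy:
    """Hypothetical contextual policy; field names are illustrative."""
    allowed_countries: frozenset
    allowed_days: frozenset        # 0 = Monday ... 6 = Sunday
    start: time
    end: time

@dataclass(frozen=True)
class LoginAttempt:
    user: str
    country: str                   # country code from IP geolocation
    when: datetime                 # already converted to the user's local time

def evaluate(policy, attempt):
    """Return (decision, reasons). Any failed contextual check blocks the
    attempt, so in this design no push prompt reaches the user."""
    reasons = []
    if attempt.country not in policy.allowed_countries:
        reasons.append("outside allowed geographic area")
    if attempt.when.weekday() not in policy.allowed_days:
        reasons.append("outside allowed days")
    elif not (policy.start <= attempt.when.time() <= policy.end):
        reasons.append("outside allowed hours")
    return ("block" if reasons else "allow", reasons)

# Constructed policy: US only, Monday to Friday, 07:00 to 19:00.
OFFICE_POLICY = LoginPolicy(frozenset({"US"}), frozenset(range(5)),
                            time(7, 0), time(19, 0))

# Constructed attempts.
ATTEMPTS = [
    LoginAttempt("bob", "US", datetime(2024, 5, 1, 9, 30)),   # Wednesday morning
    LoginAttempt("bob", "US", datetime(2024, 5, 4, 22, 0)),   # Saturday night
    LoginAttempt("bob", "BR", datetime(2024, 5, 1, 23, 45)),  # other country, late
]

if __name__ == "__main__":
    for a in ATTEMPTS:
        print(a.user, a.country, a.when.isoformat(), evaluate(OFFICE_POLICY, a))
```

Because blocked attempts never generate a prompt, an attacker replaying stolen credentials from outside the policy cannot start a push-bombing run at all.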

Frequently Asked Questions

What is push phishing?

It is effectively a smaller scale version of push-bombing: it sends a phony notification only once, whereas bombing sends them many times.

Do I really need a password manager?

Need? Maybe not, but it certainly makes logins ‘easy-peasy,’ especially if you’re juggling dozens of passwords. On your main work device, once you plug the login credentials in, then when you go back to that app or website, the password manager will open a small window asking if you want it to provide the credentials. Just click once and you’re in!

When should security awareness training be provided to new employees?

Very soon after their start date. New hires should complete security awareness training within the first 10 days of employment. Once they have access to the network apps, they are either a danger or a defender. Training should be repeated every 3 to 4 months for all employees.

What are the three A's of identity and access management?

Identity and Access Management (IAM) is made up of these core elements:

Authentication - simply ensures that the user logging in is who they say they are.

Authorization - simply determines that the user trying to log in is authentic, then authorizes and grants their access.

Analytics - specifically concerning user behavior: If Bob only logs in between 8am and 5pm Monday through Friday, him logging in at 10pm Saturday bears looking into.

How secure is your network?

As a longstanding, reputable member of the Charlotte IT Support community, ITFIRM.COM offers a FREE, no-risk network and Cybersecurity assessment. We perform a non-intrusive scan that allows us to deliver a comprehensive report of the state of your system and its vulnerabilities that is yours to keep. There are no strings attached, and you are under no obligation to ever use our Managed IT Services.

The two best defenses are next-generation Cybersecurity to protect your data from theft, and a top-notch Managed Services Provider to ensure continued reliability and defenses against newly emerging threats.

We put our 100% Money Back Guarantee in writing, so there is no risk in trying us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.
