Push-bombing: The newest hacking method to rely on human error.

Cybersecurity is a game of cat and mouse that plays out in a continuous loop. As soon as hackers discover a new way to penetrate an organization, cybersecurity experts quickly close the hole. The same thing happens in reverse. As security technology advances, hackers invent clever new ways to bypass these obstacles. Push-bombing is just the latest move in that game. 

Through the years, networks have become increasingly secure through a variety of technological means. Back doors into systems are not quite as common as they once were. As a result, hackers now frequently turn to the front door by going after login credentials. They do not need to break through the window if they can find the key to simply open the front door. 

To open the door, hackers use various methods (like phishing) to obtain login credentials. The goal is to gain access to business data as a valid user to be able to glean information to launch further attacks or steal directly. This problem has become quite severe. Between 2019 and 2021, account takeover (ATO) rose by 307%. 

To combat this problem, many organizations and individuals have turned to multi-factor authentication (MFA), which stops attackers that have gained access to usernames and passwords. MFA is very effective at protecting cloud accounts and has been for many years. 

However, once again, determined hackers have invented a new way to try to bypass this security tool—push-bombing. Like phishing and business email compromise, this hacking tool relies on human error and inattention instead of technological wizardry. 

How Does Push-Bombing Work?

To sign onto an MFA-enable account, a user enters their username and password and then typically receive a code or authorization prompt of some type. The MFA code or approval request will usually come through some type of “push” message through one of the following: 

• SMS/text 
• Email 
• A device popup 
• A dedicated MFA app notification 

That notification is a normal part of the MFA login. 

Push-bombing begins once a hacker has already stolen a user’s credentials, which may have been obtained through phishing or from a large data breach password dump. 

Taking advantage of the push notification process, hackers attempt to log in many times, sending the legitimate user several push notifications one after another. 

Many people question the receipt of an unexpected code that they didn’t request, but when someone is bombarded with these, it can be easy to mistakenly click “approve.” Push-bombing is a form of social engineering attack designed to: 

• Confuse the user 
• Wear the user down 
• Trick the user into approving the MFA request to give the hacker access 

How to Combat Push-Bombing at Your Organization

1. Educate Employees

Since push-bombing is a relatively new type of hacking method, when a user experiences an attack, they may be confused and unprepared. With a little education beforehand, they will be better prepared to defend themselves. 

Educate your employees. Explain what push-bombing is and how it works. Provide them with training on what to do if they receive MFA notifications that they did not request. 

You should also give your staff a way to report these attacks. Your IT security team can alert other users and take steps to secure everyone’s login credentials. 

2. Reduce Business App “Sprawl"

On average, an employee uses an alarming 36 different cloud-based services per day. The more logins someone has to use, the greater the risk of a stolen password. 

Take a look at how many applications your company uses and look for ways to reduce app “sprawl” by consolidating tools. Platforms like Microsoft 365 and Google Workspace offer many tools behind one login. Streamlining your cloud environment improves security and productivity. 

3. Adopt Phishing-Resistant MFA Solutions

You can thwart push-bombing attacks altogether by moving to a more advanced form of MFA. Phishing-resistant MFA uses a device passkey or physical security key for authentication with no push notification to approve. This solution is more complex to set up, but is more secure than text or app-based MFA. 

4. Enforce Strong Password Policies

For hackers to send several push-notifications, they must first have the user’s login. Strong, enforced password policies reduces the chance that a password will get breached. You can read more about password security in this post, but to get started: 

• Use at least one upper and one lower-case letter 
• Use a combination of letters, numbers, and symbols 
• Do not use personal information to create a password 
• Store passwords securely 
• Do not reuse passwords across several accounts 

5. Implement an Advanced Identity Management Solution

Advanced identity management solutions combine all logins through a single sign-on solution. Users, have just one login and MFA prompt to manage, rather than several. 

Additionally, businesses can use identity management solutions to implement contextual login polici which enable a higher level of security. Using these settings, a system could automatically block login attempts outside of a designated geographic area, block logins during certain times, or prevent access when other contextual factors are not met.