Skip to main content

Cybersecurity tips

April 29, 2022

Beware of this hacker technique misusing the Duo application

Technology & Innovation Cybersecurity Program Manager Albert Lee shares these tips about how to respond to a new hacker technique called "MFA prompt bombing."

Cybersecurity as illustrated by a digital shield with a lock icon

It's the middle of the night and you groggily awaken to the familiar digital tone of a prompt from multi-factor authentication app, Duo. “Strange,” you think. “I wasn't logging into anything.” You're exhausted, so you ignore it and go back to sleep, only to be disturbed again by incessant prompts. Eventually, you just hit “Yes” to make it stop. And the prompts do stop, so you go back to sleep. In the morning, you find out your email account has been compromised and your files have been deleted.

This hacker technique is called multi-factor authentication (MFA) prompt bombing. It's designed to overwhelm a target with prompts in hopes that the target, either intentionally or accidentally, approves the authentication attempt. This technique was successfully used in the major technology supply-chain attack at Solarwinds as well as in a security breach at Microsoft just last month that resulted in a compromise of software source code.

The technique is effective because it targets the human response rather than the technology itself. At the University of Virginia, we've reduced the risk of this form of attack by temporarily blocking Duo prompts after 10 consecutive prompts have been ignored or denied. But the most effective protection is your awareness that if multiple MFA prompts are coming in, you're likely being targeted.

What to do if you are targeted: MFA prompts come after a correct password has been entered, so if you are receiving multiple Duo prompts and you are not the source of them, 1) ignore the prompts, and 2) contact UVA ITS Help Desk at 434-924-4357 (be suspicious of incoming calls claiming to be authorities) and let them know an unknown person is pushing Duo prompts to your phone and that your password may be compromised. They'll investigate the source of the prompts and walk you through resetting your password if necessary.

About the author

Albert Lee
Cybersecurity Program Manager
Systems Administrator
Technology & Innovation
(434) 982-5471