University Community

Protect access to your account by recognizing MFA fatigue attacks, fake login screens

In order to help avoid cyberattacks, Ohio University students, faculty and staff are encouraged to learn how to recognize Multi-Factor Authentication (MFA) fatigue attacks and fake login screens.

MFA fatigue attacks

When you attempt to log into an application with your Ohio University account, you are often asked to verify your login with Multi-Factor Authentication (MFA). At OHIO, we use Azure MFA.

What is an MFA fatigue attack?

MFA fatigue attacks, sometimes referred to as MFA spamming or bombing, are a type of social engineering cyberattack. In these attacks, bad actors repeatedly send MFA requests to your device. These requests can appear legitimate, as they mimic the standard process of MFA, but their frequency and timing are unusual and relentless. The goal is to wear down the user into approving an authentication request, granting the attacker access to the user’s account.

How it works

For a bad actor to carry out an MFA fatigue attack, they first need a victim’s primary credentials. In this case, this means your OHIO email address and password. Attackers may obtain this through various means, including phishing and purchasing stolen credentials from the dark web.

The bad actor first uses your email and password to log in to an OHIO service, then begins to send MFA requests. They hope that due to the sheer number of requests, you will eventually confirm one out of fatigue or mistake, allowing the attacker the ability to log into your account.

What to do if attacked

If you believe you are a victim of an MFA fatigue attack, this means that a bad actor has access to your password. To stop the flood of MFA notifications, you need to update your login credentials. This can be done at https://account.ohio.edu/myid/. When in doubt, contact the Information Security Office at security@ohio.edu or 740-566-7233.

Importance of MFA

Many find Multi-Factor Authentication to be an annoyance. However, as we can see in the case of MFA fatigue attacks, a bad actor already has access to your password. Without MFA, the barrier for access to your personal details and data is greatly reduced, and your account would have been compromised.

Fake login pages

Overview

Another tactic employed by bad actors is creating fake login pages meant to mimic legitimate login pages. Instead of letting you log into your account, the fake page harvests your email and password.

How to recognize fake pages

OHIO's knowledge base provides a more detailed look into recognizing these malicious pages. Key indicators include:

  • Unusual URLs
  • Poor design or misspellings
    • Verified login pages for OHIO will include the OHIO woodcut design the login box, feature a picture of OHIO as the background and provide supportive help text in the login box directing to OHIO resources
  • Unexpected prompts for personal information

By staying vigilant and informed, you can protect your account from these types of attacks.

For more information, please see this Office of Information Technology webpage.

Published
October 4, 2024
Author
Staff reports