The MSP Minute ⏱ Wednesday 27 May 2026
For Managed Service Providers worldwide. Today... MFA prompt bombing... 800 servers used for cyber attacks are seized... and when The Boss vibe codes an app.
🔴 Attackers have stopped trying to steal your clients' MFA codes. They just wait for someone to approve a fake request instead
MFA was supposed to close the door on account takeovers, right? But it hasn’t… because attackers stopped trying to steal the second factor and started exploiting the human approving it instead.
This technique is called MFA prompt bombing. An attacker gets hold of valid credentials, easily sourced from breached password dumps, then repeatedly triggers push notification requests to the victim’s phone.
Dozens of them, sometimes hundreds. The goal is simple: wear the person down until they approve one just to make it stop. And it works. Regularly. (Source: The Hacker News)
The more sophisticated version pairs the bombing with a vishing call. Someone rings the victim pretending to be from IT support, explains there’s a system issue, and asks them to approve the next notification to resolve it.
Three practical things you can do to protect clients from this:
- Switch push-only MFA to number matching. The user has to type a code shown on screen into their phone rather than just tapping approve, which breaks the prompt bombing technique entirely.
- Set alert thresholds for repeated failed MFA prompts. Three or more in quick succession should trigger an investigation, not just a log entry.
- Tell clients explicitly: if they receive unexpected MFA requests they didn’t initiate, the answer is always no… and they should call your team immediately.
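The alert threshold from the second recommendation, sketched as detection logic. This is an added example, not code from the newsletter or from any MFA vendor; the event format, the 10-minute window, and all names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                    # from the text: three or more failed prompts
WINDOW = timedelta(minutes=10)   # assumption: "quick succession" = 10 minutes

# Constructed sample events (timestamp, user, result); not from a real IdP log.
SAMPLE_EVENTS = [
    ("2026-05-27T09:00:05", "alice", "denied"),
    ("2026-05-27T09:00:40", "alice", "timeout"),
    ("2026-05-27T09:01:10", "bob",   "approved"),
    ("2026-05-27T09:01:30", "alice", "denied"),
    ("2026-05-27T09:02:15", "alice", "approved"),
    ("2026-05-27T09:05:00", "carol", "denied"),
    ("2026-05-27T11:30:00", "carol", "denied"),
    ("2026-05-27T14:45:00", "carol", "timeout"),
]

def detect_prompt_bombing(events, threshold=THRESHOLD, window=WINDOW):
    """Return (user, alert_type, timestamp) for bursts of failed MFA prompts."""
    recent = defaultdict(deque)   # user -> timestamps of recent failed prompts
    alerts = []
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        failures = recent[user]
        while failures and ts - failures[0] > window:
            failures.popleft()    # drop failures that fell out of the window
        if result in ("denied", "timeout"):
            failures.append(ts)
            if len(failures) == threshold:
                # Fires once, when the count first reaches the threshold.
                alerts.append((user, "investigate", ts_text))
        elif result == "approved" and len(failures) >= threshold:
            # An approval right after a burst may mean the user gave in.
            alerts.append((user, "approved_after_burst", ts_text))
            failures.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_EVENTS):
        print(alert)
```

The second alert type covers the case where the alert matters most: a burst of rejected or ignored prompts followed by an approval on the same account.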
🟡 Dutch police seized 800 servers and arrested two people for running infrastructure that enabled global cyberattacks
A coordinated operation by the Dutch National High Tech Crime Unit last week took down one of Europe’s largest bulletproof hosting operations… seizing 800 servers and arresting two people running the infrastructure. (Source: Krebs on Security)
Bulletproof hosting is the engine room of cybercrime. Servers specifically configured to ignore takedown requests and abuse complaints, rented to ransomware groups, phishing operations, and DDoS-for-hire services.
The seized infrastructure was being used by multiple active threat groups to host command-and-control servers, malware distribution points, and stolen credential databases.
🟢 The Boss wrote an AI app. Management love it. Now everyone has to use it…
This week’s BOFH column from The Register is required reading if you’ve ever deployed software you didn’t choose, to users who didn’t want it, on behalf of a decision maker who didn’t understand it. (Source: The Register)
That’s it for Wednesday. We’ll be back in your inbox tomorrow morning. Have a great day.


