Infostealer Malware Threat Grows as MFA Fatigue Attacks Spread 

Information stealer malware flourished on underground criminal networks in 2022, along with a rise in multifactor authentication (MFA) fatigue attacks, according to research from Accenture’s Cyber Threat Intelligence team.

Infostealers are malicious software packages designed to steal victims’ information, including their passwords.

In MFA fatigue, an attacker floods an end user’s MFA device, typically a phone, with notifications to approve a login attempt. The intent is to tire the end-user out so they finally approve a login request to make the notifications stop.

The report found cybercriminals have stepped up offerings of infostealer malware variants to take advantage of demand, noting a rise of compromised credential marketplaces and a shift toward private sales for quality logs.

More Lucrative Than Ransomware

Timothy Morris, chief security advisor at Tanium, said he thinks infostealer malware may be flourishing because extortion is thriving, and extortion is more lucrative and simpler than ransomware.

“Most people think of extortion as holding data of an enterprise hostage or threats of leaking the stolen data during or after a ransomware attack—that is typical second-level extortion,” he explained. “The third level are the threats to leak the data of the individuals or entities contained within the data that has been exfiltrated.”

He added that this third layer of extortion can be arrived at by simply stealing the information, which infostealer malware is good—and mature—at doing.

“The same skills and infrastructure used to write and operate a banking trojan can be modified and used as an infostealer campaign,” Morris said. “The criminals are already good at evading detection and have modernized that.”

Patrick Tiquet, vice president of security and architecture at Keeper Security, pointed out that cyberattacks are constantly evolving and, as they continue to grow in sophistication and volume, intrusions that combine both phishing and social engineering are becoming more common.

“It is difficult to detect these types of attacks when they mimic legitimate user activity, especially if an attacker is able to compromise both login credentials and MFA,” he says.

He noted a recent trend involves cybercriminals attempting to intercept emails and text messages with authentication or one-time passcodes.

MFA Fatigue

Another method of bypassing MFA is by “bombing” the user with MFA requests until they become so fatigued that they accept one, either on purpose or accidentally.

“It’s important to note that while MFA is still a best practice for protecting your passwords against these types of attacks, not all MFA methods are created equal and none are infallible,” he says. “That’s why it’s important to use a password manager with zero-trust architecture as a first line of defense.”

A password manager will create high-strength random passwords for every website, application and system and encrypt passwords to limit any information a bad actor can access.

“Password managers will also enable strong forms of two-factor authentication, such as an authenticator app, to protect against remote data breaches,” Tiquet explained. 

Joseph Carson, chief security scientist and advisory CISO at Delinea, said MFA fatigue has increased as more organizations enforced MFA for many of their employees.

“Getting the balance right between security and productivity is always a fine line, and when you get it wrong it results in cybersecurity fatigue,” he explained. “Security has always caused friction for employees, such as antivirus making their device slow or firewalls preventing them from accessing legitimate business applications.”

Carson said finding the right balance between productivity and security is essential and involves moving more security controls into the background. That way they can continue to verify both the authorization and authentication—such as whether the request comes from the same location as the push notification is being sent.  

“Using privileged access management to ensure strong, unique passwords for every account makes it more difficult for attackers to even try abusing MFA fatigue,” he adds. 

Carson explained that while MFA is one way to reduce risks, it is not 100% protection and security pros must always take a “defense-in-depth” approach to cybersecurity. They should move as much security as they can into the background so security becomes usable and results in less friction and fatigue, he added. 

“Solid cybersecurity awareness training is also critical so employees know how to identify a suspicious MFA push notification,” he noted.

Morris agreed that it’s equally important to train employees to identify suspicious phishing emails or smishing text messages seeking to install malware into critical systems, prevent user access and steal sensitive data.

“Employees must also be made aware of MFA bombing, so they know to escalate the issue to IT instead of trying to log in themselves, accidentally giving a cybercriminal access to their accounts,” he added.