It’s 3:00AM and your phone keeps beeping. There’s a pop-up on your screen asking you to approve a login to one of your accounts. Someone’s first instinct might be to blindly hit “OK” so they can go back to sleep, but that tap could be the first step towards a data breach.
What is Prompt Bombing?
At its core, Prompt Bombing is a form of social engineering. Most of us tend to think of social engineering tactics as involving attackers using fear or titillation to get people to click a link or run a file. But there are other emotional states that can be useful for short-circuiting our better judgement, and there are other results of a distracted click that can be abused by criminals.
In the case of Prompt Bombing, annoyance can lead us to frustration and distraction. And that could cause us to click away notifications that would allow attackers to access our accounts or to execute malicious code.
The most obvious way to reach an effective level of annoyance is to flood someone with notifications, each of which has to be dismissed before they can get back to whatever they were doing. Or the attacker could make the screen display something horrifying or embarrassing. These are certainly not the only ways to irritate someone with a computer or mobile device, and criminals do not lack for creativity in accomplishing their nefarious deeds.
In recent news articles, discussion of Prompt Bombing has primarily revolved around the activities of LAPSUS$ and Cozy Bear, and specifically their use of this technique to bypass multi-factor authentication (MFA). In that scenario the attacker already holds a valid username and password, and repeatedly triggers push notifications until the victim approves one just to make them stop. But it could be worthwhile for security practitioners to consider uses of this technique beyond the realm of authentication. It could truly be used any time a user has to click through a prompt.
Security Education and Technology to the Rescue
For security people, our natural reaction to receiving a strange notification in the middle of the night is like drinking a strong shot of espresso. Most people are not going to respond in quite the same way, at least not without getting a bit more context first.
This is where we can offer some help in the form of technology and education.
Ideally, we should enable any available options that limit how often someone can be prompted to do something: capping the number of push notifications allowed per sign-in attempt or per time window, locking the account after too many denied prompts, and requiring the user to enter a number shown on the login screen (number matching) so that a prompt cannot be approved with a single distracted tap. And we need to make use of technology that understands what “normal” behavior is for each of our users, such as the hours, locations and devices they usually sign in from, so we can block suspect behavior (or at least alert a security person to check things out!).
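The two controls above, a rate limit on prompts and a comparison against each user’s normal behavior, can both be expressed as detections over the identity provider’s authentication log. The following is an added example written for this page, not code from the original article or from any vendor. It assumes a hypothetical line-oriented log format (`timestamp user=... event=... ip=...`), a constructed per-user baseline of normal sign-in hours, and the constructed sample log lines embedded in the block; the threshold of four prompts in five minutes is also an assumption to be tuned for your own environment.

```python
"""Detecting MFA prompt bombing in authentication logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical key=value format.
# "bob" is a normal daytime login; "alice" is hit with a burst of push
# prompts at 3:00AM and finally approves one.
SAMPLE_LOG = """\
2022-03-22T09:14:02Z user=bob event=mfa_push_sent ip=198.51.100.5
2022-03-22T09:14:20Z user=bob event=mfa_push_approved ip=198.51.100.5
2022-03-22T02:58:01Z user=alice event=mfa_push_sent ip=203.0.113.7
2022-03-22T02:58:40Z user=alice event=mfa_push_denied ip=203.0.113.7
2022-03-22T02:59:05Z user=alice event=mfa_push_sent ip=203.0.113.7
2022-03-22T02:59:50Z user=alice event=mfa_push_sent ip=203.0.113.7
2022-03-22T03:00:12Z user=alice event=mfa_push_sent ip=203.0.113.7
2022-03-22T03:00:45Z user=alice event=mfa_push_sent ip=203.0.113.7
2022-03-22T03:01:30Z user=alice event=mfa_push_approved ip=203.0.113.7
"""

# Constructed baseline: the UTC hour range [start, end) in which each user
# normally signs in. In practice this is learned from historical logins.
NORMAL_HOURS = {"alice": (7, 19), "bob": (7, 19)}


def parse_log(text):
    """Parse the hypothetical log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_prompt_bursts(events, threshold=4, window=timedelta(minutes=5)):
    """Return {user: max prompts seen in any `window`} for users that received
    at least `threshold` push prompts inside one sliding window."""
    recent = defaultdict(deque)
    alerts = {}
    for e in events:
        if e["event"] != "mfa_push_sent":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()  # drop prompts that fell out of the window
        if len(q) >= threshold:
            alerts[e["user"]] = max(alerts.get(e["user"], 0), len(q))
    return alerts


def detect_off_hours_approvals(events, normal_hours):
    """Return (user, timestamp) for approvals outside the user's baseline hours.
    Users with no baseline are treated as always-normal."""
    hits = []
    for e in events:
        if e["event"] != "mfa_push_approved":
            continue
        start, end = normal_hours.get(e["user"], (0, 24))
        if not start <= e["ts"].hour < end:
            hits.append((e["user"], e["ts"]))
    return hits


def triage(events, normal_hours, threshold=4, window=timedelta(minutes=5)):
    """Combine the two signals into per-user findings. An approval that follows
    a prompt burst is the worst case: the bombing worked."""
    findings = defaultdict(list)
    bursts = detect_prompt_bursts(events, threshold, window)
    for user, n in bursts.items():
        findings[user].append(f"{n} push prompts within {window}")
    for user, ts in detect_off_hours_approvals(events, normal_hours):
        findings[user].append(f"approval at {ts:%H:%M}Z outside normal hours")
    approved = {e["user"] for e in events if e["event"] == "mfa_push_approved"}
    for user in bursts:
        if user in approved:
            findings[user].append("approval followed a prompt burst: revoke sessions and reset MFA")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in triage(parse_log(SAMPLE_LOG), NORMAL_HOURS).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

On the sample data only `alice` is flagged, with all three findings; `bob`’s single daytime prompt and approval produce nothing. The same sliding-window counter, run inline at the identity provider rather than over logs after the fact, is the rate limit: once a user has crossed the threshold, stop sending prompts and require a fresh password plus number matching instead.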
But there’s one more thing that needs to happen; we need to make sure our users understand what to do when they see this tactic. They need training to know why this behavior is suspicious, and what it means attackers are trying to do. They also need to know that they can come to us to report what they’ve seen, any time of the day or night, without fear of blame. Even if they’ve accidentally hit that “OK” button while fumbling with their phone in the dead of night.