MFA prompt bombing scam
An MFA prompt scam resulted in student and staff accounts being compromised at UQ.
What is the scam?
MFA prompt bombing is a cyber-attack that uses multi-factor authentication, such as SMS, email and MFA apps to trick you into giving a hacker access to your account.
The hacker repeatedly sends MFA requests to your device in the hope you will be caught off guard or irritated by the multiple notifications and approve the request without checking if it is from a legitimate source.
This attack happened at UQ. A staff member noticed an MFA pop-up appear on their staff account. They approved the notification and as a result, their account was compromised and hackers sent emails from the staff member's account to staff and students across UQ. The prompt took staff and students to a fake Microsoft sign-in page.
A number of staff and students logged into the page, each giving away their credentials to the hackers. Our Cyber Security Operations Centre (CSOC) were able to lock down the accounts and block the URLs.
How can you protect yourself?
- Never approve a login attempt that you did not initiate yourself.
- Always check URLs before entering login details.
- Use an MFA that requires a code to be entered rather than just a prompt-based MFA request.
- Change your password - If you are receiving MFA notifications from an unknown source it is most likely your password(s) have been stolen.
What to do if you have (or think you have) fallen victim?
Work devices
- Alert the Cyber Security Operations Centre (CSOC) by reporting a cyber concern.
Personal devices
- If you have entered login credentials, change your password immediately. If you have used that password across multiple accounts, ensure you change your password for each account. See Use Secure Passwords for more information.
- If you have entered your credit card or account details, contact your financial institution immediately.
- Notify your friends, family and online contacts to use caution if they receive communications from you.
- Enable multi-factor authentication (MFA) which requires a code to be entered, on all accounts where possible. See MFA for more information.
- Report the scam to the ACCC Scamwatch. This helps warn others about current scams and disrupts scams where possible.
- If your personal information has been put at risk, contact IDCare for support.