BENGALURU: Bengaluru police have warned of a new cyber threat involving malware that abuses ‘multi-factor authentication’ (MFA) systems, hidden inside images and videos shared in the name of Pahalgam attack.
The malware is disguised as content such as emotional posts urging users to “set this as your DP” or “watch this tourist’s final message”. Once downloaded, it triggers a tactic known as ‘MFA fatigue’, where repeated login prompts are sent to the victim’s device in the hope that they will accidentally approve one, unknowingly granting attackers access to data.
Cyber police said the technique — also called “push bombing” — has been used in corporate breaches before, but this is the first time it’s being deployed widely using emotionally charged content. MFA typically works by asking for an extra verification step — such as a one-time password sent via SMS or an approval prompt on the user’s device — after the correct password is entered. But attackers have found a way to manipulate this system.
Once a user downloads the malware-infected file, it begins sending repeated login approval requests and relies on the victim to unknowingly press “approve,” thinking it’s a routine notification. This effectively bypasses the security that MFA was supposed to provide.
Cyber police told TNIE that in these cases, the attackers already have access to users’ passwords, likely leaked from older data breaches and hence they aim to get past the second step — multi factor authentication — by pushing users into approving access themselves.
Once attackers crack MFA, the consequences can be far-reaching, a police official said, explaining that if they gain access to a user’s email, fraudsters can take over communications, impersonate the victim, or use it to reset passwords for other linked accounts including for online banking apps.
“After cracking MFA, fraudsters can even escalate their activities and install spyware to monitor user activity or hijacking accounts to steal money or manipulate the victim’s online presence,” the official added.
What makes this attack even more alarming is how difficult it is for users to recognize they have been compromised. MFA, considered to be the ultimate defence, becomes a tool for hackers when paired with social engineering techniques and human error. Social engineering techniques and human error play a crucial role in the success of cyberattacks that target MFA, a senior police officer said.
“In the case of MFA fatigue, attackers use emotionally charged content, such as images or videos related to tragic events, to create a sense of urgency or empathy.
This manipulation taps into a user’s instincts — people are more likely to let their guard down when they believe they are engaging with something emotionally significant or urgent. Once the user is drawn in by the content, they are more likely to act impulsively, approving a login request or downloading malicious files without thinking critically about the consequences,” the officer added.