The Rising Cyber Threat: Emotional Manipulation and MFA Fatigue

Understanding the Latest Cyber Threat

Recently, the Bengaluru police have alerted the public about a new form of malware attack disguised as emotional content. This includes videos or images related to incidents like the Pahalgam attack. Once these files are downloaded, they initiate a process known as "push bombing" or MFA fatigue, compromising user accounts.

What is "Push Bombing" or MFA Fatigue?

Push bombing involves overwhelming a user's device with repeated multi-factor authentication (MFA) approval requests. Attackers rely on the chance that the user might accidentally approve one of these requests out of fatigue, granting access to their account.

Bypassing MFA Security

While MFA adds an extra layer of security, attackers exploit it using social engineering and leaked passwords from previous data breaches. They trick users into approving access themselves, thereby bypassing the intended security measures.

How is the Malware Spread?

The malware spreads through viral content that masquerades as emotional appeals, such as messages urging users to "watch this tourist's last message" or "set this as your DP." Downloading these files installs malware, triggering the MFA fatigue cycle.

Why This Campaign is More Dangerous

This campaign stands out because it targets regular users at scale using emotional manipulation, making it harder to detect. Unlike corporate attacks, these tactics exploit human emotion and urgency rather than just technical vulnerabilities.

Consequences of Approving a Malicious MFA Prompt

• Attackers can take over your email, resetting linked accounts.
• They might impersonate you online.
• Spyware can be installed to monitor your activities.
• Money could be stolen from your banking apps or e-wallets.

Emotional Content in Cyber Attacks

Emotional or tragic content is deliberately used to lower user defenses, prompting them to act without caution. It manipulates empathy and urgency, tricking users into downloading or approving harmful files.

Staying Safe

• Avoid downloading or opening files from unverified sources, regardless of their emotional appeal.
• If you receive repeated MFA requests, deny them and change your password immediately.
• Opt for app-based or biometric MFA instead of SMS/email prompts.
• Utilize trusted antivirus software and keep your devices updated.
• Stay vigilant during periods of public tragedy, when emotional scams are more prevalent.

Is MFA Still Safe?

Yes, MFA remains a crucial security measure. However, awareness of fatigue attacks is essential. Never approve repeated prompts without certainty, as vigilance is key to maintaining security.

Broader Lessons from This Threat

Today's cyberattacks increasingly combine technical methods with psychological manipulation. Security hinges not only on robust systems but also on informed users who can resist emotional bait and think before clicking. As the digital age evolves, the weakest link is often the unsuspecting human.