Bengaluru cybercrime authorities have sounded an alert over a new malware threat that manipulates multi-factor authentication (MFA) systems using emotionally charged images and videos. The malware is reportedly being distributed through posts referencing the Pahalgam attack, with captions urging users to “set this as your DP” or “watch this tourist’s final message”.

Once a victim downloads the content, the malware triggers a technique called “MFA fatigue” or “push bombing”, wherein the user receives repeated login prompts. Cybercriminals rely on the victim mistakenly approving one of these prompts, thereby granting access to sensitive data.

Though MFA is designed to provide an extra layer of protection, attackers are leveraging previously leaked passwords and bypassing the system by targeting the human element. Once access is granted, criminals can hijack email accounts, impersonate users, reset banking passwords, or even install spyware for continuous monitoring.
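For defenders, the pattern described above (a run of push prompts that are denied or ignored, followed by a single approval) can be flagged in authentication logs. The following is an added example, not part of the original report; the log format, field names, and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; field names and result values are assumptions,
# not the schema of any particular identity provider.
SAMPLE_LOG = """\
2025-05-01T09:00:05 alice push approved
2025-05-01T22:14:01 bob push denied
2025-05-01T22:14:40 bob push timeout
2025-05-01T22:15:12 bob push denied
2025-05-01T22:15:55 bob push timeout
2025-05-01T22:16:30 bob push denied
2025-05-01T22:17:02 bob push approved
2025-05-01T23:40:00 carol push denied
2025-05-01T23:41:00 carol push approved
"""

def parse(log_text):
    """Yield (timestamp, user, result) from whitespace-separated lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "push":
            continue  # skip malformed or non-push records
        yield datetime.fromisoformat(parts[0]), parts[1], parts[3]

def detect_push_fatigue(events, window=timedelta(minutes=10), min_unapproved=5):
    """Return (user, approval_time, n) for approvals that follow a burst of
    at least min_unapproved denied/timed-out prompts inside the window."""
    recent = defaultdict(deque)   # user -> timestamps of unapproved prompts
    alerts = []
    for ts, user, result in sorted(events):
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()           # drop prompts older than the window
        if result in ("denied", "timeout"):
            q.append(ts)
        elif result == "approved":
            if len(q) >= min_unapproved:
                alerts.append((user, ts, len(q)))
            q.clear()             # an approval ends the current burst
    return alerts

if __name__ == "__main__":
    for user, ts, n in detect_push_fatigue(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user}: approval after {n} unapproved prompts")
```

An alert from this check is a cue to revoke the session and reset the password, since the prompts only appear when the attacker already holds valid credentials.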

Police warn that this tactic is especially dangerous due to its emotional manipulation. The attackers exploit users’ empathy and urgency, increasing the likelihood of careless actions. “People are more vulnerable when they believe they’re engaging with sensitive or tragic content,” a senior official explained.

This is the first widespread use of MFA-targeted malware via social engineering linked to emotional triggers, making it harder for users to identify the threat in time.

Citizens are urged not to download unknown files or approve unsolicited MFA prompts, no matter how compelling the message may seem.
