One of the latest attacks on iPhone sees malicious parties abusing the Apple ID password reset system to flood users with iOS prompts to take back their accounts. Here’s how to protect yourself against iPhone password reset attacks (often called “MFA bombing”).
We’ve recently heard about Apple users being targeted with MFA bombing (also known as MFA fatigue or push bombing). This isn’t a new attack, but it can be a convincing scam because it sends victims official iOS password reset prompts.
As detailed by Krebs on safety (via Parth Patel), Attackers abusing this vulnerability appear to be doing so via an Apple user’s phone number, which can bombard your iPhone and other Apple devices with more than 100 MFA (multi-factor authentication) prompts to reset your Apple ID password.
Updated 04/21/24: We haven’t seen more cases of this attack being “bombed” since Apple released a patch in late March. However, a 9to5Mac My teammate and I both saw the password attack this weekend on our Apple devices.
In my case, I received the password reset prompt on both my iPhone and Mac. Fortunately, there was only one prompt on each device, so they quickly declined. Meanwhile, my colleague Bradley got five.
Stay alert and safe out there!
Updated 03/28/24 at 2:40 p.m. PT: 9to5Mac heard from an Apple spokesperson about this issue. The company is aware of a few recent cases of these phishing attacks and Apple has taken steps to address the issue.
How to protect yourself against iPhone password reset attacks
- Decline, decline, decline
- Since password reset requests are a system-level alert, this seems compelling – but be sure to choose “Not to allow” for everyone
- Attackers exhaust their victims by bombarding them with hundreds of messages, sometimes over several days – keep choosing. “Not to allow” and optionally use step 3 below
- Note: If you see a password reset prompt on the web that may be another phishing scam, close the page because either button could lead to a malicious link
- Do not answer phone calls – even if the caller ID says “Apple Support” or similar
- Attackers use call spoofing which can make the incoming number appear as the official Apple Support phone number and they may be able to verify personal information, making the scam appear to be legitimate.
- Then they try to get a one-time password from you to take over your Apple account.
- If in doubt, decline the call – and call Apple again (800.275.2273 in the US) – call spoofing should not be able to intercept your outgoing call to the real Apple.
- Apple highlights it will not do outgoing calls “unless the customer requests to be contacted” and you must never share one-time codes with anyone
- Temporarily change your phone number associated with your Apple ID
- If you continue to receive the prompts, changing your phone number linked to your Apple ID should stop them
- However, keep in mind it will interfere with iMessage and FaceTime
More details
As noted in Krebs’ security article, it appears there is a rate-limiting issue with the Apple ID password reset system.
What reasonably designed authentication system would send dozens of password change requests in a matter of moments, when the first few requests weren’t even processed by the user? Could this be the result of a bug in Apple’s systems?
Hopefully Apple is working on a fix so malicious parties can’t abuse this system. But unfortunately, the password reset scam has been pushed by users for at least two years (probably more).
A recent victim said a senior engineer at Apple advised her to enable the recovery key feature for her Apple ID to stop password reset notifications. However, upon further testing, this was not the case, and the Apple recovery key verified by Krebs on Security does not prevent password reset prompts.
Related:
Images from 9to5Mac
FTC: We use automatic, revenue-generating affiliate links. More.
News Source : 9to5mac.com
Gn tech
