Several Apple users have been bombarded with hundreds of unsolicited password reset requests
Some have even received calls from the attackers on denying password requests
Apple has yet to officially acknowledge the attack
Beware Apple users – a phishing scam is doing the rounds, targeting Apple devices. It’s being called ‘MFA Bombing’: unknown threat actors send you unsolicited system-level password reset requests, and loads of them.
The attack is not just limited to iPhones. Many users have reported that the constant pop-ups also prevented them from using their MacBook and Apple smartwatch until each and every one of them was manually deleted.
The incident was brought to light through a blog post by Krebs on Security (by security blogger Brian Krebs) and a user on X named Parth Patel, an AI entrepreneur.
Patel said that he was bombarded with more than 100 requests and had to manually deny each of them to be able to access his device again. Then, 15 minutes later he got a call from the hackers pretending to be Apple’s support team. He was told that his account was under attack and that he needed to share an OTP with them to secure it again.
Fortunately, Patel was immediately suspicious and asked the fake Apple staff to verify some of his details, such as his name, email, old emails, phone number, address and date of birth. Surprisingly, the caller was able to get most of the answers right, except Parth’s name. When they addressed him as Anthony S, he knew something was off and disconnected the call.
“I distinctly remember [PeopleDataLabs] mixing me up with a midwestern elementary school teacher named Anthony S.” – Parth Patel
Had Patel shared the OTP with the attackers, they would have logged him out of all his Apple devices and could even have wiped his data.
What’s interesting is that this wasn’t a standalone instance. Several other users have had similar experiences. One of the targeted users said that he was awakened in the middle of the night by the sound of notifications and almost clicked on “Allow” in his sleepy state.
Apple is also in the eye of the storm of a landmark lawsuit brought against it by the DOJ for allegedly monopolizing the smartphone market.
Why Did the Attackers Send 100+ Reset Requests?
The reason behind the attackers sending so many notifications is to trick the users into pressing “Allow.”
It’s easy to see how being bombarded with pop-ups left, right, and center might lead users to accidentally click Allow, or they might do it out of frustration in an attempt to prevent more pop-ups. Either way, if they give in, their device will be compromised.
These types of attacks are called multi-factor fatigue attacks and have been quite popular in the last few years—so much so that Microsoft (which is undergoing an attack by Russia-backed hackers) had to change the way its MFA codes worked just to avoid them.
However, Apple is unfortunately yet to take a step against it. In fact, Apple hasn’t yet commented on the issue at hand, either.
Some industry experts have already identified the underlying problem.
According to Krebs, the attackers found a bug in Apple’s password reset feature and exploited it to send these unwanted reset requests.
Adding to this, software engineer Kishan Bagaria said that the company’s password reset tool may have a rate-limiting problem, i.e. a flaw in how many password reset requests can be sent for one account within a certain time window.
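To illustrate the missing control Bagaria describes, here is an added example (not code from the article, from Apple or from any of the people quoted) of a per-target-account sliding-window limiter for reset pushes, with the burst signal a defender would alert on. The account names, timestamps and source addresses are constructed, and the limit of 3 requests per 15 minutes is an assumed policy.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: (timestamp, target_account, source_ip). Twelve reset
# requests aimed at one account within two minutes, plus one ordinary request
# for a different account. All names and addresses are made up.
SAMPLE_EVENTS = [
    (datetime(2024, 3, 24, 2, 0, 0) + timedelta(seconds=10 * i),
     "victim@example.com", "203.0.113.7")
    for i in range(12)
] + [(datetime(2024, 3, 24, 2, 5, 0), "colleague@example.com", "198.51.100.3")]


class ResetRateLimiter:
    """Sliding-window limiter keyed on the *target* account, not the requester,
    so a flood of reset pushes aimed at one user is throttled no matter how many
    source addresses the sender rotates through (assumed policy: 3 per 15 min)."""

    def __init__(self, max_requests=3, window=timedelta(minutes=15)):
        self.max_requests = max_requests
        self.window = window
        self._history = defaultdict(deque)  # account -> timestamps in window

    def allow(self, ts, account):
        hist = self._history[account]
        while hist and ts - hist[0] > self.window:  # age out old entries
            hist.popleft()
        if len(hist) >= self.max_requests:
            return False  # deny: do not send another reset push to the device
        hist.append(ts)
        return True


def process(events, limiter):
    """Return (pushes_sent_per_account, accounts_flagged_for_review).
    An account is flagged the first time a request is denied; that denial is
    the detection signal (a reset-push burst is the MFA-bombing pattern)."""
    sent = defaultdict(int)
    flagged = []
    for ts, account, _ip in events:
        if limiter.allow(ts, account):
            sent[account] += 1
        elif account not in flagged:
            flagged.append(account)
    return dict(sent), flagged


if __name__ == "__main__":
    print(process(SAMPLE_EVENTS, ResetRateLimiter()))
```

With the limiter in place the victim's device would receive 3 pushes instead of 12, and the account would be flagged for review on the fourth attempt.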
How Can You Protect Yourself from Such Attacks?
Since it’s a system-level attack, there isn’t much you can do but wait for Apple to fix it. In the meantime, stay vigilant and keep clicking on “Don’t Allow” every time you get a popup—even if you’re sleepy!
In case you accidentally click on “Allow” and get a call, don’t share any OTP with the fake Apple representatives.
Another option is to turn on the Apple Recovery Key option. It randomly generates a 28-character passcode, so it will make it harder for the hackers to reset your password.
Copyright for syndicated content belongs to the linked source: TechReport – https://techreport.com/news/apple-users-spammed-unwanted-password-reset-requests/