“MFA Fatigue” attack targets iPhone owners with endless password reset prompts
Enlarge / They look like normal notifications, but opening an iPhone with one or more of these stacked up, you won't be able to do much of anything until you tap "Allow" or "Don't Allow." And they're right next to each other. (credit: Kevin Purdy)
Human weaknesses are a rich target for phishing attacks. Making humans click "Don't Allow" over and over again in a phone prompt that can't be skipped is an angle some iCloud attackers are taking-and likely having some success.
Brian Krebs' at Krebs on Security detailed the attacks in a recent post, noting that "MFA Fatigue Attacks" are a known attack strategy. By repeatedly hitting a potential victim's device with multifactor authentication requests, the attack fills a device's screen with prompts that typically have yes/no options, often very close together. Apple's devices are just the latest rich target for this technique.
Both the Kremlin-backed Fancy Bear advanced persistent threat group and a rag-tag bunch of teenagers known as Lapsus$ have been known to use the technique, also known as MFA prompt bombing, successfully.