
Apple Users Are Being Spammed with Unwanted Password Reset Requests as Part of ‘MFA Bombing’

by Krishi Chowdhary, from Techreport (#6KPEK)

  • Several Apple users have been bombarded with hundreds of unsolicited password reset requests
  • Some have even received calls from the attackers on denying password requests
  • Apple has yet to officially acknowledge the attack


Beware, Apple users: a phishing scam is doing the rounds, targeting Apple devices. It's being called 'MFA Bombing', where unknown threat actors send you unsolicited system-level password reset requests, and loads of them.

The attack is not just limited to iPhones. Many users have reported that the constant pop-ups also prevented them from using their MacBook and Apple smartwatch until each and every one of them was manually deleted.

The incident was brought to light through a blog post by Krebs on Security (by security blogger Brian Krebs) and a user on X named Parth Patel, an AI entrepreneur.

Patel said that he was bombarded with more than 100 requests and had to manually deny each of them to be able to access his device again. Then, 15 minutes later he got a call from the hackers pretending to be Apple's support team. He was told that his account was under attack and that he needed to share an OTP with them to secure it again.

Good on Patel that he was immediately suspicious and asked the fake Apple staff to verify some of his details such as name, email, old emails, phone number, address, date of birth, etc. Surprisingly, the caller was able to get most of the answers right, except Parth's name. When they addressed him as Anthony S, he knew something was off and disconnected the call.

"I distinctly remember [PeopleDataLabs] mixing me up with a midwestern elementary school teacher named Anthony S."
Parth Patel

Had Patel shared the OTP with the attackers, they could have logged him out of all his Apple devices and even wiped his data.

What's interesting is that this wasn't a standalone instance. Several other users have had similar experiences. One of the targeted users said that he was awakened in the middle of the night by the sound of notifications and almost clicked on "Allow" in his sleepy state.

Apple is also in the eye of the storm of a landmark lawsuit brought against it by the DOJ for allegedly monopolizing the smartphone market.

Why Did the Attackers Send 100+ Reset Requests?

The reason behind the attackers sending so many notifications is to trick the users into pressing "Allow."

It's easy to see how being bombarded with pop-ups left, right, and center might lead users to accidentally click Allow, or they might do it out of frustration in an attempt to prevent more pop-ups. Either way, if they give in, their device will be compromised.

These types of attacks are called multi-factor fatigue attacks and have been quite popular in the last few years, so much so that Microsoft (which is undergoing an attack by Russia-backed hackers) had to change the way its MFA codes worked just to avoid them.

However, Apple is unfortunately yet to take a step against it. In fact, Apple hasn't yet commented on the issue at hand, either.

Some industry experts have already identified the underlying problem.

  • According to Krebs, the attackers found a bug in Apple's password reset feature and exploited it to send these unwanted reset requests.
  • Adding to it, software engineer Kishan Bagaria said that the company's password reset tool may have a problem with rate-limiting, i.e., how many password reset requests can be sent within a certain duration.

How Can You Protect Yourself from Such Attacks?
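The rate-limiting gap Bagaria points at is the one part of this story a defender can model directly. What follows is an added example, not Apple's code and not taken from the article or the experts quoted in it: a small sliding-window limiter for a hypothetical reset-prompt service, replayed over constructed request events, plus a detector that flags accounts whose dropped-prompt volume looks like a fatigue campaign rather than a forgetful user. The account names, thresholds and the service itself are assumptions.

```python
"""Sliding-window rate limit for password-reset prompts, plus a burst detector.

Added example, not Apple's code and not from the article: it assumes a
hypothetical service that must decide whether to push one more reset prompt
to a user's devices, and it flags accounts whose request volume looks like a
fatigue (MFA bombing) campaign. Every event below is constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class ResetPromptLimiter:
    """Allow at most `max_prompts` reset prompts per account within `window_seconds`.

    Requests above the limit are rejected before they reach the user's devices,
    so a flood of reset attempts never becomes a flood of pop-ups.
    """

    def __init__(self, max_prompts: int = 3, window_seconds: int = 3600) -> None:
        self.max_prompts = max_prompts
        self.window = window_seconds
        self._history: Dict[str, Deque[float]] = defaultdict(deque)
        # Per-account count of prompts that were dropped by the limiter.
        self.rejected: Dict[str, int] = defaultdict(int)

    def allow(self, account: str, now: float) -> bool:
        hist = self._history[account]
        # Evict timestamps that have aged out of the sliding window.
        while hist and now - hist[0] >= self.window:
            hist.popleft()
        if len(hist) >= self.max_prompts:
            self.rejected[account] += 1
            return False
        hist.append(now)
        return True


def replay(events: List[Tuple[float, str]], limiter: ResetPromptLimiter) -> Dict[str, Tuple[int, int]]:
    """Replay (timestamp, account) reset requests; return {account: (delivered, dropped)}."""
    delivered: Dict[str, int] = defaultdict(int)
    for ts, account in events:
        if limiter.allow(account, ts):
            delivered[account] += 1
    accounts = set(delivered) | set(limiter.rejected)
    return {a: (delivered[a], limiter.rejected[a]) for a in accounts}


def flag_bombing(summary: Dict[str, Tuple[int, int]], drop_threshold: int = 20) -> List[str]:
    """Accounts whose dropped-prompt count suggests a deliberate flood.

    These are the accounts worth alerting on, and worth warning that a follow-up
    'support' call asking for a one-time code is likely part of the same scam.
    """
    return sorted(a for a, (_, dropped) in summary.items() if dropped >= drop_threshold)


# Constructed sample: one legitimate user with two requests over an hour apart,
# and one targeted account hit with 100 requests in about 15 minutes, modelled
# on the volume described in the article. Names are placeholders.
SAMPLE_EVENTS: List[Tuple[float, str]] = [
    (0.0, "alice@example.test"),
    (4000.0, "alice@example.test"),
]
SAMPLE_EVENTS += [(float(i * 9), "victim@example.test") for i in range(100)]

if __name__ == "__main__":
    summary = replay(SAMPLE_EVENTS, ResetPromptLimiter())
    for account, (ok, dropped) in sorted(summary.items()):
        print(f"{account}: delivered={ok} dropped={dropped}")
    print("flagged:", flag_bombing(summary))
```

With the default limit of three prompts per hour, the legitimate user's two requests both go through, while the targeted account receives only the first three of its hundred prompts and the remaining 97 are dropped and counted; that count is what trips the detector. The design choice worth noting is that the limiter and the detector are separate: the limit protects the user's devices, and the dropped-request count is the signal a security team watches, because a burst of rejected resets is itself evidence that an account is being targeted.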

Since it's a system-level attack, there isn't much you can do but wait for Apple to fix it. In the meantime, stay vigilant and keep clicking on "Don't Allow" every time you get a popup, even if you're sleepy!

In case you accidentally click on "Allow" and get a call, don't share any OTP with the fake Apple representatives.

Another option is to turn on the Apple Recovery Key option. It randomly generates a 28-character passcode, so it will make it harder for the hackers to reset your password.
