One of the latest attacks on the iPhone allows malicious actors to exploit the Apple ID password reset system and bombard users with iOS prompts asking them to take over their accounts. Here’s how to protect yourself from iPhone password reset attacks (often referred to as “MFA bombing”).
Recently, we heard about Apple users being targeted by MFA bombing (also known as MFA fatigue or push bombing). This is not a new attack, but it can be a convincing scam as it pushes an official iOS password reset prompt to the victim.
As Krebs on Security describes in detail (via Parth Patel), the attackers exploiting this weakness appear to be doing so through Apple users’ phone numbers. This can result in iPhones and other Apple devices receiving over 100 MFA (multi-factor authentication) system prompts asking to reset the Apple ID password.
Updated April 21, 2024: We haven’t seen any more “bombing” incidents from this attack since Apple rolled out its fix at the end of March. However, my 9to5Mac colleagues and I both witnessed password reset attacks on our Apple devices this weekend.
In my case, I was prompted to reset my password on my iPhone and on my Mac. Fortunately, it was only one prompt on each device, so it was quickly declined. Meanwhile, my colleague Bradley received five of them.
Stay alert and stay safe out there!
Updated March 28, 2024, 2:40 PM PT: 9to5Mac has heard from an Apple spokesperson regarding this issue. The company is aware of several recent instances of these phishing attacks, and Apple has taken steps to address the issue.
How to protect against iPhone password reset attacks
- Decline, decline, decline
  - The password reset request is a system-level alert, so it can look convincing, but be sure to select “Don’t Allow” for every one of them.
  - One way attackers wear down their victims is by bombarding them with hundreds of prompts, sometimes over several days. Keep selecting “Don’t Allow”, and use step 3 below if necessary.
  - Note: If you see a password reset prompt on the web, that may be a different phishing scam. Close the page rather than clicking, because both buttons can lead to malicious links.
- Don’t answer the phone, even if the caller ID says “Apple Support” or something similar.
  - Attackers use call spoofing to make the incoming number look like the official Apple Support phone number, which lets them “verify” personal information and make the scam appear legitimate.
  - Next, they will try to get a one-time passcode from you in order to take over your Apple account.
  - If in doubt, decline the call and call Apple back at 800.275.2273 in the US. A spoofed caller cannot intercept an outgoing call to the genuine Apple number.
  - Apple emphasizes that it won’t make outbound calls “unless the customer wishes to be contacted.” Do not share your one-time code with anyone.
- Temporarily change the phone number associated with your Apple ID
  - If the prompts keep appearing, change the phone number associated with your Apple ID and the prompts will stop.
  - However, keep in mind that this interferes with iMessage and FaceTime.
Learn more
As noted in the Krebs on Security article, there appears to be a rate-limiting issue with the Apple ID password reset system.
What sensibly designed authentication system sends out dozens of password change requests within a few minutes when the user has never acted on the first one? This looks like the result of a bug in Apple’s system, doesn’t it?
We hope Apple is working on a fix to prevent malicious parties from exploiting this system. Unfortunately, password reset scams have been reported by users for at least two years (and probably longer).
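The design point above, as an added illustration that is not Apple’s code nor from the Krebs on Security or 9to5Mac articles: a toy reset-prompt issuer (class names, limits and the account ID are all assumptions) that collapses repeat requests while a prompt is still unanswered and caps prompts pushed per account per hour, run against a constructed burst of 100 requests.

```python
"""Rate-limited password reset push prompts (constructed example, not Apple's system)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

PENDING_TTL_S = 15 * 60       # an unanswered prompt stays "pending" this long (assumed)
WINDOW_S = 60 * 60            # sliding window for the per-account cap (assumed)
MAX_PROMPTS_PER_WINDOW = 3    # prompts actually pushed per account per window (assumed)


@dataclass
class AccountState:
    pending_since: Optional[float] = None             # timestamp of an unanswered prompt
    sent_times: deque = field(default_factory=deque)  # timestamps of prompts pushed


class ResetPromptService:
    def __init__(self):
        self.accounts = {}

    def request_reset(self, account_id: str, now: float) -> str:
        """Return 'PUSHED', 'PENDING' (folded into the open prompt) or 'RATE_LIMITED'."""
        st = self.accounts.setdefault(account_id, AccountState())
        # 1. Never duplicate a prompt the user has not yet answered.
        if st.pending_since is not None and now - st.pending_since < PENDING_TTL_S:
            return "PENDING"
        # 2. Sliding-window cap on prompts that actually reach the devices.
        while st.sent_times and now - st.sent_times[0] >= WINDOW_S:
            st.sent_times.popleft()
        if len(st.sent_times) >= MAX_PROMPTS_PER_WINDOW:
            return "RATE_LIMITED"
        st.sent_times.append(now)
        st.pending_since = now
        return "PUSHED"

    def user_answered(self, account_id: str) -> None:
        """User tapped Allow or Don't Allow: the prompt is no longer pending."""
        self.accounts[account_id].pending_since = None


def simulate_burst(n_requests: int = 100, interval_s: float = 2.0):
    """Constructed burst: n_requests resets for one account, a few seconds apart."""
    svc = ResetPromptService()
    outcomes = [svc.request_reset("victim@example.com", i * interval_s) for i in range(n_requests)]
    return outcomes.count("PUSHED"), outcomes.count("PENDING"), outcomes.count("RATE_LIMITED")


def simulate_burst_with_declines(n_requests: int = 100, interval_s: float = 2.0) -> int:
    """Same burst, but the victim declines every prompt at once; only the cap limits them."""
    svc, acct, pushed = ResetPromptService(), "victim@example.com", 0
    for i in range(n_requests):
        if svc.request_reset(acct, i * interval_s) == "PUSHED":
            pushed += 1
            svc.user_answered(acct)
    return pushed
```

With these rules the 100-request burst yields one pushed prompt and 99 folded into it, and even a victim who declines each prompt instantly sees at most three per hour.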
A recent victim said he was advised by a senior Apple engineer to turn on the Recovery Key feature for his Apple ID to stop the password reset notifications. However, on further testing, Krebs on Security verified that an Apple Recovery Key does not block the password reset prompts.