iPhone users are somewhat accustomed to the occasional Apple ID password prompt on their iPhone, but a new phishing attack might make them think twice about mindlessly entering their password. As Krebs on Security pointed out, Apple customers are the target of a “push bombing” or “MFA fatigue” phishing campaign in which attackers repeatedly send two-factor authentication notifications to Apple devices.
As documented in Parth Patel’s Twitter/X feed, all of his Apple devices started “blowing up” with push notifications asking him to reset his Apple ID password. All told, he had to delete around 100 notifications before the attack ended. Although Patel knew better than to get caught out by the notifications, other Apple users might not be so lucky, especially when their devices are bombarded with requests.
Notifications seem real because they are real. The attackers appear to be exploiting “a bug in Apple systems” that sends legitimate notifications to all Apple devices connected to that Apple ID when someone attempts to reset a password via the “Forgot your password?” page. The simple attack doesn’t appear to require much information other than a phone number and email address, and Apple’s system allows someone to repeatedly request a password reset in the hope that one of the requests will be authorized.
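The weakness described above is that a password-reset request fans out a genuine notification to every device on the account, and nothing stops the request from being repeated. The following is an added illustration (not Apple’s code) of the server-side control a defender would want: a per-account cap on reset notifications per sliding window, plus an alert when request volume looks like push bombing. The thresholds and the sample events are assumed and constructed.

```python
# Added example (not Apple's code): cap how many password-reset push notifications
# a single account can trigger per window, and alert when request volume looks
# like push bombing.  Thresholds and sample events are assumed/constructed.
from collections import defaultdict, deque

WINDOW_SECONDS = 3600     # sliding window (assumed policy value)
MAX_NOTIFICATIONS = 3     # reset pushes delivered per account per window
ALERT_THRESHOLD = 10      # requests per window that indicate push bombing


class ResetNotificationThrottle:
    """Decides whether a reset request may fan out a push to the user's devices."""
    def __init__(self):
        self._sent = defaultdict(deque)      # account -> times a push was delivered
        self._attempts = defaultdict(deque)  # account -> times of every request
        self.alerts = []                     # (account, time, attempts_in_window)

    @staticmethod
    def _prune(q, now):
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()

    def handle_request(self, account, now):
        """Return True if a push should be sent, False if it is suppressed."""
        attempts, sent = self._attempts[account], self._sent[account]
        self._prune(attempts, now)
        self._prune(sent, now)
        attempts.append(now)
        if len(attempts) == ALERT_THRESHOLD:       # fire as the threshold is crossed
            self.alerts.append((account, now, len(attempts)))
        if len(sent) >= MAX_NOTIFICATIONS:         # accept silently, do not notify
            return False
        sent.append(now)
        return True


def replay(events):
    """Run (timestamp, account) events through the throttle and summarise."""
    throttle = ResetNotificationThrottle()
    delivered = sum(throttle.handle_request(acct, ts) for ts, acct in events)
    return {"delivered": delivered, "suppressed": len(events) - delivered,
            "alerts": throttle.alerts}


# Constructed sample: one account hit with 100 reset requests over ten minutes,
# plus an unrelated user who legitimately asks once.
SAMPLE_EVENTS = [(t * 6, "victim@example.invalid") for t in range(100)]
SAMPLE_EVENTS.append((300, "other@example.invalid"))

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))  # 4 delivered, 97 suppressed, one alert
```

Requests beyond the cap are still accepted (so the attacker learns nothing from the response) but no longer reach the victim’s devices, which removes the fatigue pressure the follow-up phone call relies on.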
Next, the user receives a follow-up phone call from “Apple Support” (spoofed so that it appears to come from Apple’s own support number, 1-800-275-2273), telling them that their account is under attack and that they need to verify a one-time code. Once the attackers receive this code, they can reset the password and take over the Apple ID.
Another user reports receiving a similar alert on their Apple Watch that was suspicious enough for them to activate their Apple ID recovery key, which is a “randomly generated 28-character code that helps improve the security of your Apple ID account by giving you more control over resetting your password to regain access to your account.” However, while a recovery key should make it difficult for attackers to change your Apple ID password, it won’t stop the notifications from arriving.
Until Apple responds with a fix, the best you can do to stop the attack is to repeatedly dismiss or tap “Don’t Allow” on any password reset notification that you did not initiate. And as always, never give anyone a two-factor code, even if they claim to be from Apple.