Reports have emerged of numerous Apple iPhone users encountering several system-level password reset requests, signaling a potentially widespread phishing campaign known as ‘MFA Bombing’. These requests can stop users from using their phones until they deal with each one.
Kerbs on Security’s recent blog post sheds light on this alarming trend, suggesting that a flaw in Apple’s password reset mechanism could be exploited to bombard users with reset prompts. If users mistakenly click ‘Allow’ or reject all reset requests, scammers may resort to calling, posing as Apple’s official support team.
Impersonating genuine Apple representatives, these fraudsters deceive users into believing their accounts are compromised, requesting a one-time verification code. If provided, it grants the scammers access to log out of all Apple devices and potentially wipe them remotely.
As per an investigation conducted by KrebsOnSecurity, the attackers bypass the system’s intended security measures by exploiting Apple’s forgotten Apple ID password page. Even though CAPTCHA is in place, attackers can flood users with numerous messages, possibly exploiting a vulnerability in Apple’s system.
Parth Patel, sharing his experience on X, revealed how scammers, despite providing accurate personal details, exposed their ruse by addressing him as ‘Anthony S.’ The scammers requested him to disclose a one-time code, which he promptly refused. Instead, he asked the fraudulent Apple representative to confirm personal details such as his past address, current address, phone number, date of birth, and email.
Given the intrusive nature of the phishing attack, it is important to adopt measures to mitigate the risks of getting scammed. Users are advised to consistently reject system-level password reset requests by selecting ‘Don’t Allow’ whenever prompted, as there is currently no alternative recourse. Should users permit access and receive requests for a verification code over the phone, exercising caution is paramount.
Additionally, it’s important to note that genuine Apple representatives will never ask users for personal information to verify their identity. If someone on the phone does ask for such details, they are likely impersonating an official Apple support agent.
Alert! #Apple Users Targeted With Fake Password Reset Requestshttps://t.co/AvTnz8x96g
— TIMES NOW (@TimesNow) March 28, 2024
Another proactive measure to safeguard against such attacks is to activate the ‘Apple Recovery Key’ feature. This option utilizes a lengthy passcode, making it difficult for attackers to reset your Apple account password.
By being aware and following these precautionary measures, Apple users can strengthen their defenses against the risks of ‘MFA Bombing’ and safeguard their digital assets from malicious exploitation.