PSA: Some Apple users are being spammed with password reset notifications in an attack known as "MFA Bombing"
- by autobot
- March 29, 2024
Some Apple users are being targeted in an elaborate phishing attack that's been dubbed "MFA Bombing", which takes advantage of a bug in Apple's password reset mechanism and the fact that most people are impatient and careless. The attack goes like this. A user being targeted will be spammed with password reset notifications on their Apple devices. On an iPhone, you might see a notification like the one pictured in the source article, which also says "Use this iPhone to reset your Apple ID password." To dismiss the notifications, the user has to go into each and every one of them and deny the request by tapping "Don't Allow."

One user reported that he was recently the target of such an attack and received as many as 100 such notifications:

> Last night, I was targeted for a sophisticated phishing attack on my Apple ID.
>
> This was a high-effort, concentrated attempt at me.
>
> Other founders are being targeted by the same group/attack, so I'm sharing what happened for visibility.
>
> Here's how it went down:

The idea is to frustrate the user in the hope that they slip up and accidentally hit "Allow" instead of "Don't Allow." If this doesn't work, the attacker might then call the user, posing as Apple Support. During this call, the attacker will attempt to get the user to reveal a one-time password, which can then be used by the attacker to reset the user's Apple ID password and lock the user out of their account and devices.

It appears that the attack relies on nothing more than the email address and phone number associated with the user's Apple ID. According to KrebsOnSecurity, the prompts are triggered through Apple's own password reset flow, which requires a user's Apple ID email and phone number. Once those are filled in, the notification alert described above is sent to the user's devices. That said, it is unclear at this point how attackers are abusing the system to spam a user with multiple notifications. A bug is likely being exploited.

Unfortunately, there's no fix for this right now. If you do find yourself being targeted in this attack, keep tapping "Don't Allow" on every prompt, however many arrive, and never tap "Allow." And if you do receive a call claiming to be from Apple Support, know that Apple does not initiate outbound calls to customers unless a customer specifically requests to be contacted. Furthermore, Apple will never ask a customer for one-time password reset codes.
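The defensive side of the story is the check a reset endpoint should apply and that a SOC can run over its own logs: a storm of reset prompts aimed at one account is what the attack looks like from the server. The example below is added here and is not Apple's code or anything from the source article. It assumes a hypothetical log line format (`reset_prompt_sent account=... src=...`), constructed sample lines, and an assumed policy of at most three prompts per account per ten-minute window; the same sliding-window limiter is used both as the gate an endpoint would consult before sending a prompt and as a detector that replays historical log lines.

```python
"""Sliding-window limiter/detector for password-reset prompt storms.

Added illustration only (not Apple's implementation). The log format,
the account names, the source IPs and the policy numbers are assumptions
made up for this demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy, not Apple's: more than MAX_PROMPTS reset prompts for one
# account inside WINDOW is treated as a prompt storm.
WINDOW = timedelta(minutes=10)
MAX_PROMPTS = 3

# Constructed sample log lines for the demo. 'victim' receives five prompts
# in thirty seconds from two source addresses; 'alice' gets two, forty
# minutes apart, which is normal behaviour.
SAMPLE_LOG = """\
2024-03-28T23:00:00Z reset_prompt_sent account=alice@example.com src=198.51.100.7
2024-03-28T23:01:02Z reset_prompt_sent account=victim@example.com src=203.0.113.5
2024-03-28T23:01:09Z reset_prompt_sent account=victim@example.com src=203.0.113.5
2024-03-28T23:01:15Z reset_prompt_sent account=victim@example.com src=203.0.113.9
2024-03-28T23:01:21Z reset_prompt_sent account=victim@example.com src=203.0.113.5
2024-03-28T23:01:30Z reset_prompt_sent account=victim@example.com src=203.0.113.9
2024-03-28T23:40:00Z reset_prompt_sent account=alice@example.com src=198.51.100.7
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one '<ts> reset_prompt_sent k=v ...' line; None for anything else."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "reset_prompt_sent":
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return {"ts": ts, "account": fields.get("account"), "src": fields.get("src")}


class ResetRateLimiter:
    """Per-account sliding window: allow() says whether one more prompt may be sent now."""

    def __init__(self, window: timedelta = WINDOW, max_prompts: int = MAX_PROMPTS):
        self.window = window
        self.max_prompts = max_prompts
        self._sent = defaultdict(deque)  # account -> timestamps of prompts sent

    def allow(self, account: str, now: datetime) -> bool:
        q = self._sent[account]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_prompts:
            return False  # budget exhausted: do not push another prompt
        q.append(now)
        return True


def detect_storms(log: str, window: timedelta = WINDOW, max_prompts: int = MAX_PROMPTS) -> dict:
    """Replay log lines through the limiter.

    Returns {account: {"blocked": n, "sources": [ips]}} for every account
    whose prompts would have exceeded the policy, i.e. the accounts under
    a prompt storm. Accounts within policy are absent from the result.
    """
    limiter = ResetRateLimiter(window, max_prompts)
    hits = defaultdict(lambda: {"blocked": 0, "sources": set()})
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if not limiter.allow(ev["account"], ev["ts"]):
            hits[ev["account"]]["blocked"] += 1
            hits[ev["account"]]["sources"].add(ev["src"])
    return {a: {"blocked": v["blocked"], "sources": sorted(v["sources"])} for a, v in hits.items()}


if __name__ == "__main__":
    for account, info in detect_storms(SAMPLE_LOG).items():
        print(f"prompt storm against {account}: {info['blocked']} prompts over budget, "
              f"sources {', '.join(info['sources'])}")
```

Keying the window on the target account rather than the source address matters here: the attacker controls the source and can rotate it, but the victim's Apple ID is fixed, so a per-account budget is what actually caps the number of prompts the phone ever sees.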