If you're getting dozens of password reset notifications, you're being attacked
Apple users are being targeted by a new wave of phishing attacks, dubbed "MFA Bombing," that relies on user impatience and an apparent bug in Apple's password reset mechanism.

An example of the Apple ID password reset notification
Phishing attacks usually rely on the victim handing information to an attacker, or approving something on their account, in response to an email, text message, or other message. A recently discovered phishing attack takes a new route to the same end: it abuses Apple's own password reset system.
Dubbed "MFA Bombing," "MFA Fatigue," or "Push Bombing," the attack detailed by Krebs on Security is an elaborate phishing campaign that appears to revolve around a bug in the password reset feature, which lets an attacker trigger the reset prompt over and over. Victims are inundated by "Reset Password" notifications, including the text "Use this iPhone to reset your Apple ID password," with the options to allow or reject the request.
This notification is genuine. It is usually displayed once to the user when they attempt to reset their Apple ID password, as a form of multi-factor authentication on an iPhone, Mac, iPad, or Apple Watch.
The attack works by bombarding the target with so many notifications that the user either taps Allow by mistake instead of Don't Allow, or taps Allow out of sheer annoyance to make the deluge stop.
Either way, selecting Allow lets the attacker reset the Apple ID password and take over the account.
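What the missing control appears to be on the service side, as an added example that is not Apple's code and assumes nothing about how Apple's reset service is actually built: a per-account sliding-window cap on reset pushes, with a lockout once the cap is hit, run over constructed log lines. The log format, field names and policy values (three pushes per hour, then a one-day lockout) are assumptions made for this example. Three pushes go out, the fourth trips the limiter and flags the account, further requests during the lockout are dropped, and the same account can recover normally once the lockout expires.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample log, not real Apple telemetry: one line per request that
# would cause a "Reset Password" push to be sent to the account's trusted devices.
# The field names are assumptions made for this example.
SAMPLE_LOG = """\
2024-03-26T02:14:01Z reset_push_requested account=alice@example.com ip=203.0.113.5
2024-03-26T02:14:09Z reset_push_requested account=alice@example.com ip=203.0.113.5
2024-03-26T02:14:20Z reset_push_requested account=alice@example.com ip=203.0.113.5
2024-03-26T02:14:31Z reset_push_requested account=alice@example.com ip=203.0.113.5
2024-03-26T02:15:02Z reset_push_requested account=alice@example.com ip=203.0.113.5
2024-03-26T09:00:00Z reset_push_requested account=bob@example.com ip=198.51.100.7
2024-03-27T03:00:00Z reset_push_requested account=alice@example.com ip=192.0.2.44
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) reset_push_requested account=(?P<account>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Turn log lines into (unix_seconds, account, ip) tuples; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((int(ts.timestamp()), m["account"], m["ip"]))
    return events


@dataclass
class ResetPushLimiter:
    """Sliding-window cap on reset pushes per account, plus a lockout once the cap is hit.

    The policy values are illustrative assumptions, not Apple's."""
    window: int = 3600          # count pushes over the last hour
    max_pushes: int = 3         # at most three pushes per account per window
    lockout: int = 24 * 3600    # after the cap trips, send nothing for a day
    _sent: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict = field(default_factory=dict)

    def request_push(self, now, account):
        """Decide whether a push may be sent right now. Returns (decision, reason)."""
        if self._locked_until.get(account, 0) > now:
            return "BLOCK", "account in reset lockout"
        recent = self._sent[account]
        while recent and now - recent[0] >= self.window:   # forget pushes outside the window
            recent.popleft()
        if len(recent) >= self.max_pushes:
            self._locked_until[account] = now + self.lockout
            return "BLOCK", "push bombing suspected"
        recent.append(now)
        return "SEND", "ok"


def replay(events, limiter=None):
    """Run time-ordered events through the limiter; returns (ts, account, decision, reason) per event."""
    limiter = limiter or ResetPushLimiter()
    return [(ts, account, *limiter.request_push(ts, account)) for ts, account, _ip in events]


def bombed_accounts(decisions):
    """Accounts that tripped the limiter, i.e. candidates for a warning to the user and a SOC alert."""
    return sorted({account for _ts, account, _decision, reason in decisions
                   if reason == "push bombing suspected"})


if __name__ == "__main__":
    decisions = replay(parse_log(SAMPLE_LOG))
    for ts, account, decision, reason in decisions:
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        print(f"{when} {account:20} {decision:5} {reason}")
    print("flagged:", bombed_accounts(decisions))
```

The limiter keys on the target account rather than on the requesting IP, because the attacker chooses the source address and the victim's device is what gets flooded. A legitimate user still gets three reset prompts an hour, which is more than the standard flow ever needs, and the lockout is the point at which a real service would warn the account holder through a separate channel and raise an alert rather than silently dropping requests.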
Notifications, then calls
If the sheer number of notifications doesn't work for the attackers, a second phase can occur, if they know the target's phone number.
The victim is then called by the attackers, posing as Apple Support, with the calling number spoofed to display Apple's actual customer support number. Caller ID is not authentication and is trivial to spoof, but after an unusual run of notifications that looks like a bug, an unwary victim may well believe the caller is genuinely from Apple.
Last night, I was targeted for a sophisticated phishing attack on my Apple ID.
This was a high effort concentrated attempt at me.
Other founders are being targeted by the same group/attack, so I'm sharing what happened for visibility.
Here's how it went down: -- Parth (@parth220_)
Victims are then asked to verify their information, with the attacker reading back details pulled from people-search websites and similar data sources to "confirm" the account, all to appear more convincing.
Once the victim believes the caller is Apple Support, the attacker triggers an Apple ID reset code to be sent to the victim and asks them to read the one-time code back to the "support agent." Again, this lets the attacker reset the account password and lock the user out.
Not easily avoided
One Apple user who was hit by the notifications over several days, and was concerned about how easily they could have granted an attacker access, contacted the genuine Apple Support and was escalated to a senior Apple engineer.
The engineer advised that enabling an Apple Recovery Key would prevent an attacker from using the standard account recovery process. Enabling it generates a 28-character code that is then required for account recovery.
However, despite having it enabled on their account, the password reset notifications continued to flow: the Recovery Key changes what an accepted prompt can achieve, but it does not stop the prompts from arriving.
Apple did not respond to Krebs' requests for comment about the issue.
It is unknown whether Apple actually knows about the possible notification bug in the password recovery system. However, it has previously dealt with a similar notification issue.
In 2019, an exploit called "AirDoS" allowed an attacker to constantly spam nearby iOS devices with a prompt to share a file via AirDrop. The issue was fixed in iOS 13.3, four months after its discovery, with Apple adding stricter rate limiting to AirDrop requests.
How to protect yourself from MFA Bombing
Apple users facing such an attack have a few ways to ward it off, but at the time of writing the notifications themselves cannot be stopped.
Victims have to be vigilant and select "Don't Allow" every single time the prompt appears.
If the attackers call and press for the code, hang up and call Apple back yourself on the official Apple support number; never act on an inbound call, since the number on the display can be spoofed. Apple also will not provide customer information over the phone as a form of verification, which is another indicator that the caller isn't genuine.
Enabling the Apple Recovery Key is a more extreme option that helps ensure the account password reset cannot be performed by an attacker. It does require you to hold onto a lengthy code to perform the reset yourself in the future, and losing that code can cost you access to the account, so store it somewhere safe. As the notification for it says, the code shouldn't be provided to anybody, even on request.

Comments
Not just Apple of course. Google sent me a notification that someone was claiming ownership of my web domain, and they wanted to confirm the transfer before doing anything.
I also suggest this advice for emails. The only time I click on account links in an email is if I've explicitly just requested it from the account. Otherwise, when they send me something, I will go to my app or Favorited URL. If the info isn't in my account it's not real.
On a similar topic, I’ve been struggling to find a way to filter out Apple mail messages based on spoofed sender identifiers that follow a similar pattern, like “PayPal ©”. I’ve been getting numerous emails that follow this pattern, mostly for subscriptions I don’t even have but some I do. Using Apple Mail’s filtering feature is of no avail since the “From” filter doesn’t interpret the spoofed identifier but uses the hidden sender address, which is a randomized address. Sure, I can simply Block each one individually, but I’d like to have a bigger hammer to crush all emails that follow a pattern in the spoofed identifier. I already have hundreds of Blocked senders. To add insult to injury the message content in these phishing emails is one big image that contains a single link to the phisherman’s nefarious website. These images all contain what looks like text, but it’s just an image of text so you can’t filter based on the text either. I know Apple can pull text out of images, but that functionality isn’t part of Apple Mail or the filtering mechanism.
This never ending game of whack-a-mole is getting tiresome.
After becoming aware of this update, which can only be done via a cable connection to your Mac, and consulting a few others in the field, I decided to apply it. On connecting my iPhone 13 Pro Max, currently running 17.4.1, to my M1 MBP and checking for updates, there was indeed an update.
I dutifully clicked "Update" and the download commenced. On completion of the download, installation began and proceeded roughly halfway before I received a Notification:
The problem with this was that the only option offered was to click "OK", resulting in: "There is a problem with the iPhone "iPhone", which requires it to be updated or restored." And in the resulting dialogue I get: "The iPhone "iPhone" could not be restored. An unknown error occurred (9)."
This put me into a loop. Ejecting the iPhone resulted in DFU mode, and reconnecting it put me back to "There is a problem with the iPhone "iPhone", which requires it to be updated or restored." Note the iPhone is now called "iPhone", not "Rod's iPhone 13 Pro Max".
The only way I was able to get out of this was to employ a third party app that I had previously used to backup my iPhone and I was able to restore it using that.
So maybe I was just unlucky; a number of other people I've spoken to have successfully applied this "revision", although they all note it took an inordinately long time.
My point is, until this revision is released as an OTA (Over The Air) update I advise caution using it. I nearly "bricked" my iPhone and I wouldn't want others to suffer the same fate.
In the meantime, as regards the MFA bombing attack, you can always simply decline the offer to change your password, as per this article on 9to5Mac:
https://9to5mac.com/2024/03/28/protect-against-iphone-password-reset-attacks/