Some Apple users have reported phishing attacks using the password reset feature.
You notice a system prompt on your iPhone about your password. You click “Don’t allow.” Then it happens again and again, one after the other. At some point, you might get annoyed or start to panic and click “Allow.”
Then, you get a phone call with an “Apple rep” to help you reset your password, but when they confirm your information, you notice that they got your name wrong. That’s exactly what happened to one man who was lucky enough to notice the charade before it was too late.
If he hadn’t figured out something was off, he would’ve been locked from his account while the attackers got to all his personal information. This is the goal of this new mode of phishing attack called MFA bombing or push bombing.
What is MFA bombing
MFA bombing or push bombing is a new phishing technique that reveals a sophisticated evolution in tactics–it exploits both technological vulnerabilities and human psychology.
The attackers bomb the system with prompts, flooding the user’s device until they feel “notification fatigue.” Once overwhelmed, the victim is more likely to mistakenly approve a malicious request.
How does it affect Apple users
Following the burst of prompts, the user receives a phone call from someone claiming to be from Apple Support. The phone number displayed may be spoofed to appear as Apple's official support number, adding a layer of perceived legitimacy to the call.
During this call, the “Apple rep” will inform the user that their account is under attack or at risk, feeding into the user's sense of urgency and fear. Then, they’ll go for the phishing pitch. The attackers will claim that to secure the account, they need to "verify" the user's identity or account status using a one-time password that Apple has supposedly sent to the user's device.
If convinced, the user may provide the one-time password to the caller. This password is a critical piece of information that, under normal circumstances, is used to confirm the identity of the account holder during a legitimate password reset or account unlock process.
Once the attacker obtains the one-time password, they can complete the password reset process. This would effectively lock out the legitimate user while the attackers access the user's Apple ID and linked services.
How to protect your devices
To defend against such attacks, it's crucial to:
- Remember to click “Don’t allow” to prompts you didn’t request. If you notice these keep coming up, report them.
- Be skeptical of unsolicited calls asking for sensitive information, even if they seem to come from a legitimate source.
- Always verify the identity of the person you're speaking with. If something feels off, hang up and call an official support number found on the company’s website.
- Use additional verification steps, like setting up a recovery key as suggested by Apple, to add additional layers of security to your account.
Measures to mitigate phishing attacks
As attackers refine their strategies, the industry must continually adapt its defenses. To subdue these types of attacks, tech companies need to review their system design, restricting the number of password requests one can make.
Also, continually sharing information about such threats and effective countermeasures across the industry are vital for staying ahead of attackers. Addressing these issues as soon as they arise makes a real difference–both users and tech providers need to report them.
Adapting our defenses
While the specific vulnerabilities and attack methodologies may change, we must keep working to get the upper hand. It’s essential to continually improve systems, report what’s happening, and implement strong security measures.