iPhone users are somewhat accustomed to the occasional Apple ID password prompt on their iPhones, but a new phishing attack might have them thinking twice before mindlessly inputting their most valuable password. As outlined by Krebs on Security, Apple customers are being targeted in a “push bombing” or “MFA fatigue” phishing campaign in which attackers repeatedly trigger two-factor authentication notifications on Apple devices.
As documented in a Twitter/X thread by Parth Patel, all of his Apple devices started “blowing up” with push notifications telling him to reset his Apple ID password. In all, he said he had to clear some 100 notifications before the attack ended. While Patel knew better than to fall for the notification, other Apple users might not be so lucky, especially when their devices are bombarded with requests.
The notifications look real because they are real. The attackers seem to be exploiting “a bug in Apple’s systems” that sends legitimate notifications to every Apple device logged into an Apple ID whenever someone tries to reset that account’s password via Apple’s “Forgot Password?” page. The unsophisticated attack doesn’t appear to require much more than the target’s phone number and email address, and Apple’s system appears to let someone request a password reset over and over, on the assumption that the victim will eventually tap “Allow” on one of them.
The user then receives a follow-up phone call from “Apple support” (spoofed so that caller ID shows Apple’s own support number, 1-800-275-2273), telling them that their account is under attack and that they need to read back a one-time code. That call is where the actual compromise happens: the flood of reset prompts is the pretext, and the code is what lets the attacker finish the password reset they themselves started, at which point they can change your password and break into your Apple ID.
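The control whose absence the paragraph above describes is a per-account cap on how many reset prompts can be triggered in a given window, together with a way for a security team to spot such a burst after the fact. The Python below is an added illustration of both, written for this page; it is not Apple’s code, and the limits, account names, IP addresses and log format are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Assumed parameters for the illustration, not Apple's actual limits.
WINDOW_SECONDS = 3600      # look-back window for counting reset requests
MAX_RESETS_PER_WINDOW = 3  # "Forgot Password?" requests allowed per account per window


class ResetRateLimiter:
    """Sliding-window counter of password-reset requests per account.

    request_reset() records the request and decides whether a reset prompt may be
    pushed to the account's devices. Past the threshold the request is refused and
    the account is flagged, so one attacker cannot flood a victim with prompts.
    """

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_RESETS_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._events = defaultdict(deque)  # account -> timestamps of recent requests
        self.flagged = set()               # accounts that hit the limit

    def _prune(self, account, now):
        # Drop timestamps that have aged out of the window.
        q = self._events[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def request_reset(self, account, now):
        """Return True if a reset prompt may be sent, False if it must be refused."""
        self._prune(account, now)
        q = self._events[account]
        if len(q) >= self.limit:
            self.flagged.add(account)
            return False
        q.append(now)
        return True


def simulate_push_bombing(limiter, account, attempts, interval=1.0, start=0.0):
    """Replay `attempts` reset requests `interval` seconds apart; return (sent, refused)."""
    sent = refused = 0
    for i in range(attempts):
        if limiter.request_reset(account, start + i * interval):
            sent += 1
        else:
            refused += 1
    return sent, refused


# Constructed log lines in a made-up "<iso-timestamp> <event> key=value ..." format.
SAMPLE_LOG = [
    "2024-03-26T10:00:00Z reset_requested account=victim@example.com src=203.0.113.5",
    "2024-03-26T10:00:07Z reset_requested account=victim@example.com src=203.0.113.5",
    "2024-03-26T10:00:15Z reset_requested account=victim@example.com src=203.0.113.5",
    "2024-03-26T10:00:21Z login_ok account=alice@example.com src=198.51.100.9",
    "2024-03-26T10:00:30Z reset_requested account=victim@example.com src=203.0.113.5",
    "2024-03-26T10:00:42Z reset_requested account=victim@example.com src=203.0.113.5",
    "2024-03-26T10:00:55Z reset_requested account=victim@example.com src=203.0.113.5",
    "2024-03-26T10:20:00Z reset_requested account=alice@example.com src=198.51.100.9",
]


def detect_bursts(log_lines, window=300, threshold=5):
    """Return {account: peak_count} for accounts that saw at least `threshold`
    reset requests inside any `window`-second span of the log."""
    per_account = defaultdict(list)
    for line in log_lines:
        ts_str, event, *fields = line.split()
        if event != "reset_requested":
            continue
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00")).timestamp()
        per_account[kv["account"]].append(ts)

    suspects = {}
    for account, times in per_account.items():
        times.sort()
        recent = deque()
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            suspects[account] = peak
    return suspects


if __name__ == "__main__":
    limiter = ResetRateLimiter()
    print("100-request flood ->", simulate_push_bombing(limiter, "victim@example.com", 100))
    print("bursts in sample log ->", detect_bursts(SAMPLE_LOG))
```

The limiter refuses everything after the third request in an hour, so a 100-request flood yields three prompts and 97 refusals, and the account reappears in `flagged` for follow-up. The log scan is the same sliding window applied in reverse, useful for hunting for bombing campaigns in reset-request logs after the fact.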
A separate user reported getting a similar alert on his Apple Watch that was suspicious enough for him to turn on his Apple ID’s recovery key, which is a “randomly generated 28-character code that helps improve the security of your Apple ID account by giving you more control over resetting your password to regain access to your account.” However, while a recovery key should make it difficult for the attackers to change your Apple ID password, it won’t stop the notifications from coming in.
Until Apple responds with a fix, the best you can do to stop the attack is to repeatedly cancel or tap “Don’t Allow” on any password reset notifications that you didn’t initiate. And as always, never give someone a two-factor or one-time code, even if they say they’re from Apple. Caller ID proves nothing, as the spoofed 1-800-275-2273 calls show; if you want to check whether the call was genuine, hang up and call Apple yourself using the number on Apple’s own site.