iPhone Users Targeted with MFA Bombing Attacks – Don’t Tap ‘Allow!’

A sophisticated phishing campaign targeting iPhone users has emerged in recent months, signaling what appears to be a weakness in Apple’s password-reset mechanism – one that may need addressing.

Entrepreneur Parth Patel created a thread on X to share an interesting, albeit unsettling, story about his run-in with hackers.

Using publicly available information on Patel, the attackers bombarded his Apple devices with password-reset prompts – in what infosec aficionados call “push bombing” or “MFA fatigue.”

iPhone system prompts prevent the person from actually using the device – unless the prompt is dealt with, either by approving or dismissing it. In this instance, the attackers issued endless prompts, seconds apart, forcing Patel to dismiss the dialog over a hundred times.

Credit: Parth Patel (@parth220_)

“All of my devices started blowing up, my watch, laptop and phone,” Patel told KrebsOnSecurity. “It was like this system notification from Apple to approve [a reset of the account password], but I couldn’t do anything else with my phone. I had to go through and decline like 100-plus notifications.”

Credit: Parth Patel (@parth220_)

Then they followed up with a call spoofing Apple Support’s number.

“I pick up the phone and I’m super suspicious,” Patel said. “So I ask them if they can verify some information about me, and after hearing some aggressive typing on his end he gives me all this information about me and it’s totally accurate.”

The attackers had doxxed Patel using a people-search website called PeopleDataLabs. Patel was vigilant and kept asking the phishers to validate his data – which they did, for the most part, but not his actual name. The reason was PeopleDataLabs had uniquely and consistently listed an inaccurate name as an alias on his consumer profile, according to security journalist and investigator Brian Krebs.

“For some reason, PeopleDataLabs has three profiles that come up when you search for my info, and two of them are mine but one is an elementary school teacher from the midwest,” Patel said. “I asked them to verify my name and they said Anthony.”

Krebs looked into the matter and found an actual campaign going on, targeting various people with this exact type of attack. One victim allegedly even bought a new iPhone and created a new Apple account but still got attacked – while at the Apple store no less. It appears that, whatever the phishers are abusing to do their deed, it requires finding the victim’s phone number on file for that Apple account.

While there’s no immediately clear way to combat this campaign, iPhone users should always watch out for unsolicited password-reset prompts or phone calls purportedlty from Apple Support. As Apple itself advises, “If you get an unsolicited or suspicious phone call from someone claiming to be from Apple or Apple Support, just hang up.”

As some commenters on Patel’s thread have vocalized, this seems to be a weakness in dire need of Apple’s attention. After all, it’s all too easy to:

·      Accidentally tap allow/approve

·      Grow tired of not being able to use your device

·      Believe it’s Apple urging you to change your password for security reasons…

…and the list goes on.

In any case, hitting ‘allow’ gives attackers a window of opportunity to take over your account and:

·      Impersonate you and potentially send malicious messages or emails to your contacts or use your identity for fraud or Ask for a Loan schemes

·      Make purchases using your stored payment methods

·      Access your photos, videos, documents, and other data stored in your iCloud account

·      Remotely wipe the devices associated with your Apple account…

… and more.

So be wary of unsolicited prompts to reset your password, messages demanding that you provide personal data, or unsolicited SMSes containing one-time authentication codes. When in doubt, contact Apple Support yourself, even if you have to use a different phone, and demand clarifications.

Always keep your software updated, as most updates from Apple include important security patches that keep motivated attackers at bay. For peace of mind, consider using a dedicated security solution on all your personal devices.

Bitdefender Digital Identity Protection scans the web for unauthorized leaks of your personal data and helps you take preemptive measures before disaster strikes.