A sophisticated phishing campaign is targeting Apple device owners in an alarming new way – by exploiting what appears to be a vulnerability in the company’s password reset mechanism.

The multi-factor authentication (MFA) “bombing” attack inundates victims’ iPhones, Apple Watches, and Macs with a torrent of password change approval requests, rendering their devices essentially unusable. If users inadvertently allow one of these prompts, the attackers can hijack their Apple accounts.

This insidious scheme’s combination of technical exploitation and social engineering highlights how something as benign as a password recovery feature can be weaponized.

A Relentless Password Reset Request Scheme

The onslaught begins with a flurry of system notifications across all Apple devices owned by the target. These prompts ask for approval to reset the Apple ID password and they keep coming in rapid succession – in some cases over 100 within minutes according to victims.

Because the requests are at a system level, dismissing them is the only way to temporarily regain device access.

Entrepreneur Parth Patel documented his recent experience being bombarded in this “push bombing” attack, as the security world calls it. His iPhone, Apple Watch, and laptop were essentially frozen by the unending password prompts.

 

“All of my devices started blowing up… It was like this system notification from Apple to approve [a reset],” Patel told KrebsOnSecurity. “I had to go through and decline like 100-plus notifications.”

The barrage seems designed to frustrate victims into simply tapping “Allow” at some point, giving control to the attackers. However, even the most stubborn dismissal efforts don’t seem to put an end to the attack.

Impersonating the Mothership

After enduring the push notification deluge, some victims then receive calls from numbers displaying as Apple’s real customer support line. The callers, impersonating Apple staff, claim that the user’s account was compromised and they need to “verify” the reset with a one-time code. Note that you should never trust a caller based solely on the number they are calling from as they can be easily ‘spoofed’ to trick you.

Patel was suspicious when his phone showed Apple’s 1-800 support number. He interrogated the caller, who surprisingly revealed accurate personal details obtained from data brokers like PeopleDataLabs. The fake rep slipped up referencing an incorrect name, tipping Patel that this was a phishing attempt.

“After hearing some aggressive typing on his end he gives me all this information about me and it’s totally accurate”, with the only exception of his real name, said Patel.

The goal is convincing the victim to read out the password reset code sent in an automated message by Apple. With that brief code, attackers can seize full account control from anywhere.

Exploiting Password Reset Design?

Security researchers believe that the paralyzing push notification blasts could be abusing an Apple design flaw. When users request an account password reset at iforgot.apple.com, the site asks for their email and a CAPTCHA, then shares the phone number’s last two digits.

apple users receive push notification in ellaborate phishing attack

Completing the remaining digits and submitting triggers a notification across all associated devices.

The system seemingly lacks protection preventing repeated and malicious requests from flooding victims. By simply exploiting the password reset process, criminals can overwhelm users without additional hacking needed.

“I think this could be a legit Apple rate limit bug that should be reported”, said researcher Kishan Bagaria, who found a similar Apple (AAPL) vulnerability in 2019.

The phone call impersonation is a concerning escalation as well. Many may be fooled to give the attackers accurate personal intel and spoofing abilities. As Apple itself warns, the company will never make these types of calls without reason to ask for passwords or codes.

Who Are the Attackers?

The specific group behind this MFA bombing wave is unclear. However, the complex, multi-pronged approach suggests that they are skilled cybercriminals with ample resources and not just opportunistic scammers.

Obtaining personal data from brokers allows hackers to build detailed target profiles to craft convincing pretexts. The concerted push notification spamming may betray technical knowledge to exploit platform vulnerabilities. Meanwhile, the voice phishing attempt, also known as “vishing,” through sophisticated caller ID spoofing is a well-honed technique among criminal groups.

Some high-profile victims speculate that the attackers may be tied to shady data vendors like PeopleDataLabs, seeking account passwords to fuel their lucrative businesses. However, their motive could simply be financial fraud via account takeovers against wealthy individuals and businesses who rely heavily on Apple’s services.

Also read: Phishing 101: How It Works & What to Look For

While the exact identity of the attackers remains unknown, their level of sophistication points to an experienced criminal operation rather than a one-off scammer.

6 Steps to Protect Yourself

apple device asked for one time code

Staying vigilant and skeptical is paramount amidst this advanced operation exploiting trust in legitimate companies like Apple. Experts recommend the following defensive measures if you are targeted by this or other similar schemes:

  1. Never share one-time passwords or authentication codes with anyone over the phone, no matter how convincing the caller sounds. Apple has stated clearly that it will never request these from customers.
  2. If hit by system password prompts that you didn’t initiate yourself, do not give in and tap “Allow”. If you’re hit with a barrage of attempts, just keep dismissing them patiently or try to ignore them entirely.
  3. Consider changing the phone number associated with your Apple ID to a Google Voice or other VoIP line that’s not publicly known. This could disrupt the attack flow that seems to rely on accurate mobile numbers.
  4. Create unique email aliases for different online accounts with a + extension ([email protected]). This allows tracking which alias was compromised if targeted.
  5. Use a trusted password manager to enable stronger and unique credentials for all accounts. Protect your Apple ID credentials like you would for online banking.
  6. Limit the exposure of your personal information by opting out of data broker sites that sell user profiles. The less available data there is about you, the harder you are to phish convincingly.

Apple’s Response Needed

While vigilance is key, the burden ultimately falls on Apple to resolve what appears to be a fundamental security gap. Even enabling advanced account protections like a Recovery Key failed to stop the oppressive notifications in some reported cases.

Apple did not respond to requests for comment from KrebsOnSecurity regarding the suspected vulnerability. However, rate limiting or requiring additional verification for repeated password reset requests seems like an obvious defense that the company should immediately adopt.

As our digital identities become more exposed to the systems owned by tech giants like Apple IDs, Google accounts, and others, their security can never be taken for granted. Any intervention during an authentication process like password resets carries the outsized risk of enabling full account takeovers from bad actors.

The rise of targeted, multi-vector MFA bombing highlights the need for constant vigilance and scrutiny of core platform mechanisms by both companies and individuals. Otherwise, even well-intentioned recovery features could be an open door for relentless attackers.