According to KrebsOnSecurity, Apple customers are being targeted in a series of elaborate phishing attacks leveraging what seems to be a bug in the company's password reset feature. Victims report an onslaught of system-level prompts on their Apple devices, asking them to allow or deny password reset requests. These prompts render the devices unusable until the user responds to each one.
Entrepreneur Parth Patel, who is building a startup in the conversational AI space, shared his experience on Twitter/X, describing the attack as a "push bombing" or "MFA fatigue" attack. "All of my devices started blowing up, my watch, laptop, and phone," Patel told KrebsOnSecurity. "It was like this system notification from Apple to approve [a reset of the account password], but I couldn't do anything else with my phone. I had to go through and decline like 100-plus notifications."
After denying the password reset prompts, Patel received a call from a person claiming to be from Apple Support, who provided accurate personal information, except for his real name. The caller used a name Patel had only seen in background reports about him, suggesting the attackers had access to detailed personal data.
Cryptocurrency hedge fund owner Chris, who preferred to keep his last name private, faced a similar attack. After receiving numerous reset notifications and a suspicious call from "Apple Support," Chris took drastic measures, changing his passwords and purchasing a new iPhone, only to keep receiving the alerts, even while standing at the Apple Genius Bar.
Security industry veteran Ken reported being woken up at 12:30 a.m. by an alert on his Apple Watch. Concerned about the potential for accidental approval of malicious requests, Ken contacted Apple support and was advised to enable an Apple Recovery Key to halt the notifications. However, this measure proved ineffective.
Michael Covington, VP of Portfolio Strategy at Jamf, commented on the issue, stating, "MFA bombing presents a challenge to any targeted user, as they are forced to sift through a deluge of notifications with the fear of being victimized further if just one mistake is made." He emphasized that such attacks are often preceded by the compromise of the user's credentials and advised users to keep their software updated and to initiate calls to customer support themselves whenever possible.
The attacks exploit a potential bug in Apple's systems, allowing attackers to bypass rate limits on password reset requests. Apple has yet to respond to inquiries regarding the matter. This incident raises concerns about the security of multi-factor authentication systems and the need for users to remain vigilant against increasingly sophisticated phishing attempts.
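As an added illustration, not code from the article or from Apple: a server-side sliding-window limiter for password-reset prompts (the kind of rate limit the article says was bypassed) next to a detector that flags accounts hit by a burst of prompts. The class and function names and the sample events are constructed for this example.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp_seconds, account). Each event is one
# "allow/deny password reset?" prompt that would be pushed to the user's devices.
SAMPLE_EVENTS = (
    [(0, "alice"), (900, "alice")]
    + [(1800 + i * 2, "bob") for i in range(60)]   # 60 prompts in two minutes
    + [(4000, "carol")]
)


class ResetPromptLimiter:
    """Sliding-window limiter: at most max_prompts prompts per account per window seconds."""

    def __init__(self, max_prompts=3, window=3600):
        self.max_prompts = max_prompts
        self.window = window
        self._recent = defaultdict(deque)  # account -> timestamps of delivered prompts

    def allow(self, ts, account):
        q = self._recent[account]
        while q and ts - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_prompts:
            return False                        # suppressed: the devices see nothing
        q.append(ts)
        return True


def deliver(events, limiter=None):
    """Run events through the limiter; return (delivered count, {account: suppressed count})."""
    limiter = limiter or ResetPromptLimiter()
    delivered, suppressed = 0, defaultdict(int)
    for ts, account in events:
        if limiter.allow(ts, account):
            delivered += 1
        else:
            suppressed[account] += 1
    return delivered, dict(suppressed)


def flag_push_bombing(events, threshold=10, window=600):
    """Detection side: accounts pushed more than threshold prompts within window seconds."""
    _, suppressed = deliver(events, ResetPromptLimiter(threshold, window))
    return set(suppressed)
```

With the defaults, bob's 60-prompt burst yields three delivered prompts and 57 suppressed ones, and the detector flags only his account.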