Photo of Young Woman Using iPhone and Wearing iWatch
© Andrii Nekrasov/Shutterstock.com
No AI-generated content: this article is written and researched by humans
Table of contents

Threat actors are targeting Apple users in an “elaborate phishing scam” that involves sending a barrage of fake password reset prompts to their devices.

Some affected users told researcher Brain Krebs that they received a call from a fake Apple Support representative after declining the prompts. The scam is designed to get Apple users to share a one-time access code that would allow threat actors to change their passwords and hijack their accounts.

‘Push Bombing’ Attack

Imagine your phone, tablet, and computer all screaming for attention at once, urging you to click “Allow” or “Don’t Allow” over and over — for several days in some cases. This isn’t just annoying; it’s a phishing tactic to wear you down and get you to click “Allow.”

In a blog post on Tuesday, Krebs explained that it’s easy for Apple users to mistakenly approve one of these password reset prompts. But, even when victims assiduously review these notifications and decline every one of them, they receive a call from Apple’s real customer support number — presumably via caller ID spoofing.

Cryptocurrency hedge fund owner Chris told Krebs that he was getting notifications on his device for days on end, after which he received a call on his iPhone from “Apple Support.” However, it did not take long for him to realize something was off, and he hung up.

Chris said he then “called back to the real Apple,” who couldn’t confirm whether he was on a support call earlier. “They just said Apple states very clearly that it will never initiate outbound calls to customers — unless the customer requests to be contacted,” he told Krebs.

Leaked Personal Data and Apple Bug

The threat actors behind this phishing scam may be using leaked or stolen personal information to identify and target victims.

In Chris’ case, he continued to receive these push notifications even after buying a new iPhone and creating an Apple iCloud account using a different email address. Chris said he suspects the threat actors are using his phone number to target him, as that’s the only thing he didn’t change.

Another victim, Parth Patel, an entrepreneur in the AI space, said the fake Apple rep caller provided accurate personal information about him, except for his real name. He suspects the scammers got his information from a people-search website called PeopleDataLabs, where there’s a profile of him under a different name.

Multi-factor authentication (MFA) spamming or push bombing isn’t new. Threat actors used this scheme to target Microsoft Office 365 users in 2022. However, most platforms have a rate limit that determines how many notifications can be sent to users within a given timeframe.

Krebs said there might be a bug in Apple’s password reset feature that is allowing threat actors to inundate targets with password reset notifications. “I think this could be a legit Apple rate limit bug that should be reported,” security researcher Kishan Bagaria told Krebs.

How to Protect Your Device From Push Bombing Attacks

Krebs recommends taking these steps to protect your device from MFA bombing:

  • Switch to a VOIP Number: Consider using a Voice Over Internet Protocol (VOIP) number, like Google Voice, for your Apple account. It’s less likely to be tied directly to your personal info, giving you an extra layer of anonymity. However, making this switch might affect some Apple services like iMessage and Facetime.
  • Create Email Aliases: Simply add a “+” sign and a unique identifier to your email username when signing up for services. This trick makes it harder for scammers to guess your actual email address. Just remember, the key here is subtlety, so avoid obvious choices like “+apple” for your alias.

We also recommend these additional security measures:

  • Enable MFA on your Apple ID.
  • Enable a Recovery Key on your Apple device.
  • Enable FileVault on your Apple devices.
  • Learn about social engineering tactics and how to spot them.
  • Use a data removal tool, like Incogni, to wipe your personal information from the databases of data brokers and people-search sites.

For more news, follow us on X (Twitter), Threads, and Mastodon!

Leave a comment