Apple users are facing a sophisticated phishing scheme that exploits a vulnerability in the password reset function, inundating devices with a deluge of system notifications, rendering the smartphone unusable until each notification is addressed.
Entrepreneur Parth Patel fell victim to this attack and shared his ordeal on Twitter, detailing how his devices, including his hours, laptop, and phone, were bombarded with notifications regarding password change approvals.
Some of the notifications Patel received simultaneously included multiple password reset requests. Despite ignoring all reset requests from Apple, Patel received a call purportedly from Apple support, with the caller ID matching the genuine support line. However, the caller failed to provide Patel’s correct name, instead using a name associated with Patel on a search site.
The scammers’ objective is to obtain a one-time Apple ID reset code, enabling them to change the password and lock the owner out of their account, potentially wiping all data remotely from the victim’s device.
This method, known as MFA Bombing (MFA Fatigue), exploits flaws in the multi-factor authentication system, inundating the victim’s device with a constant stream of notifications. These attacks are particularly potent when the attackers possess knowledge of the phone number linked to the Apple account.
In response to the rising threat of MFA Bombing, Microsoft has begun implementing enhanced security measures, such as the MFA number verification feature, which mandates users to input numbers displayed on the screen into the authenticator app to validate system access.
Experts are urging Apple to bolster security protocols and consider implementing restrictions on the frequency of password reset requests to thwart such attacks in the future. Despite concerns raised by users regarding the safety of their personal data and devices, Apple has not issued any comments on the situation at the time of reporting.
* The social network referenced is inaccessible in the Russian Federation.