Multiple requests for Apple ID credentials are reportedly being made to Apple users who are the target of a sophisticated attack.
As reported by KrebsonSecurity, a wave of system-level messages is being sent to Apple device owners, tricking them into resetting their Apple ID password. In an attempt to deceive, an individual posing as an Apple employee will contact the target and manipulate them into surrendering their password.
Apple Users Hit by Password Reset Assault
Every Apple product that businessman Parth Patel owns, including his MacBook, Watch, and iPhone, had its password reset. A sophisticated phishing campaign appears to be underway that abuses a weakness in Apple's password reset utility.
This attack is also referred to as "Push Bombing," "MFA Fatigue," or "MFA Bombing." Victims receive a flood of "Reset Password" prompts, each reading "Use this iPhone to reset your Apple ID password," with the choice to allow or deny the request.
The attacker sends a torrent of prompts to the target, expecting that the user will either tap Allow by accident instead of Don't Allow, or become so worn down by the onslaught that they tap Allow just to make it stop.
If the victim taps Allow, the attacker can reset the Apple ID password and gain access to the account.
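From a defender's side, the push-bombing pattern described above has a distinctive shape in prompt logs: many reset prompts for one account in a short window, mostly denied, sometimes ending in a single Allow. The script below is an added example written for this page; it is not code from the article, from KrebsOnSecurity, or from Apple. The JSON-lines log format, its field names, and the sample entries are constructed for illustration, and the window and threshold values are assumptions to tune against real data.

```python
"""Flag MFA push-bombing ("MFA fatigue") bursts in password-reset prompt logs.

Added example: the log layout is a constructed, hypothetical JSON-lines format;
real identity-provider logs use different field names.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log: one reset prompt per line. "alice" is bombed and
# finally taps allow; "bob" and "carol" show normal, isolated prompts.
SAMPLE_LOG = """\
{"ts": "2024-03-26T02:00:00Z", "account": "alice@example.com", "event": "reset_prompt", "response": "deny"}
{"ts": "2024-03-26T02:00:08Z", "account": "alice@example.com", "event": "reset_prompt", "response": "deny"}
{"ts": "2024-03-26T02:00:15Z", "account": "alice@example.com", "event": "reset_prompt", "response": "deny"}
{"ts": "2024-03-26T02:00:21Z", "account": "alice@example.com", "event": "reset_prompt", "response": "deny"}
{"ts": "2024-03-26T02:00:30Z", "account": "alice@example.com", "event": "reset_prompt", "response": "deny"}
{"ts": "2024-03-26T02:00:41Z", "account": "alice@example.com", "event": "reset_prompt", "response": "allow"}
{"ts": "2024-03-26T09:15:00Z", "account": "bob@example.com", "event": "reset_prompt", "response": "allow"}
{"ts": "2024-03-26T13:00:00Z", "account": "carol@example.com", "event": "reset_prompt", "response": "deny"}
{"ts": "2024-03-26T13:40:00Z", "account": "carol@example.com", "event": "reset_prompt", "response": "allow"}
"""

WINDOW_SECONDS = 300   # assumed sliding window: bursts within 5 minutes
BURST_THRESHOLD = 4    # assumed: this many prompts in one window is suspicious


def parse_events(text):
    """Parse reset-prompt records into (timestamp, account, response), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event") != "reset_prompt":
            continue
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, rec["account"], rec["response"]))
    events.sort()
    return events


def detect_push_bombing(text, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Return {account: finding} for every account with a prompt burst.

    A finding records the prompt count in the densest window seen, how many of
    those prompts were denied, and whether the burst ended in an "allow": the
    outcome (user gave in, or mis-tapped) that a responder most needs to know.
    """
    findings = {}
    per_account = defaultdict(deque)
    for ts, account, response in parse_events(text):
        q = per_account[account]
        q.append((ts, response))
        # Slide the window: discard prompts older than `window` seconds.
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            denied = sum(1 for _, r in q if r == "deny")
            prev = findings.get(account)
            # Keep the largest burst observed for this account.
            if prev is None or len(q) >= prev["prompts"]:
                findings[account] = {
                    "prompts": len(q),
                    "denied": denied,
                    "ended_in_allow": response == "allow",
                    "window_start": q[0][0].isoformat(),
                }
    return findings


if __name__ == "__main__":
    print(json.dumps(detect_push_bombing(SAMPLE_LOG), indent=2))
```

Run against the constructed log, only alice is flagged: six prompts in 41 seconds, five denied, ending in an allow. Bob's single prompt and Carol's two prompts 40 minutes apart fall below the threshold, which is the point of the sliding window: the signal is density, not a raw count.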
If the attackers have the target's phone number, they may move to a second phase should the sheer volume of notifications prove ineffective: according to Apple Insider, they pose as Apple support representatives and call the victim.
Fake Apple Support Scam Targets Users
The attackers call the victim from a spoofed phone number made to look like Apple's official customer support number. A victim who has just received an unusual flood of notifications may, if not careful, assume the notifications relate to a genuine problem and wrongly conclude that the caller really is from Apple.
The attacker then asks the victim to verify their personal information, drawing on data sources such as websites that supply identification details to "confirm" further account details.
Once the victim is convinced the caller is from Apple Support, the attacker triggers an Apple ID reset code to be sent to the victim, then tries to persuade the victim to read that one-time password back to the "support agent."
A flaw in Apple's password reset tool may have made this password reset attempt feasible, but it is still unclear whether it succeeded. Tom's Guide has reached out to Apple and, in the meantime, has offered iPhone owners some guidance on protecting themselves against similar attacks.
If you believe you are being targeted by this attack, do not tap "Allow" on any of the password reset notifications.
Should the improbable happen and you receive a call from someone posing as Apple Support, do not give them any personal information. Instead, follow Patel's lead and first ask the caller to confirm the details they hold about you, Tom's Guide reported.