Apple Users Hit by Phishing Attacks Exploiting System Glitch


Several Apple customers have reported being targeted by elaborate phishing schemes that exploit what appears to be a glitch in how many times a password reset can be requested for an account.

Victims get bombarded with system-level prompts on their Apple devices, each requiring action before the message goes away. Scammers then up the ante by calling the victims while impersonating Apple support.

Entrepreneur Parth Patel encountered a “push bombing” or “MFA fatigue” attack on March 23, where his Apple devices were flooded with alerts to approve a password change. “All of my devices started blowing up, my watch, laptop, and phone,” Patel shared with KrebsOnSecurity, detailing the pop-ups he had to manually decline.

The attackers further tried to trick victims by calling them, spoofing Apple’s support number, and providing accurate personal information, except for the victim’s real name. Scammers typically gather such details from people-search websites, but in this case they had Patel’s first name wrong. Even so, these scammers seem to be pretty good at their research.

Similarly, cryptocurrency hedge fund owner Chris experienced numerous password reset notifications and a suspicious call claiming to be from Apple support. After changing his passwords and even buying a new iPhone, he continued to get alerts, suggesting the phishers might be exploiting knowledge of the phone number associated with the Apple account.

Another user also reported unsolicited system password reset alerts on his Apple devices. Even after taking the preventive measures advised by Apple, including enabling a Recovery Key, this user, Chris, continued to get the alerts.

Investigations into these incidents point to a possible flaw in Apple’s system: it does not appear to limit the rate at which password reset prompts can be triggered, which would allow attackers to flood a target with prompts and ramp up their phishing attacks.

This phishing tactic resembles the one used by the hacking group LAPSUS$ in 2022, which prompted companies like Microsoft to implement additional authentication measures. Security researcher Kishan Bagaria suggests that Apple might need to address a rate-limiting bug similar to the one he reported in 2019 concerning AirDrop requests.
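The missing control described above is, at heart, a per-account cap on how many reset prompts can be pushed in a given window. The following is an added illustration, not Apple’s code and not from the researchers quoted here: a sliding-window limiter with a cooldown, shown against a simulated 30-request burst, with all parameter values (3 prompts per hour, one-day cooldown) assumed for the example.

```python
"""Per-account rate limit for password-reset push prompts (added example).

A sliding-window limiter: at most `max_prompts` prompts per `window_s`
seconds for one account; once the cap is hit, further prompts are
suppressed for `cooldown_s` seconds. A push-bombing burst therefore
reaches the user's devices only a few times instead of dozens.
"""
from collections import deque


class ResetPromptLimiter:
    def __init__(self, max_prompts=3, window_s=3600, cooldown_s=86400):
        self.max_prompts = max_prompts
        self.window_s = window_s
        self.cooldown_s = cooldown_s
        self._sent = {}           # account -> deque of timestamps of delivered prompts
        self._blocked_until = {}  # account -> time until which prompts are suppressed

    def allow(self, account, now):
        """Return True if a reset prompt may be pushed to `account` at time `now`."""
        if now < self._blocked_until.get(account, 0.0):
            return False  # still in cooldown after an earlier burst
        q = self._sent.setdefault(account, deque())
        # Drop delivered prompts that have aged out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_prompts:
            # Cap reached inside the window: start the cooldown, deliver nothing.
            self._blocked_until[account] = now + self.cooldown_s
            return False
        q.append(now)
        return True


def simulate_burst(limiter, account, n, start=0.0, spacing=2.0):
    """Fire n reset requests `spacing` seconds apart; return how many got through."""
    return sum(limiter.allow(account, start + i * spacing) for i in range(n))


if __name__ == "__main__":
    lim = ResetPromptLimiter()
    # Constructed scenario: attacker triggers 30 resets two seconds apart.
    print("prompts delivered out of 30:", simulate_burst(lim, "victim@example.com", 30))
```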

Again, one should never, ever give out a six-digit 2-factor code to anyone, whether it’s Apple or anyone else. Companies and banks will never ask for 2-factor codes.
