Apple Users Being MFA Bombed!
- Reef Noor
- Mar 27, 2024
- 3 min read
Multi-factor authentication (MFA) bombing attacks are targeting Apple users.
Numerous Apple users have recently reported falling victim to sophisticated phishing schemes exploiting what seems to be a flaw in Apple's password reset functionality.

In these instances, users find their Apple devices bombarded with numerous system-level prompts, effectively rendering the devices unusable until the user responds to each prompt with either "Allow" or "Don't Allow." If the user manages to navigate through the barrage of prompts without inadvertently granting access, scammers proceed to contact the victim, posing as Apple support representatives through caller ID spoofing. They claim the user's account is compromised, urging them to verify a one-time code purportedly sent by Apple support.
"All of my devices started blowing up," explained Patel, an entrepreneur in the AI space. "I received this series of system notifications from Apple to approve a password reset, but I couldn't use my phone for anything else. I had to go through and decline over a hundred notifications."

In the face of such a relentless barrage, some individuals may eventually succumb to the constant password reset requests just to regain access to their phone. Alternatively, others might inadvertently approve one of these prompts, which also pop up on an individual's Apple Watch if they own one.
However, the perpetrators behind this scheme had a trump card: Patel disclosed that following his rejection of all the password reset prompts from Apple, he received a call on his iPhone purportedly from Apple Support (displaying the number 1-800-275-2273, Apple's genuine customer support line).
"I answered the call with a high level of suspicion," Patel recounted. "I proceeded to verify some personal information with the caller, who responded with rapid typing sounds and proceeded to provide me with incredibly accurate details about myself."
Yet there was one crucial discrepancy: his actual name. Patel revealed that when he asked the fake Apple support representative to confirm the name associated with his Apple account, the caller provided a name that did not match his own but rather one that Patel had only encountered in background reports available for purchase on several people-search platforms.
If Unsure: Disconnect, Verify, and Return the Call
"I said I would call them back and hung up," Patel recounted. His response demonstrates a crucial lesson in dealing with unexpected solicitations: always verify before taking action. When he contacted Apple directly, they confirmed a critical point: Apple never initiates outbound calls to customers unless explicitly requested.
This incident underscores the necessity for all internet users to exercise caution and skepticism when encountering unsolicited communications. Whether it's an unexpected email, text message, or phone call, it's essential to pause, verify the authenticity of the communication, and refrain from sharing personal information or taking action until you're certain it's legitimate.
What actions can Apple take?
What logically designed authentication system would generate numerous password change requests within a short timeframe, especially when the initial requests haven't been addressed by the user? Could this indicate a flaw within Apple's systems?
It seems there may be a legitimate rate-limiting bug in Apple's password reset flow that needs to be reported: a single account should not be able to trigger an unbounded stream of device prompts, and a new prompt should not be pushed while earlier ones are still unanswered.
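To make the rate-limiting point concrete, here is an added example (not Apple's code) of the kind of gate a reset flow could place in front of device prompts: it refuses to push a new prompt while an earlier one for the same account is unanswered, and it caps prompts per account in a sliding window. The cap, window length and account names are assumptions chosen for illustration.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ResetPromptGate:
    """Gate in front of 'approve password reset' device prompts (hypothetical)."""
    max_prompts: int = 3          # assumed cap on prompts per account per window
    window_seconds: int = 3600    # assumed sliding-window length
    _pending: set = field(default_factory=set)     # accounts with an unanswered prompt
    _history: dict = field(default_factory=dict)   # account -> deque of send times

    def request_reset(self, account: str, now: float) -> str:
        """Return 'sent', 'pending' (earlier prompt unanswered) or 'rate_limited'."""
        if account in self._pending:
            # Do not pile up prompts on top of one the user has not acted on yet.
            return "pending"
        hist = self._history.setdefault(account, deque())
        while hist and now - hist[0] >= self.window_seconds:
            hist.popleft()            # drop send times outside the window
        if len(hist) >= self.max_prompts:
            return "rate_limited"
        hist.append(now)
        self._pending.add(account)
        return "sent"

    def answer(self, account: str) -> None:
        """User tapped Allow or Don't Allow; the prompt is no longer pending."""
        self._pending.discard(account)


def simulate_bombing(gate: ResetPromptGate, account: str, attempts: int,
                     answer_each: bool = False, start: float = 0.0) -> list:
    """Fire `attempts` reset requests one second apart and collect the gate's verdicts.

    With answer_each=False the user ignores every prompt; with True the user
    answers each one, so only the window cap limits the flood.
    """
    verdicts = []
    for i in range(attempts):
        verdicts.append(gate.request_reset(account, start + i))
        if answer_each:
            gate.answer(account)
    return verdicts
```

With the pending check alone, an ignored first prompt blocks the other 99; with the cap, even a user who answers every prompt sees at most three per window.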
Keys to protecting yourself:
- Awareness of MFA Bombing Attacks: Understand that sophisticated phishing schemes, known as Multi-factor Authentication (MFA) bombing attacks, target Apple users. Be alert to sudden influxes of system-level prompts on your devices.
- Be Skeptical of Unsolicited Communications: Exercise caution when receiving unexpected communications, especially those requesting personal information or verification codes. Verify the authenticity of such messages before taking any action.
- Stay Cautious of Caller ID Spoofing: Scammers may attempt to deceive you by spoofing a genuine customer support line. Don't trust caller IDs blindly; instead, remain skeptical and verify the legitimacy of the call.
- Practice Safe Response Protocols: In the event of suspicious communications or prompts, adopt a cautious approach. Disconnect from the communication, verify its authenticity through official channels, and refrain from sharing personal information hastily.
- Report Suspicious Activity: If you encounter suspicious communications or believe you're a victim of a phishing attempt, report it to the relevant authorities or the platform involved. By reporting such incidents, you contribute to the collective effort to combat cyber threats.