Users of Apple devices (iPhone, Apple Watch, Macs) are probably being targeted by a wave of attacks known as "MFA bombing". The attackers aim to take over the victims' Apple accounts by triggering a flood of password reset requests. Careless users and a flaw in Apple's password reset mechanism are said to be facilitating this.
Security reporter Brian Krebs has made the facts public on Krebs on Security in the article Recent 'MFA Bombing' Attacks Targeting Apple Users. According to Krebs, several Apple users have reported in recent days that they have been the target of a sophisticated phishing attack. Dozens of system-level prompts to reset the password appear on the victims' devices. The pop-up blocks use of the device until the user closes the dialog with "Allow" or "Do not allow".
A documented case
Krebs mentions the case of Parth Patel, an entrepreneur who is building a startup in the field of conversational AI. Parth Patel documented the attack in a series of tweets on March 23, 2024 – the screenshot shows an excerpt.
Parth Patel wrote that he had been the target of a sophisticated phishing attack on his Apple ID the previous evening. It was a very elaborate, concentrated attempt to attack his Apple ID account in order to take it over. Other founders had been targeted by the same group/attack. Therefore, he shared what happened to inform the public.
The campaign started around 18:36 local time, when all his Apple devices suddenly showed password reset notifications. The system pop-ups in question can only be dismissed with "Allow" or "Do not allow", and the device cannot be used until that is done. The affected person wrote that he did not use his phone, watch or laptop until he had selected "Do not allow" for more than 100 notifications.
He initially thought someone was trying to mess with him, but he was careful enough to close all the pop-ups asking for a password reset via "Do Not Allow". About 15 minutes later, however, someone called his number, displaying the caller ID of the official Apple support phone number (1 (800) 275-2273). The caller ID had been spoofed in order to win the victim's trust.
Parth Patel was suspicious because of the many pop-ups and asked the caller to verify their identity. The caller, who was probably typing in the background, answered the victim's questions. Many of the answers to questions about date of birth, e-mail address, telephone number, current address and previous addresses were correct. However, the attackers had drawn on OSINT data from People Data Labs, where records on the entrepreneur could be found.
Fortunately, the victim saw through the scam because the caller probably made a mistake and believed the victim's name was Anthony S., an entry Parth Patel found when he queried his own OSINT data. People Data Labs appears to show three profiles when the entrepreneur is searched for.
Finally, the attackers wanted the victim to give them a one-time password (OTP) displayed on the device; this code is sent to the victim's device by Apple, and the message containing it explicitly instructs the recipient not to share it with anyone. Had the victim pressed "Allow" even once during the wave of password reset prompts, or passed on the OTP code, the account would have been taken over.
Parth Patel writes that other founders he knows were also affected by this attack; fortunately, none of them fell victim to it. The attackers go to considerable lengths, using a spoofed Apple Support caller ID to claim that the user's account is under attack and that Apple Support needs to "verify" a one-time code, and their aim is to take over the Apple ID accounts in question.
Further cases and details
In his article, Brian Krebs reports on other recent cases that followed the same pattern. One victim went so far as to buy a new iPhone at an Apple Store and create a new iCloud account with a new e-mail address. However, the eSIM on the new device was registered with his existing phone number. While he was still sitting at the Genius Bar in that store, the system prompts to reset the password appeared again on his new iPhone and iCloud account.
The Apple employees could not explain why the attackers were able to send the notifications to the new device immediately. The victim himself assumes that the phone number is the key to generating the password reset prompts on his devices, because the phone number was the only parameter that had not changed on the new iPhone.
Another source from the security industry, who wishes to remain anonymous, told Brian Krebs that in early 2024 he received password reset notifications on his Apple Watch "in the middle of the night at 00:30", even though he had silenced alarms on it. He had to turn the watch's dial to see and press the "Do not allow" button.
Because this person had worked in the security industry for some time and feared that he might press the watch in his sleep and thereby inadvertently grant the attacker permission to reset the password, he contacted Apple support. There he was eventually referred to a senior Apple technician, who told him about the recovery key, an optional security feature which, according to Apple, is intended to "improve the security of your Apple ID account".
It is a randomly generated 28-character code that, once enabled, replaces Apple's standard account recovery process. However, setting up the key is not straightforward, and anyone who loses the code is permanently locked out of all their Apple devices, Krebs quotes this user as saying.
The hope was that this recovery key would stop the password reset requests. But both this person and Brian Krebs found that even with a recovery key enabled, third parties can still send a password reset request to the linked Apple devices. The Apple "Forgot password" page (*ttps://iforgot.apple.com) can be misused for this purpose.
The attacker only needs to enter an e-mail address and solve a CAPTCHA. The page then displays the last two digits of the phone number linked to the Apple account. If the attacker supplies the missing digits, "Send" triggers a system prompt to reset the password on all devices associated with the Apple ID, regardless of whether the user has enabled an Apple recovery key.
Krebs justifiably asks which reasonably designed authentication system allows dozens of password-change requests to be sent within a short period when the first requests have not even been answered by the user, and whether this type of attack is therefore made possible by a flaw in the design of Apple's password reset system. Apple has not yet responded to requests for comment.