Apple users face barrage of MFA bombing attacks


Apple users are reportedly being targeted by so-called multi-factor authentication (MFA) bombing attacks, also known as push notification spam. Bad actors might be exploiting a bug in Apple’s password reset feature.

During these elaborate phishing attacks, Apple devices are forced to display multiple system-level prompts that prevent the devices from being used until the user responds “Allow” or “Don’t Allow” to each prompt. These are mostly password reset requests.

This kind of “bombing” creates an impression that the device or the user’s account is under attack. The scammers then call the victim – spoofing Apple support in the caller ID – and tell them that they need to “verify” a one-time code.


Creating a false sense of trust

A similar phishing campaign was described last week on X by Parth Patel, an entrepreneur who called it a “push bombing” or “MFA fatigue” attack.

Patel only caught wind that something was up when the phishers, pretending to be from Apple, called him Anthony and, finally, asked him for a one-time password even though the message explicitly said: “Don’t share it with anyone.”

If the user supplies that one-time code, attackers can then reset the password and lock the user out or remotely wipe all of the user’s Apple devices.

Patel’s account would also have been breached if he somehow clicked “Allow” on a single password reset prompt, even accidentally. Luckily, Patel said he successfully declined more than 100 notifications before receiving the phone call.

This was naturally suspicious to Patel, a tech industry professional. However, not all Apple users know that the company will never initiate outbound calls to customers – they have to request to be contacted first.

Obviously, this is a massive security risk that Apple needs to fix, but for now, the company isn’t commenting. Meanwhile, MFA bombing has repeatedly allowed hackers to execute successful attacks.


For example, the criminal teen hacking group LAPSUS$ used MFA bombing to great effect to breach Cisco, Microsoft, and Uber. More recently, the Los Angeles Department of Mental Health has also fallen victim to an MFA attack.

Extra vigilance needed

Michael Covington, VP of Portfolio Strategy at Jamf, a company providing security solutions for an Apple-first environment, says consumers have to be extra vigilant.

“MFA bombing presents a challenge to any targeted user as they are forced to sift through a deluge of notifications with the fear of being victimized further if just one mistake is made,” said Covington.

“What they don’t realize, however, is that this attack is typically preceded by a successful compromise of the user’s credentials, thus allowing a hacker to initiate the sign-in process.”

Users must then safeguard the second authentication factor, which is often a PIN code required to complete account access or a password reset. As the spoofing of the authentic Apple customer support phone number has shown, they can’t trust anyone.
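The two passages above describe the mechanics a defender can key on: a burst of password reset prompts against one account in a short window (the "deluge" Covington describes), followed by a single "Allow" that hands the attacker the account. The following is an added example, not code from the article or from Apple or Jamf, showing how a service-side or SIEM detection could flag that pattern. The log format and the sample lines are constructed for the example; the 10-minute window and the threshold of five prompts are assumptions to be tuned per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format): timestamp, account, event, decision.
# "alice" is bombed with six prompts in under a minute and finally taps Allow;
# "bob" receives two unrelated prompts hours apart, which should not alert.
SAMPLE_LOG = """\
2024-03-25T14:00:01Z account=alice@example.com event=reset_prompt decision=deny
2024-03-25T14:00:09Z account=alice@example.com event=reset_prompt decision=deny
2024-03-25T14:00:20Z account=alice@example.com event=reset_prompt decision=deny
2024-03-25T14:00:33Z account=alice@example.com event=reset_prompt decision=deny
2024-03-25T14:00:41Z account=alice@example.com event=reset_prompt decision=deny
2024-03-25T14:00:58Z account=alice@example.com event=reset_prompt decision=allow
2024-03-25T14:05:00Z account=bob@example.com event=reset_prompt decision=deny
2024-03-25T16:30:00Z account=bob@example.com event=reset_prompt decision=allow
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window for counting prompts
THRESHOLD = 5                    # assumed number of prompts in WINDOW that counts as a burst


def parse_line(line):
    """Parse one 'ts key=value ...' log line into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_bombing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return a list of alerts, each (kind, account, timestamp).

    kind == "burst"             : the account hit `threshold` reset prompts inside `window`
    kind == "allow_after_burst" : the account approved a prompt after being flagged as bombed
    """
    recent = defaultdict(deque)   # account -> timestamps of prompts inside the window
    bombed = set()                # accounts already flagged (never expires; conservative)
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") != "reset_prompt":
            continue
        acct = rec["account"]
        q = recent[acct]
        q.append(rec["ts"])
        # Drop prompts that have aged out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()

        if len(q) >= threshold and acct not in bombed:
            bombed.add(acct)
            alerts.append(("burst", acct, rec["ts"]))

        # The dangerous event: a single Allow from an account under bombardment.
        if rec.get("decision") == "allow" and acct in bombed:
            alerts.append(("allow_after_burst", acct, rec["ts"]))

    return alerts


if __name__ == "__main__":
    for kind, acct, ts in detect_push_bombing(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:18s} {acct}")
```

The "burst" alert is the point at which a service could throttle or temporarily suspend further reset prompts for that account, and the "allow_after_burst" alert is the one worth paging on, since it corresponds to the single accidental tap that Patel narrowly avoided.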

Quite literally millions of two-factor authentication codes, sent as SMS messages by tech giants, were leaked online to anyone without any authentication, security researcher Anurag Sen recently found. The codes were held in a database belonging to YX International, an SMS routing service.

According to Covington, users need to always keep their software updated and, of course, try to initiate the call to customer support themselves.

“If you must receive the call, utilize verification questions to confirm you are speaking with a legitimate agent of the service in question,” said Covington.

“Just as users are asked to answer verification questions to recover forgotten passwords, anyone attempting to gain access to your account should go through a similarly rigorous process to ensure they are authorized to do so.”
