Several Apple customers have fallen victim to a cunning scheme exploiting what appears to be a flaw in Apple’s password reset feature. The attackers employ a multi-step strategy that combines overwhelming system prompts with deceptive phone calls, demonstrating an alarming level of social engineering expertise.
The attack, reported by Krebs on Security, reveals a tactic dubbed ‘push bombing’ or ‘MFA fatigue’ attack, where phishers inundate targets’ Apple devices with a barrage of system-level prompts to approve a password or login.
This tactic aims to overwhelm users, making them more likely to inadvertently approve a malicious prompt or divulge sensitive information out of frustration.
Security experts warn that these attacks leverage a combination of technical vulnerabilities and psychological manipulation to bypass security measures such as multi-factor authentication (MFA) and exploit users’ trust in official support channels.
One such victim, Parth Patel, shared his experience on X, detailing how his Apple devices were bombarded with notifications demanding approval for a password reset. Patel described the ordeal as a relentless barrage that rendered his devices temporarily unusable, forcing him to decline numerous attempts.
The attackers didn’t stop there. After bombarding Patel with system notifications, they proceeded to call him, masquerading as Apple Support and claiming his account was under attack.
The attackers’ primary objective is to lock the victim out of their Apple device by obtaining a one-time password. If the unsuspecting victim enters the code sent by the attackers, they can then reset the password and lock the device. From there, they can demand a ransom from high-profile individuals or wipe all of the phone’s data.
This added layer of deception, combined with accurate personal information obtained through online sources, further enhances the credibility of the scam and increases the likelihood of the victim falling for it.
Another victim recounted a similar experience, receiving a barrage of reset notifications and a subsequent call from fake Apple Support. However, the victim refused to engage with the caller and instead sought assistance from legitimate Apple channels. This prevented further compromise of the victim’s accounts and devices.
Despite several efforts by the victims to mitigate the attacks, including enabling Apple’s Recovery Key feature, they continue to report persistent system alerts and phishing attempts.
Cybercriminals have used the MFA bombing technique on several occasions in the past, including malicious attempts at Cisco, Microsoft, and Uber. In response, Microsoft began implementing ‘MFA number matching.’ This feature requires users who have logged in with their credentials to verify their identity by entering a series of numbers displayed on their screen into the Microsoft Authenticator app on their mobile device.
Apple has not yet issued a statement on the matter.