Apple iPhone users are being targeted in a new attack that abuses the Apple ID password reset feature.
The attack, which bombards Apple users with notifications or multi-factor authentication (MFA) messages, aims to persuade iPhone users that they need to reset their password. The annoying popups will appear on all Apple devices—iPhones, iPads and Macs.
Spotted by security researcher Brian Krebs and covered in his blog, Krebs On Security, the popups themselves aren’t used to gain access to your iPhone. Instead, they are used to create panic ahead of the attacker calling you from a spoofed number. Pretending to be from Apple, the attacker then hopes you will share your one time password to confirm a password reset.
In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt, Krebs writes. “Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to ‘verify’ a one-time code.”
How Bad Is The New iPhone Attack?
So how bad is the new iPhone attack? In reality, it’s not easy to pull off. First, the attacker has to have access to information including the email address and phone number associated with your Apple ID.
In one case, reported by Twitter/X user Parth Patel, the attackers had gathered these details from a people-search website. However, the adversary had gotten his name wrong, and Parth became suspicious when they asked for the one-time code sent by Apple.
Krebs found attackers were using Apple’s Forgot Password feature for Apple ID to send the notification spam messages. It also appears they’re using a vulnerability or bug to bypass Apple’s limit on the number of reset requests allowed.
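The defensive counterpart to the flood Krebs describes is a limit on how many reset prompts a single account can receive in a window, enforced on the account rather than on the requester, so that varying the source of the requests does not reset the count. The following is an added example, not code from the article and not Apple’s implementation: a sliding-window limiter keyed on the account identifier, with a hypothetical window of one hour and a hypothetical cap of three prompts, which drops excess requests and records an alert instead of pushing another prompt to the user’s devices.

```python
"""Added example (not from the article, not Apple's code): a per-account
sliding-window limiter for password-reset prompts.

Assumptions (hypothetical): reset requests arrive as (timestamp, account, source)
tuples; the limit is keyed on the account only, so changing the source does not
reset the count; excess requests are dropped and an alert is recorded for the
security team rather than delivered as a device prompt.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600        # hypothetical: one-hour window
MAX_PROMPTS_PER_WINDOW = 3   # hypothetical: at most 3 prompts per account per window


class ResetPromptLimiter:
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PROMPTS_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._events = defaultdict(deque)  # account -> timestamps of delivered prompts
        self.alerts = []                   # blocked requests, for the security team

    def _prune(self, account, now):
        # Drop timestamps that have fallen out of the sliding window.
        q = self._events[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, ts, account, source):
        """Return True if a reset prompt may be delivered to the account's devices."""
        self._prune(account, ts)
        q = self._events[account]
        if len(q) >= self.limit:
            # Over the cap: do not prompt the user; record the event instead.
            self.alerts.append({"ts": ts, "account": account, "source": source,
                                "recent_prompts": len(q)})
            return False
        q.append(ts)
        return True


def simulate(requests, limiter=None):
    """Feed a sequence of requests through the limiter.

    Returns (prompts delivered, alerts raised).
    """
    limiter = limiter or ResetPromptLimiter()
    delivered = sum(1 for ts, acct, src in requests if limiter.allow(ts, acct, src))
    return delivered, len(limiter.alerts)


# Constructed sample input: twenty reset requests against one account within a
# few minutes, spread across rotating sources, plus one request for another account.
SAMPLE = [(t, "victim@example.com", f"src-{t % 5}") for t in range(0, 200, 10)] \
       + [(50, "other@example.com", "src-legit")]

if __name__ == "__main__":
    delivered, alerts = simulate(SAMPLE)
    print(f"prompts delivered: {delivered}, alerts raised: {alerts}")
```

With the constructed sample, the targeted account receives only the first three prompts and the remaining seventeen requests become alerts, while the unrelated account is unaffected; once the window has elapsed the account can receive prompts again. The limiter is deliberately keyed on the account alone, since a cap applied per source would be defeated by simply spreading requests across sources.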
Jake Moore, global cybersecurity advisor at ESET, says he can see how someone could be tricked by the attack. “It goes to show that we must constantly remain on guard to changing phishing and smishing tactics. But however relentless attackers become, it is vital to refrain from divulging sensitive information.”
To avoid being hit by attacks on your iPhone or other Apple device, make sure you use a strong password to protect your Apple ID. Never give out information to anyone on the phone—particularly one-time passcodes.