Wednesday, March 27, 2024

“MFA Bombing” Attacks Targeting Apple Users

Brian Krebs (MacRumors, Hacker News):

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code.


Some people confronted with such a deluge may eventually click “Allow” to the incessant password reset prompts — just so they can use their phone again. Others may inadvertently approve one of these prompts, which will also appear on a user’s Apple watch if they have one.


“I pick up the phone and I’m super suspicious,” Patel recalled. “So I ask them if they can verify some information about me, and after hearing some aggressive typing on his end he gives me all this information about me and it’s totally accurate.”


KrebsOnSecurity tested Ken’s experience, and can confirm that enabling a recovery key does nothing to stop a password reset prompt from being sent to associated Apple devices.

I wonder why this isn’t rate limited.


2 Comments RSS · Twitter · Mastodon

I find this odd, since the MFA makes you enter the 6 digit number given. How does MFA bombing work if hitting approve doesn't actually approve the 2FA? Presumably they would still need to access the physical device somehow.

Certainly the phone call scam would work, but this seems like it's something entirely different than "accidentally thumbing the wrong button"

Leave a Comment