
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,557
30,888


Phishing attacks taking advantage of Apple's password reset feature have become increasingly common, according to a report from KrebsOnSecurity. Multiple Apple users have been targeted in an attack that bombards them with an endless stream of notifications or multi-factor authentication (MFA) messages in an attempt to cause panic so they'll respond favorably to social engineering.

[Image: reset-password-request-iphone.jpg]

An attacker is able to cause the target's iPhone, Apple Watch, or Mac to display system-level password change approval texts over and over again. Because the password requests target the Apple ID, they pop up on all of a user's devices. The notifications render all linked Apple products unable to be used until the popups are dismissed one by one on each device. Twitter user Parth Patel recently shared his experience being targeted with the attack, and he says he could not use his devices until he clicked on "Don't Allow" for more than 100 notifications.

The actual popup can't be used to gain access to an Apple device, and it serves as a front for attackers to incite fear in the target. Following the flood of notifications, the attacker calls using a spoofed number that makes it appear to be coming from Apple. On these calls, the attacker confirms that the victim's account is under attack, and that sensitive information is needed to put a stop to it. It appears that the attacker is after a one-time code to confirm a password reset or login attempt.

In Patel's case, the attacker was using information leaked from a people search website, which included name, current address, past address, and phone number, giving the person attempting to access his account ample information to work from. The attacker happened to have his name wrong, and he also became suspicious because he was asked for a one-time code that Apple explicitly sends with a message confirming that Apple does not ask for those codes.

The attack hinges on the perpetrator having access to the email address and phone number associated with an Apple ID at a minimum, and given the description of what's been happening, it is likely that bad actors also had access to the victim's Apple ID password from database leaks and other means. One-time codes are most often triggered as secondary security, so the attacker sends the notification spam, calls the target to "save" them from the attack, logs in to the Apple ID with the stolen information and password, and triggers the one-time code. If the target hands over the code at this point, the attacker will have full access to the Apple ID.

KrebsOnSecurity looked into the issue, and found that attackers appear to be using Apple's page for a forgotten Apple ID password to send the notification spam. This page requires a user's Apple ID email or phone number, and it has a CAPTCHA. When an email address is put in, the page displays the last two digits of the phone number associated with the Apple account, and filling in the missing digits and hitting submit sends a system alert.

It is not clear how the attackers are abusing the system to send multiple messages to Apple users, but it appears to be a bug that is being exploited. It is unlikely that Apple's system is meant to be able to be used to send more than 100 requests, so presumably the rate limit is being bypassed.

Apple device owners targeted by this attack should remain calm and make sure not to provide sensitive information to someone who calls, even if the phone call appears to be coming from Apple. Spoofing a phone number is a simple thing to do, so the best course of action is to hang up and call Apple support directly. There is never a situation where a one-time code should be shared with another person, and Apple will never ask for a code.

Update: This article has been updated to clarify how the attack works. The prior version suggested that an Apple ID could be accessed should someone press "Allow" on one of the password request popups, but that is inaccurate. This is a complicated, multi-step attack that requires social engineering, but the password reset spam is a component that Apple will hopefully address in a future update.

Article Link: Warning: Apple Users Targeted in Phishing Attack Involving Rapid Password Reset Requests
 

Realityck

macrumors G4
Nov 9, 2015
10,124
15,168
Silicon Valley, CA
When attackers are unable to get the person to click "Allow" on the password change notification, targets often get phone calls that seem to be coming from Apple. On these calls, the attacker claims to know that the victim is under attack, and attempts to get the one-time password that is sent to a user's phone number when attempting a password change.
Never trust a company to call you out of the blue! Just tell them you are hanging up and contacting that company directly.
 

sKurt

macrumors newbie
Jul 8, 2022
10
-5
I get asked EVERY TIME I open my phone. "Oh, some iCloud stuff isn't syncing." Then it says, "Oh, Health isn't syncing."

I do not want 2FA. My wife often goes to China and has no signal, and if it asks for a code from her phone, I'll be trapped until she finds a signal.

I have been denying 2FA for years and for years I get pop ups with 'subtle' hints. You can't make them go away, and on the MacBook the notification pops up, you click the X to dismiss, but that only brings up the system preferences dialog box.

As far as I'm concerned, after the first 100 times I tell it NO, it's HARASSMENT when they keep trying to 'fool' me into signing up.

Every time I update, it rushes through the choices hoping I'll click Continue accidentally and bam, now I have to turn off 2FA and change my password etc., et al.

Now this is pushing it, and frankly, I wouldn't have known.


Yes, I use 2FA on everything else (bank, email, Amazon, PayPal, etc.) via Duo, but Apple's way is very inconvenient. As far as why my wife's phone is on my list, it's because she doesn't have service: she only needs WeChat/Messages and the occasional call, so she doesn't have a plan, only pay per use.

Now that I've seen the Yubico 5C device, I can go with 2FA via that instead of having to use ALL my apple devices.
 

vegetassj4

macrumors 68000
Oct 16, 2014
1,681
9,171
I use a hardware security key (Yubico 5C) for my AppleID 2FA (instead of using my other Apple devices).
This is the best way to avoid phishing attacks.
I second, third, and fourth this motion. I put hardware two-factor on everything as soon as it becomes available. Banks, brokerage, etc. I don't know if this will stop the present exploit.

YMMV depending on needs.
 

Mr. Heckles

macrumors 65816
Mar 20, 2018
1,371
1,751
Around
I use a hardware security key (Yubico 5C) for my AppleID 2FA (instead of using my other Apple devices).
This is the best way to avoid phishing attacks.
Does this for sure help prevent this issue?

edit: I tested this, and having a 2FA does not stop this. I went on Apple and selected forget my password, and I got the pop up asking to use a device to confirm to change my password (just like in the article)… and I use a Yubico/2FA.
 

sw1tcher

macrumors 603
Jan 6, 2004
5,417
18,682
And the DOJ and EU keep tearing down the Apple ecosystem. What insanity
Did the EU tell Apple they must allow people to submit unlimited password reset requests?

It never occurred to Apple to set a limit for the number of password reset requests one can make within a certain period of time?

It's like with online banking. If you make too many wrong log-in attempts (usually around 5 attempts), access to the account gets locked and you have to call your bank to get access reset as a security precaution.


Multiple Apple users have been targeted in an attack that bombards them with an endless stream of notifications or multi-factor authentication (MFA) messages in an attempt to get them to approve an Apple ID password change.

Because the password requests target the Apple ID, they pop up on all of a user's devices. The notifications render all linked Apple products unable to be used until the popups are dismissed one by one on each device. Twitter user Parth Patel recently shared his experience being targeted with the attack, and he says he could not use his devices until he clicked on "Don't Allow" for more than 100 notifications.

When attackers are unable to get the person to click "Allow" on the password change notification, targets often get phone calls that seem to be coming from Apple. On these calls, the attacker claims to know that the victim is under attack, and attempts to get the one-time password that is sent to a user's phone number when attempting a password change.

The attack seems to hinge on the perpetrator having access to the email address and phone number associated with an Apple ID.

It is not clear how the attackers are abusing the system to send multiple messages to Apple users, but it appears to be a bug that is being exploited. It is unlikely that Apple's system is meant to be able to be used to send more than 100 requests, so presumably the rate limit is being bypassed.
 
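The article notes that the reset page should not be usable to send more than 100 requests and presumes a rate limit is being bypassed, and sw1tcher above points to the online-banking pattern of locking after a handful of attempts within a period. The following is an added illustration of that defensive design, written for this thread; it is not Apple's code and not code from the article or from any poster. It assumes constructed threshold values (3 requests per hour, then a 24-hour lockout) and a constructed attacker that rotates source addresses, and it shows why the limiter has to be keyed on the target account rather than only on the requester's IP: a per-IP limit lets a rotating flood deliver every notification, while a per-account limit caps what the victim's devices ever see.

```python
"""Per-target rate limiting for password-reset notifications.
Added example for this thread, not Apple's implementation; all thresholds,
addresses and account names are constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class SlidingWindowLimiter:
    """Allow at most `max_per_window` events per key inside `window_seconds`.
    Once a key exceeds that, refuse it until `lockout_seconds` have passed."""
    max_per_window: int = 3          # constructed threshold
    window_seconds: float = 3600.0   # constructed one-hour window
    lockout_seconds: float = 86400.0 # constructed 24-hour lockout
    _events: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict = field(default_factory=dict)

    def check(self, key: str, now: float) -> tuple:
        """Return (allowed, reason) and record the event if allowed."""
        if self._locked_until.get(key, 0.0) > now:
            return False, "locked"
        window = self._events[key]
        # Drop events that fell out of the sliding window.
        while window and now - window[0] > self.window_seconds:
            window.popleft()
        if len(window) >= self.max_per_window:
            self._locked_until[key] = now + self.lockout_seconds
            return False, "limit exceeded; key locked out"
        window.append(now)
        return True, "ok"


@dataclass
class ResetRequest:
    target_account: str  # the email or phone the requester typed into the form
    source_ip: str
    timestamp: float


def normalize_account(account: str) -> str:
    """Canonicalize the target identifier so case/whitespace variants share one bucket."""
    return account.strip().lower()


def deliver_if_allowed(limiter: SlidingWindowLimiter, request: ResetRequest, keyed_by: str) -> tuple:
    """Decide whether a device notification may be sent for this request.
    keyed_by is 'source_ip' (bypassable by rotating addresses) or 'target_account'."""
    if keyed_by == "source_ip":
        key = "ip:" + request.source_ip
    else:
        key = "acct:" + normalize_account(request.target_account)
    return limiter.check(key, request.timestamp)


def simulate_flood(keyed_by: str, attempts: int = 100, rotate_ips: bool = True) -> int:
    """Replay a constructed flood of reset requests against one victim account
    and return how many notifications would actually reach the victim's devices."""
    limiter = SlidingWindowLimiter()
    delivered = 0
    for i in range(attempts):
        # 198.51.100.0/24 is a documentation range; the rotation is constructed.
        ip = f"198.51.100.{i % 250}" if rotate_ips else "198.51.100.1"
        req = ResetRequest("Victim@Example.com", ip, timestamp=1_700_000_000 + i * 10)
        allowed, _ = deliver_if_allowed(limiter, req, keyed_by)
        delivered += int(allowed)
    return delivered


if __name__ == "__main__":
    print("per-IP limit, rotating IPs:      ", simulate_flood("source_ip"))
    print("per-account limit, rotating IPs: ", simulate_flood("target_account"))
```

The per-account bucket is what protects the person being flooded; the per-IP bucket only protects the service from a single noisy client. Keying on the normalized account also means the 100-notification pile-up described in the article could not happen from the reset form alone, whatever the requester's address, and the lockout gives the legitimate owner a quiet period instead of a stream of prompts to dismiss.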

Aleco

macrumors regular
Aug 7, 2009
151
119
I have been getting these requests for quite some time now (over a year) and I have selected "Don't Allow" for all alerts. I feel like I accidentally pressed Allow once (a while ago) and it gave me a 2FA code which I just closed.

I just went through the iForgot process myself, and clicked on Allow on a few of my devices (Watch, iPhone, Mac), all of which redirected me to the Settings > Apple ID page and requiring me to enter my passcode/password to proceed with the password reset, which is done on device.

This post is quite misleading because I don't think this is the attack attempt.

Instead, these attackers are using something called Account Recovery, which is a manual recovery process. To get access to this process you need to send the notification to all the devices then click "Don’t have access to any of your Apple devices?" which asks a few personal questions (and gives out your last 4 CC which is kind of weird), and clicking no to all allows them to create the request with a random phone number attached.

[Image: nwhLSpK.png]


I got this e-mail recently, and at first glance I was like, what a great phishing attempt, but it also looked a bit too real to ignore. After further digging, it was a real e-mail from Apple, and after checking the URLs prior to clicking the links, I cancelled the request.

I'm not sure what happens if I didn't cancel this request but my hope is that Apple manually reviews these requests and sees that the person did not attach any matching personal info so it should be denied immediately.
 