
Strebor

macrumors member
Sep 15, 2022
39
97
Sounds like Apple should be able to plug this in no time by:

  1. Immediately giving you the option to say you did not request this and to block any new incoming password requests (with increasing intervals)
  2. Log patterns (ip addresses, etc) of requests that were denied (it wasn’t me option) and block these, so new attacks can’t be started by this attacker
  3. Put a rate limit on the password reset form
 

bkendig

macrumors member
Oct 8, 2019
49
88
iCloud Lock was the worst thing Apple has done to the iPhone. Some people legit get permanently locked out of their own phones because of it.
Every time I try to log in to my iCloud account, it's locked. And with Stolen Device Protection enabled on my iPhone, I can only unlock my iCloud account by changing my password to something new. I'm going through passwords at a prodigal rate.
 

jumpcutking

macrumors 6502
Nov 6, 2020
300
182
They could place a time limit on the amount of recovery requests. Something like you can only make three recovery or password reset requests in 15-minute intervals. It sounds like I should implement something similar in my account system, too.
 
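The two suggestions above (an "it wasn't me" response that blocks the source, plus a cap of three reset requests per 15-minute window) combined into one small limiter. This is an added example, not code from the thread or from Apple; the class, method names, the sample addresses and the back-off schedule are assumptions.

```python
# Added example (not from the forum thread): a sliding-window limiter for
# password-reset prompts. It caps prompts per account (3 per 15 minutes), lets
# the account owner report "not me" to block the requesting source, and
# applies an escalating cool-down to the targeted account after each denial.
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60   # 15-minute window (assumed from the post above)
MAX_PER_WINDOW = 3         # at most three reset prompts per account per window
BASE_BLOCK_SECONDS = 60    # first denial pauses prompts for one minute

class ResetRateLimiter:
    def __init__(self):
        self.requests = defaultdict(deque)   # account -> timestamps of sent prompts
        self.blocked_sources = {}            # source (e.g. IP) -> block expiry time
        self.denials = defaultdict(int)      # account -> count of "not me" reports
        self.cooldown_until = {}             # account -> no prompts before this time

    def _prune(self, account, now):
        # Drop timestamps that have fallen outside the sliding window.
        q = self.requests[account]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()

    def request_reset(self, account, source, now):
        """Return 'prompt' if a reset prompt may be sent, else the refusal reason."""
        if self.blocked_sources.get(source, -1) > now:
            return "blocked_source"
        if self.cooldown_until.get(account, -1) > now:
            return "account_cooldown"
        self._prune(account, now)
        if len(self.requests[account]) >= MAX_PER_WINDOW:
            return "rate_limited"
        self.requests[account].append(now)
        return "prompt"

    def report_not_me(self, account, source, now):
        """Owner pressed 'I did not request this': block the source, back off prompts."""
        self.denials[account] += 1
        # Exponential back-off per denial: 1 min, 2 min, 4 min, ... capped at the window.
        backoff = min(BASE_BLOCK_SECONDS * 2 ** (self.denials[account] - 1), WINDOW_SECONDS)
        self.cooldown_until[account] = now + backoff
        self.blocked_sources[source] = now + WINDOW_SECONDS
        return backoff
```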

smorrissey

macrumors 68000
Mar 12, 2015
1,571
780
I'm scared!!

What really annoys me is not being able to connect to 5G from time to time when I'm on the street, pretty random, and I blame iOS 17.
 

iwillfollow

macrumors newbie
Dec 18, 2023
2
3
Thank my lucky stars Apple Security warned me before this exploit was used:

If you believed that message may have been real without Apple's warnings then you are doomed. There is so much wrong with that message that screams "NOT from Apple". Do you really think Apple would construct a warning like that one? And do you think they care about your Facebook and WhatsApp accounts? Snap out of it already.
 

vegetassj4

macrumors 68000
Oct 16, 2014
1,706
9,311
If you believed that message may have been real without Apple's warnings then you are doomed. There is so much wrong with that message that screams "NOT from Apple". Do you really think Apple would construct a warning like that one? And do you think they care about your Facebook and WhatsApp accounts? Snap out of it already.
It’s a joke
 
  • Like
Reactions: Robert.Walter

tothemoonsands

macrumors 6502a
Jun 14, 2018
520
1,102
I don't get it.

When I go to iforgot.apple.com , I have to enter E-Mail and phone number.
Then the pop-up appears on all my devices.
Then I can change the password ON MY DEVICE.

But NOT in the WEB BROWSER that the attacker uses.

Did I miss something?
Did Apple already change something?

Yeah, I was under the impression that the password reset occurs on the device that clicks approve. I.e. the hacker doesn't get the reset text field, only you do.

Plus, the only way a new trusted device can be added is by using 2FA along with the password, unless you don't have 2FA. I.e. you need to sign in with your password AND use your physical YubiKey to sign in. A password change alone wouldn't let you in without the YubiKey activation.

I think there may be some misinformation in this news story. It's a password reset notification DDoS since you have to click reject 100 times, but it doesn't actually pose a threat to getting INTO the account, even if you do click approve…

Read the article:

It relies on picking up a phone call from the scammer. Here's a hint: Apple will never call you, especially if you don't initiate it. The only circumstance is if you call Apple Support and there's an option for a callback, which I wouldn't recommend doing for any non-trivial reason, for this very reason. Wait on the phone if you are dealing with sensitive account information to prevent the risk of spoofing.

Darren.h

macrumors 6502
Apr 15, 2023
341
583
WOW. First we find out there is an encryption flaw in ALL of Apple's M1, M2 and M3 processor chips that can never be fixed. A chip design security FLAW.

And NOW this.

Was gonna buy an M3 Max Studio when they come out but now I am waiting for the M4 Max Studio OR whenever they fix the chip for this serious FLAW.
 

tothemoonsands

macrumors 6502a
Jun 14, 2018
520
1,102
WOW. First we find out there is an encryption flaw in ALL of Apple's M1, M2 and M3 processor chips that can never be fixed. A chip design security FLAW.

And NOW this.

Was gonna buy an M3 Max Studio when they come out but now I am waiting for the M4 Max Studio OR whenever they fix the chip for this serious FLAW.

Wouldn’t worry too much about that encryption flaw. It requires physical access to the machine and M3 has the ability to thwart it. I’m in the market for a Studio maybe and this is 100% not affecting my purchasing decision.

This password reset news story is not really an issue either. Certainly nothing new, other than the twist of the spoofed Apple Support follow up call.
 

synonys

macrumors regular
Sep 16, 2014
129
130
I use a hardware security key (Yubico 5C) for my AppleID 2FA (instead of using my other Apple devices).
This is the best way to avoid phishing attacks.

I think accounts with hardware security keys are still affected. I just tried this, and it still sent a password reset request even though I have security keys and recovery keys.
 
  • Like
Reactions: Robert.Walter

arc of the universe

macrumors regular
Jan 11, 2023
176
200
Tip:

You can use plus+ addressing, which lets you have unique addresses for different services. This is an alternative to anonymous email addresses.

joe@icloud.com (main address)

joe+service1@icloud.com (Service #1)
joe+service2@icloud.com (Service #2)
etc.

Handy trick.
Wow. I had never known this.

I can't find any Apple iCloud email documentation to explain this.

Apple of course only allowed 3 aliases for a long time.
Then it gave us the Hide My Email option as well, which I have about 30 of (one for each site that I access).
But if I can use this plus+ addressing, then I could actually set up a system where I could predict what address I am using for each site.

From your example and the examples I have seen on the net today, are there any limitations on characters or anything like that in order to use this plus+ address?

And if there is no Apple documentation on this, is it possible that Apple won't support it in the future?
 

Shirasaki

macrumors P6
May 16, 2015
15,624
10,932
Apple IDs were not set up for this, it's 1 Apple ID for 1 person. It's not Apple's fault you're not using it right.

It's your responsibility to set up back-up ways. There are many ways.

You can set up a recovery contact. My mom only had an iPhone for years, and she broke it (her only device for 2FA). She went to the Apple Store, got a new phone/replacement, activated it, and got a text for her 2FA. If a 70 year old person can do this, I bet you can.
Apple IDs were not set up for A, for B, for C, for E etc. Yet customers use them that way. As a developer, what's the reaction? Apply draconian restrictions so anything but A would be impossible, or work around it and improve?

And for setting up backup ways? Most backup ways involve Apple's servers, such as the one demonstrated in this article. Users cannot do anything about it except dismissing the prompts vigilantly. What's your suggestion then?

Recovery contact? I am fairly confident it has iOS version restrictions. What about those people who use devices that won't support recovery contact but support 2FA? Also, just because your 70 year old mom can use 2FA doesn't automatically mean everyone else can. For the record, I don't have a problem using 2FA, but that doesn't prevent me from raising the concern about it.
 

Shirasaki

macrumors P6
May 16, 2015
15,624
10,932
I refuse to accept that a grown person who participates in the MacRumors forums in the year of our Lord 2024 could be obtuse enough to be sharing an Apple ID. It’s just outrageously, inconceivably stupid and entirely unnecessary.

But even in such a scenario, security keys would solve the problem, as would simply getting a wireless plan with international data or any number of cheap international eSIMs.

And your final concern isn’t really a concern, because you can now set up a recovery contact.
Believe it or not, we can all refuse to accept many things that do in fact exist, such as 2 people sharing the same Apple ID. To be fair, I am not 100% sure if they are indeed doing so, but judging by the claim that her wife travelling to China would paralyse 2FA, that's the most probable cause.

And before you suggest "security keys" or "recovery contact", I want to remind you both of those are barred behind a particular iOS version update, which they may or may not be able to install and use without replacing their devices, which they may not be able to or unwilling to. Apple didn't release 2FA back then with the support of hardware keys and/or recovery contacts either, meaning those people who are now stuck using outdated software risk their account being locked out because of insufficient 2FA recovery options.

Besides all that, mere participation in the MacRumors forums has no bearing on a member's tech literacy whatsoever.

I am not saying 2FA is bad. I am saying I understand the concern he has because I was in the same boat several years ago, refusing to use 2FA.
 
  • Like
Reactions: arkitect

dialogos

macrumors regular
Sep 22, 2017
238
290
I never give my Apple ID's email to anyone. It's an email used only for the Apple ID.

I understand that using an iCloud alias allows you to log in as well. This means that even if you prefer not to share your primary Apple ID email but wish to use iCloud email, using an alias does not eliminate the risk. This is my current understanding; correct me if I'm mistaken.

Previously, I discussed my intention to switch from Gmail to another email provider. However, I was hesitant because I discovered that logging in with my alias was possible. Additionally, I do not share my primary iCloud email.
 

Robert.Walter

macrumors 68040
Jul 10, 2012
3,099
4,406
Tip:

You can use plus+ addressing, which lets you have unique addresses for different services. This is an alternative to anonymous email addresses.

joe@icloud.com (main address)

joe+service1@icloud.com (Service #1)
joe+service2@icloud.com (Service #2)
etc.

Handy trick.
Better to use hide my email anon addresses.

The + trick was good in the old days but it has flaws:
1. Many sites don't allow + in an address,
2. Before the + and the domain give you away and can be used to track,
3. After the +, depending on what you do, you may have to keep a log to know what the address-to-site relationship is.
4. One day the crooks will strip off the + and what follows and just start spamming the main email, which you can't change.

HME solves these.
 

Robert.Walter

macrumors 68040
Jul 10, 2012
3,099
4,406
I get asked EVERY TIME I open my phone. "Oh, some iCloud stuff isn't syncing." Then it says, "oh, health isn't syncing."

I do not want 2FA, my wife often goes to China and has no signal, and if it asks for a code from her phone, I'll be trapped until she finds a signal.

I have been denying 2FA for years and for years I get pop ups with 'subtle' hints. You can't make them go away, and on the MacBook the notification pops up, you click the X to dismiss, but that only brings up the system preferences dialog box.

As far as I'm concerned, after the first 100 times I tell it NO, it's HARASSMENT when they keep trying to 'fool' me into signing up.

Every time I update, it rushes thru the choices hoping I'll click continue accidentally and bam, now I have to turn off 2FA and change my password, etc., et al.

now this is pushing and frankly, I wouldn't have known.
Where you can, use the iCloud authenticator built into iOS et cie.
 
  • Like
Reactions: Mr. Heckles
