Security researcher Brian Krebs recently uncovered a new attack targeting Apple iPhone users that aims to exploit the password reset feature. The attack involves bombarding users with notifications or multi-factor authentication messages to convince them to reset their password. These annoying popups appear on all Apple devices, including iPhones, iPads, and Macs. The goal of the attackers is to create panic and trick users into sharing their one-time password to confirm a password reset.

The popups themselves do not directly gain access to the iPhone. Instead, they are used to disrupt the user’s device and create a sense of urgency before the attacker contacts them from a spoofed number. Pretending to be from Apple support, the attacker will claim that the user’s account is under attack and ask for verification through a one-time code. This manipulation preys on the victim’s fear of a security breach and tricks them into disclosing sensitive information.

The attack requires the attacker to have information such as the user’s email address and phone number associated with their Apple ID. In one reported case, the attackers obtained this information from a people-search website but made a mistake in the victim’s name, raising suspicion. Despite the attacker’s efforts to cause chaos and confusion with numerous system-level prompts, vigilant users can avoid falling for the scam by being cautious and verifying the legitimacy of such requests for sensitive information.

The attackers are exploiting Apple’s Forgot Password feature for Apple ID to send the notification spam. It appears that they are also using a vulnerability or bug to bypass Apple’s usual limit on the number of reset requests allowed. Jake Moore, a global cybersecurity advisor at ESET, acknowledges that users could be deceived by this attack. He emphasizes the importance of remaining vigilant against evolving phishing and smishing tactics and advises against disclosing sensitive information over the phone, particularly one-time passcodes.
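As an added illustration of the kind of server-side check that a request-limit bypass defeats (example code written for this article, not Apple's or Krebs's), here is a per-account sliding-window detector run over constructed password-reset request logs. The log format, the threshold of three requests per ten minutes, and every address and account value are assumptions; counting per target account rather than per source address matters because the prompts all land on one victim even if the requests come from many places.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): one password-reset request
# per line, formatted as "<ISO timestamp> <target account> <source IP>".
SAMPLE_LOG = """\
2024-03-26T10:00:01 alice@example.com 203.0.113.5
2024-03-26T10:00:09 alice@example.com 203.0.113.5
2024-03-26T10:00:20 alice@example.com 198.51.100.7
2024-03-26T10:01:02 alice@example.com 198.51.100.7
2024-03-26T10:02:45 alice@example.com 203.0.113.9
2024-03-26T10:05:00 bob@example.com 192.0.2.44
2024-03-26T10:00:30 carol@example.com 192.0.2.10
2024-03-26T10:25:00 carol@example.com 192.0.2.10
"""


def parse_events(text):
    """Parse log lines into (timestamp, account, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), account, ip))
    return events


def find_reset_bursts(events, max_requests=3, window=timedelta(minutes=10)):
    """Return {account: peak_count} for accounts that received more than
    max_requests reset requests inside any sliding window of `window`.
    The count is keyed on the target account, so rotating source IPs
    (as in the sample) does not hide the burst."""
    by_account = defaultdict(list)
    for ts, account, _ip in events:
        by_account[account].append(ts)

    flagged = {}
    for account, stamps in by_account.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Advance the window start until it fits inside `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > max_requests:
                flagged[account] = max(flagged.get(account, 0), count)
    return flagged


if __name__ == "__main__":
    print(find_reset_bursts(parse_events(SAMPLE_LOG)))
```

A real service would throttle or step-up-verify the flagged account rather than just reporting it; a couple of spread-out requests (carol) stay below the threshold.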

To protect against such attacks on iPhones and other Apple devices, it is crucial to use strong passwords for your Apple ID and avoid sharing sensitive information with unknown callers. Staying informed about potential threats and maintaining a cautious approach to requests for personal information can help users defend against social engineering attacks like the one discovered by Krebs. By being proactive and vigilant, users can safeguard their devices and personal data from malicious actors seeking to exploit security vulnerabilities.
