Skip to main content

Warning: Apple Users Targeted in Advanced Phishing Attack Involving Password Reset Requests

Phishing attacks taking advantage of what appears to be a bug in Apple's password reset feature have become increasingly common, according to a report from KrebsOnSecurity. Multiple Apple users users have been targeted in an attack that bombards them with an endless stream of notifications or multi-factor authentication (MFA) messages in an attempt to get them to approve an Apple ID password change.

An attacker is able to cause the target's iPhone, Apple Watch, or Mac to display system-level password change approval texts over and over again, with the hope that the person being targeted will mistakenly approve the request or get tired of the notifications and click on the accept button. If the request is approved, the attacker is able to change the ‌Apple ID‌ password and lock the Apple user out of their account.

Because the password requests target the ‌Apple ID‌, they pop up on all of a user's devices. The notifications render all linked Apple products unable to be used until the popups are dismissed one by one on each device. Twitter user Parth Patel recently shared his experience being targeted with the attack, and he says he could not use his devices until he clicked on "Don't Allow" for more than 100 notifications.

When attackers are unable to get the person to click "Allow" on the password change notification, targets often get phone calls that seem to be coming from Apple. On these calls, the attacker claims to know that the victim is under attack, and attempts to get the one-time password that is sent to a user's phone number when attempting a password change.

In Patel's case, the attacker was using information leaked from a people search website, which included name, current address, past address, and phone number, giving the person attempting to access his account ample information to work from. The attacker happened to have his name wrong, and he also became suspicious because he was asked for a one-time code that Apple explicitly sends with a message confirming that Apple does not ask for those codes.

The attack seems to hinge on the perpetrator having access to the email address and phone number associated with an ‌Apple ID‌.

KrebsOnSecurity looked into the issue, and found that attackers appear to be using Apple's page for a forgotten ‌Apple ID‌ password. This page requires a user's ‌Apple ID‌ email or phone number, and it has a CAPTCHA. When an email address is put in, the page displays the last two digits of the phone number associated with the Apple account, and filing in the missing digits and hitting submit sends a system alert.

It is not clear how the attackers are abusing the system to send multiple messages to Apple users, but it appears to be a bug that is being exploited. It is unlikely that Apple's system is meant to be able to be used to send more than 100 requests, so presumably the rate limit is being bypassed.

Apple device owners targeted by this kind of attack should be sure to tap "Don't Allow" on all requests, and should be aware that Apple does not make phone calls requesting one-time password reset codes.
This article, "Warning: Apple Users Targeted in Advanced Phishing Attack Involving Password Reset Requests" first appeared on

Discuss this article in our forums

Source: TechRadar

Popular posts from this blog

The hidden cost of food delivery

Noah Lichtenstein Contributor Share on Twitter Noah Lichtenstein is the founder and managing partner of Crossover , a diversified private technology fund backed by institutional investors, technology execs and professional athletes and entertainers. More posts by this contributor What Studying Students Teaches Us About Great Apps I’ll admit it: When it comes to food, I’m lazy. There are dozens of great dining options within a few blocks of my home, yet I still end up ordering food through delivery apps four or five times per week. With the growing coronavirus pandemic closing restaurants and consumers self-isolating, it is likely we will see a spike in food delivery much like the 20% jump China reported during the peak of its crisis. With the food delivery sector rocketing toward a projected $365 billion by the end of the decade, I’m clearly not the only one turning to delivery apps even before the pandemic hit. Thanks to technology (and VC funding) we can get a ri

Technics EAH-AZ60 review: Contending in stunning fashion

Technics serves notice that everyone should notice these earbuds. Technics ventured into the wireless earbuds category to go after the big dogs in the race. Think of the likes of Sony, Bose, and Sennheiser on sound quality, as well as the best you can find on design and functionality. It's a combination that comes at a price, but if done right, it gets easier to justify spending more. That's the case Technics makes with its EAH-Z60 earbuds. Its newest pair aims to take what the company has done in the past and make it even better. The results are easy to like and are significant enough to consider them as serious contenders. Technics EAH-AZ60 review: Price and availability What's good What's not good The competition Should you buy? At a glance Technics EAH-AZ60 Bottom line: Technics didn't just do one thing right with the EAH-AZ60. It covered almost the whole gamut of what makes wireless earbuds feel and sound exceptional. As a result, the p

Top Stories: Apple Event Preview, iPad Pro With M4 Chip Rumor, New Beats Headphones, and More

It's been a long time since the last one, but an Apple event is finally right around the corner! While it's anticipated to be a fairly short pre-recorded affair, we're expecting to see the first updates to the iPad lineup in over a year and half, so make sure to tune in to see what Apple has in store. Other news and rumors this week included a couple of product introductions from Apple's Beats brand, a roundup of rumors about updates to Apple's stock apps coming in iOS 18, and more changes to Apple's policies in the EU related to the Digital Markets Act, so read on below for all the details! What to Expect From the May 7 Apple Event Apple's first event of 2024 kicks off on Tuesday, May 7, at 7 a.m. Pacific Time, and we've put together our usual pre-event guide outlining what we're expecting to see on Tuesday. Several new products are expected to be unveiled, including two new iPad Pro models, two new iPad Air models, an updated Apple Pencil,

Top Stories: Apple Event With New iPads, Apple Pencil Pro, and More

Apple's "Let Loose" event this week went off largely as expected, headlined by new iPad Pro and iPad Air models. The updated higher-end devices are complemented by some new accessories, while Apple also tidied up the lower-end of the lineup a bit, so read on below for all the details! Everything Announced at the Apple Event Apple held its first event of the year this week to announce several new devices and accessories, including new iPad Pro models with OLED displays and the M4 chip, new 11-inch and 13-inch iPad Air models, the Apple Pencil Pro, and a redesigned Magic Keyboard for the iPad Pro. The event ran for nearly 40 minutes, but we have shared a video recapping the key announcements in just eight minutes . Check out all of our event coverage to learn more about the new products. Apple Announces New iPad Pro With M4 Chip, OLED Display, and More The new 11-inch and 13-inch iPad Pro models feature the M4 chip, OLED displays with increased brightness,