BOOK THIS SPACE FOR AD
ARTICLE ADApple device owners, consider yourselves warned: a targeted multi-factor authentication bombing campaign is under way, with the goal of exhausting iUsers into allowing an unwanted password reset.
First called out on X/Twitter by AI entrepreneur Parth Patel – and confirmed to be happening to others by security blogger Brian Krebs – the campaign appears to be targeting specific individuals, who are flooded with password reset requests. Because the alerts are sent at the system level, Patel reported, every single one had to be cleared before he could use his iPhone, Apple Watch, or MacBook.
Patel had to tap "Don't allow" on more than 100 notifications. Several of his friends – and other victims identified by Krebs – reported similar volumes.
The attack is similar to other multi-factor fatigue attacks that have popped up over the years. They aim to exhaust users into mistakenly tapping to allow someone to change their password – or doing so to stop the deluge. Microsoft even changed how its MFA codes work as a result of this kind of abuse.
Apple has yet to make such a change. Regardless, the attackers in this case were sophisticated enough to go beyond just spamming victims.
Around 15 minutes after clearing the notifications, Patel said he was called by someone spoofing their caller ID to pretend they were calling from Apple's actual support line. The caller informed Patel his account was under attack, and asked him to verify his information and provide a one-time reset code – ostensibly so the attacker could reset his password on their own. Being suspicious about the nature of the call, Patel asked them to verify some of his personal info, and the caller was able to – for the most part.
"They got a lot right, from date of birth, to email, to phone number, to current address, historic addresses," Patel reported. Luckily for Patel, he regularly checks to see what bits of his personal information are available online, and in this case it appears the data came from PeopleDataLabs – a B2B information firm.
"I distinctly remember [PeopleDataLabs] mixing me up with a midwestern elementary school teacher named Anthony S," Patel said, and that clued him in that the whole thing was a scam.
Russia's Cozy Bear dives into cloud environments with a new bag of tricks Go ahead, forget that password. Use a passkey instead, says Google Russia's Cozy Bear caught phishing German politicos with phony dinner invites Google Workspace weaknesses allow plaintext password theftThe fact the scammer called Patel directly suggests they were able to send password reset requests using Apple's iForgot page, which only asks for an email address and a solved CAPTCHA, in addition to knowing the account's phone number, to send a password reset request.
The sheer volume of requests raises the possibility that Apple may have a rate-limiting flaw in its iForgot system that allows for bombarding users with repeated reset requests. Apple didn't answer those questions, but did point us to a support page for how to recognize scams and phishing attempts targeting its users.
Until Apple addresses the issue in some way, be careful tapping those alerts and ensure you never accidentally give a scammer what they want. If someone claiming to be from Apple support calls, take Apple's advice, which makes it clear: "If you get an unsolicited or suspicious phone call from someone claiming to be from Apple or Apple Support, just hang up." ®