In an alarming trend that’s catching many off guard, a sophisticated new phishing scheme, known as “MFA Bombing,” is targeting Apple iPhone users, inundating them with a barrage of system-level password reset prompts.
This nefarious tactic is not only an annoyance but poses a significant threat to personal security, potentially locking users out of their devices or, worse, leading to identity theft.
Apple Prompts: The Mechanics of the Scam
At the heart of this scam are the relentless system-level notifications prompting users to reset their passwords. According to a detailed report by Krebs on Security, this phishing attempt likely exploits a loophole in Apple’s password reset functionality, bombarding users with reset requests.
These are not just ordinary annoyances. Whether a user accidentally taps ‘Allow’ or diligently denies each request, the scam doesn’t stop there. Perpetrators are stepping up their game by impersonating Apple’s official support team, making unsolicited calls to users and claiming their accounts have been compromised.
Victims are coerced into sharing a one-time code under the guise of verifying their identity, granting these scammers unfettered access to log out from all connected Apple devices and potentially remotely wiping them clean. An instance shared on X by Parth Patel illustrates the cunning nature of these fraudsters.
Patel recounted how he was approached with a request for his one-time code. Suspicion arose when the caller, supposedly from Apple, referred to him as Anthony S., despite having correctly stated much of his personal information.
⚠️ Scam Alert: New MFA Bombing (MFA Fatigue) #phishing #scam targeting #iPhone users 🍎 #infosec #cybersec
Scammers spam users with password reset prompts, until the victim eventually gives up and allows the reset. The #scammer then calls the victim impersonating #Apple support.… pic.twitter.com/i8m3YO2DY7
— Cybertrace (@Cybertrace_com) March 31, 2024
Guarding Against the Threat
The question then arises: how does one shield oneself from such an insidious threat? Firstly, understanding that these password reset requests manifest as system-level notifications is crucial. The immediate course of action should be to select ‘Don’t Allow’ every time such a prompt appears.
If the situation escalates to a phone call asking for the one-time verification code, the best response is to inform the caller that you’ll contact them back through the official Apple support channels. It’s important to remember that genuine Apple representatives will never ask for personal information over the phone to verify your identity.
Moreover, enabling the ‘Apple Recovery Key’ feature provides an added layer of security. This feature requires a lengthy passcode for any attempt to reset your Apple account password, effectively thwarting the efforts of attackers.
The “MFA Bombing” scam is a stark reminder of the evolving landscape of cyber threats and the importance of remaining vigilant. By staying informed about the latest scams and taking proactive measures to protect personal information, Apple users can fortify their defenses against these sophisticated phishing attacks.
Always approach unsolicited requests for personal information with skepticism, and when in doubt, reach out directly to Apple’s support to verify the legitimacy of any communication.