MFA Fatigue Attacks Targeting iPhone Users
A growing number of iPhone users are experiencing MFA fatigue attacks attempting to take over their Apple accounts.
If you’ve had an Apple device for more than a few months, you’re probably used to your iPhone prompting you for your Apple ID password once in a while. You might even go ahead and input that password without thinking twice. That’s a bad idea, actually. A recent string of MFA fatigue attacks is hitting iPhone users, bombarding them with password reset prompts that could easily compromise their Apple accounts.
What’s a MFA Fatigue Attack?
If you’ve been reading groovyPost for a while, you’ve likely seen us discuss 2FA and MFA. These stand for, respectively, two-factor authentication and multi-factor authentication. They’re a second line of defense for your online accounts, requiring you to give more than just your username and password to log in.
You may use an authenticator app, for example. Maybe you have a special USB key that you need to plug in for a login. In other cases, you’ll receive a code via SMS message.
In an MFA attack, bad actors will bombard you with MFA requests. The hope is that you’ll fall for at least one of them. In one recent attack documented by Parth Patel on X (formerly known as Twitter), Patel was hit with more than 100 push notifications prompting him to reset his Apple ID password.
A ‘Bug in Apple’s Systems’ Allowing Push Bombing Attacks
According to Krebs on Security, it’s a bug in Apple’s password reset feature that’s allowing these phishing attempts to work their magic. The target’s Apple devices, whether an iPhone, iPad, Apple Watch or Mac computer, are forced to show a potential victim dozens of push notifications.
These notifications stop you from using your device until you respond “Allow” or “Don’t Allow.” You might think that denying enough of them would trigger the attacker to give up, but that’s not the case.
After denying more than a hundred of the push notifications, Patel got a phone call. That phone call spoofed Apple’s customer support line, 1-800-275-2273. It was not, however, Apple calling — it was someone behind the phishing attack making one more effort to get access to Patel’s account.
As a matter of fact, such phone calls are completely against Apple’s support policy. The tech giant will never initiate an outbound call to you unless you ask Apple to contact you.
What To Do If Faced with a MFA Attack
We’re always vigilant with our online security, and so should you be. If you fall prey to one of these MFA fatigue attacks, here’s what you should do.
- Make sure you deny each and every password reset prompt unless you did, in fact, attempt to reset your password.
- If you receive a phone call claiming to be from Apple, go ahead and pick up the call. Inform the “representative” that you will call them back and hang up.
- Call Apple’s support line and inform them you may be undergoing a push bombing attack. The customer service rep should be able to confirm whether the call truly came from Apple or not.
Apple has not yet responded to requests for comment on the issue, but the company is usually quick to address exploits when they appear. Such attacks were used against Cisco, Microsoft, and Uber in past years, and those tech giants all responded swiftly to “plug the hole.”
I expect Apple to do likewise, either by rate-limiting the password reset push notifications so they don’t flood a user or by requiring some sort of additional verification before sending the notification.
Steve Krause
March 27, 2024 at 11:06 am
That is just crazy. That one is a nasty bug.
Just goes to show — don’t trust anyone who calls you. Hang up and call them back after validating the callback number. Just one takeaway.
There doesn’t appear to be a fix for this yet. Keep us updated on that.
Jeff Butts
March 27, 2024 at 11:16 am
The fact that they’re spoofing Apple’s customer support number is the real gotcha here. Remember: Apple will never call you out of the blue for a password issue, just like your bank won’t.