iPhone users are somewhat accustomed to the occasional Apple ID password prompt on their iPhones, but a new phishing attack might have them think twice before mindlessly entering their most valuable password. As outlined by Krebs on Security, Apple customers are being targeted in a “push bombing” or “MFA fatigue” phishing campaign where attackers repeatedly push two-factor authentication notifications to Apple devices.
As documented in a Twitter/X thread by Parth Patel, all of his Apple devices started “blowing up” with push notifications telling him to reset his Apple ID password. Patel said he had to dismiss some 100 notifications before the barrage ended. While Patel knew better than to fall for the prompts, other Apple users might not be so lucky, especially when their devices are bombarded with requests.
Apple’s Forgot Password page lets users request multiple password resets and sends a notification to all of your devices each time.
Foundry
The notifications look real because they are real. The attackers appear to be exploiting “a bug in Apple’s systems” that sends legitimate notifications to every Apple device logged into that Apple ID when someone tries to reset a password via Apple’s “Forgot Password?” page. The unsophisticated attack doesn’t appear to require much information other than a phone number and email address, and Apple’s system allows someone to repeatedly request a password reset in the hope that one of the requests will be allowed.
Then the user will receive a follow-up phone call from “Apple support” (spoofed as coming from Apple’s own support number, 1-800-275-2273), telling them that their account is under attack and that they need to verify a one-time code. Once the attackers receive that code, they can reset your password and break into your Apple ID.
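The weak spot the article describes is an endpoint that will send an unlimited number of reset pushes for one account. The following is an added illustration, not Apple’s code, of the two controls a service operator would want on the receiving side: a sliding-window rate limiter that stops sending pushes after a few requests per account, and a detection pass over a constructed event log that flags accounts already being bombarded. The event format (timestamp, account, event type, source IP), the sample events and the thresholds are assumptions made for this example.

```python
"""Rate-limit and detect "push bombing" of password-reset prompts.

Added example, not Apple's code. The event format is an assumption:
each event is (timestamp_seconds, account, event_type, source_ip).
"""
from collections import defaultdict, deque

# Constructed sample log: one account receives 100 reset prompts two seconds
# apart (the pattern described in the article); another receives a single one.
SAMPLE_EVENTS = [
    (1000 + i * 2, "victim@example.com", "password_reset_prompt", "203.0.113.5")
    for i in range(100)
] + [
    (1500, "alice@example.com", "password_reset_prompt", "198.51.100.7"),
]


class ResetRateLimiter:
    """Sliding-window limiter: at most `limit` reset prompts per account within
    `window` seconds; further requests are refused and no push is sent."""

    def __init__(self, limit=3, window=600):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # account -> timestamps inside the window

    def allow(self, account, now):
        q = self._hits[account]
        while q and now - q[0] >= self.window:  # drop hits that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def replay(events, limit=3, window=600):
    """Replay reset requests through the limiter.
    Returns (sent, refused): per-account counts of pushes sent vs. refused."""
    limiter = ResetRateLimiter(limit, window)
    sent, refused = defaultdict(int), defaultdict(int)
    for ts, account, etype, _ip in sorted(events):
        if etype != "password_reset_prompt":
            continue
        if limiter.allow(account, ts):
            sent[account] += 1
        else:
            refused[account] += 1
    return dict(sent), dict(refused)


def flag_push_bombing(events, threshold=5, window=600):
    """Detection view over an existing log: accounts whose peak number of reset
    prompts inside any `window`-second span exceeds `threshold`.
    Returns {account: peak_count}."""
    by_account = defaultdict(list)
    for ts, account, etype, _ip in events:
        if etype == "password_reset_prompt":
            by_account[account].append(ts)
    flagged = {}
    for account, times in by_account.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):
            while t - times[left] >= window:  # shrink window from the left
                left += 1
            peak = max(peak, right - left + 1)
        if peak > threshold:
            flagged[account] = peak
    return flagged


if __name__ == "__main__":
    print("sent/refused:", replay(SAMPLE_EVENTS))
    print("flagged:", flag_push_bombing(SAMPLE_EVENTS))
```

With the sample log, the limiter lets three pushes through to the targeted account and refuses the remaining 97, while the unrelated account’s single request is unaffected; the detection pass flags the targeted account with a peak of 100 prompts inside one window. A recovery key, as the article notes below, protects the password itself but not the flood of prompts, which is why the limit belongs on the server side.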
A separate user reports getting a similar alert on his Apple Watch that was suspicious enough for him to turn on his Apple ID’s recovery key, which is a “randomly generated 28-character code that helps improve the security of your Apple ID account by giving you more control over resetting your password to regain access to your account.” However, while a recovery key should make it difficult for the attackers to change your Apple ID password, it won’t stop the notifications from coming in.
Until Apple responds with a fix, the best you can do to stop the attack is to repeatedly cancel or tap “Don’t Allow” for any password reset notifications that you didn’t initiate. And as always, never give someone a two-factor code even if they say they’re from Apple.