Apple device owners are reporting a new cyberattack, which combines “MFA bombing” with faked phone calls from Apple Support.
“MFA bombing” (also known as “MFA fatigue” and “push bombing”) is an attack where cybercriminals bombard your phone and/or computer with large numbers of Multi-Factor Authentication requests, each asking you to approve a password change or login (see here for our article explaining MFA). The aim of the attack is to get you to either accidentally approve a request, or to approve one in the hope of stemming the tsunami of requests. Approval usually means giving the cybercriminal access to your account.
As reported by Krebs on Security, one person said he received over 100 MFA alerts on his Apple phone, watch, and laptop. He had to manually decline all the request notifications one by one. This is when the second part of the attack occurred.
After denying all the requests he then received a phone call which his phone identified as being from Apple Support. In fact, the call was from the cybercriminals, who had faked their caller ID so that it displayed the genuine Apple Support number (an action known as “spoofing”). The caller said they had detected that his account was under attack, and that to help they needed him to read out a verification code sent to his phone.
Suspicious, he asked the caller for supporting information, and the answers were all correct bar his first name. The name they gave matched an incorrect entry on a public profile site, indicating the cybercriminals were getting their information from there, not from the genuine Apple database.
The aim of the cybercriminals appeared to be to trigger an Apple ID reset, which includes a one-time verification code sent to the target person’s phone. If given that code, the cybercriminals can then reset the account password, locking the genuine owner out, and even trigger a remote device wipe, completely erasing all files and data from the victim’s Apple devices.
The cybercriminals seem to be abusing Apple’s password recovery web page. They only need to know your email address and phone number, which are often publicly available information.
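The attack pattern above (a burst of MFA push prompts in a short window, followed either by a wall of denials or by a single approval from a worn-down user) is visible in authentication logs. The following is an added example, not code from Apple, Krebs on Security, or this site, written from the point of view of an organisation running its own MFA or identity provider, since an end user cannot see Apple’s logs. The log format, field names, sample accounts, IP addresses and thresholds are all constructed assumptions for the demonstration. It uses a per-account sliding window to flag accounts receiving more than a handful of prompts in ten minutes, and separately records the dangerous case where an approval arrives while the burst is still active.

```python
"""Added example: flag MFA push-bombing bursts in authentication logs.

Illustrative code only; not Apple's or any vendor's tooling. The log
format, field names, thresholds and sample data are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed thresholds: this many push prompts for one account inside the
# window is treated as a bombing burst.
WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 5

# Constructed sample log (key=value fields, UTC timestamps). Not real data.
SAMPLE_LOG = """\
2024-03-27T09:00:00Z account=bob event=mfa_push result=approved source_ip=198.51.100.7
2024-03-27T09:00:05Z account=alice event=mfa_push result=denied source_ip=203.0.113.5
2024-03-27T09:00:20Z account=alice event=mfa_push result=denied source_ip=203.0.113.5
2024-03-27T09:00:35Z account=alice event=mfa_push result=denied source_ip=203.0.113.5
2024-03-27T09:00:50Z account=alice event=mfa_push result=denied source_ip=203.0.113.5
2024-03-27T09:01:05Z account=alice event=mfa_push result=denied source_ip=203.0.113.5
2024-03-27T09:01:20Z account=alice event=mfa_push result=denied source_ip=203.0.113.5
2024-03-27T09:30:00Z account=carol event=mfa_push result=denied source_ip=203.0.113.9
2024-03-27T09:30:10Z account=carol event=mfa_push result=denied source_ip=203.0.113.9
2024-03-27T09:30:20Z account=carol event=mfa_push result=denied source_ip=203.0.113.9
2024-03-27T09:30:30Z account=carol event=mfa_push result=denied source_ip=203.0.113.9
2024-03-27T09:30:40Z account=carol event=mfa_push result=denied source_ip=203.0.113.9
2024-03-27T09:30:55Z account=carol event=mfa_push result=approved source_ip=203.0.113.9
2024-03-27T10:00:00Z account=dave event=mfa_push result=denied source_ip=198.51.100.8
2024-03-27T10:20:00Z account=dave event=mfa_push result=approved source_ip=198.51.100.8
2024-03-27T11:00:00Z account=dave event=mfa_push result=denied source_ip=198.51.100.8
2024-03-27T11:30:00Z account=dave event=mfa_push result=approved source_ip=198.51.100.8
2024-03-27T12:00:00Z account=dave event=mfa_push result=denied source_ip=198.51.100.8
2024-03-27T12:30:00Z account=dave event=mfa_push result=approved source_ip=198.51.100.8
2024-03-27T12:45:00Z account=eve event=login result=success source_ip=198.51.100.9
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line (assumed format) into a dict."""
    ts_text, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_push_bombing(lines, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return {account: stats} for accounts that hit a burst of MFA pushes.

    Per account, a deque holds prompt timestamps inside the sliding window.
    The first prompt that brings the count to `threshold` opens a finding.
    An approval that lands while the window still holds a burst is recorded
    as `approved_during_burst`: the user most likely gave in, which is the
    event an incident responder needs to act on first.
    """
    records = [parse_line(l) for l in lines if l.strip()]
    records.sort(key=lambda r: r["ts"])  # tolerate out-of-order input
    recent = defaultdict(deque)
    stats = defaultdict(lambda: {"prompts": 0, "denied": 0,
                                 "burst_started": None,
                                 "approved_during_burst": False})
    for rec in records:
        if rec.get("event") != "mfa_push":
            continue  # only push prompts matter for this detector
        acct = rec["account"]
        st = stats[acct]
        st["prompts"] += 1
        if rec.get("result") == "denied":
            st["denied"] += 1
        q = recent[acct]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) >= threshold:
            if st["burst_started"] is None:
                st["burst_started"] = rec["ts"]
            if rec.get("result") == "approved":
                st["approved_during_burst"] = True
    return {a: s for a, s in stats.items() if s["burst_started"] is not None}


if __name__ == "__main__":
    for acct, s in detect_push_bombing(SAMPLE_LOG.splitlines()).items():
        flag = "APPROVED DURING BURST" if s["approved_during_burst"] else "all denied"
        print(f"{acct}: {s['prompts']} prompts, {s['denied']} denied, "
              f"burst from {s['burst_started'].isoformat()} ({flag})")
```

On the sample data, alice and carol are flagged (bob's single approved prompt and dave's prompts spread across hours are not), and carol's approval after five denials is the case to escalate: the account should be treated as compromised until the session and any password or recovery changes made after that approval have been reviewed.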
What can you do?
- Never approve an MFA request, no matter how genuine it appears, unless you knowingly triggered it.
- Don’t be fooled if “Apple Support” calls you. Apple say they never cold call people, and will only contact you if you explicitly ask them to as part of a support call you initiate.
- Consider using Apple’s “Hide My Email” service (details here), which generates random email addresses, keeping your actual email address private. It works with Apple logins and any site which has a “Sign in with Apple” option.