
Apple fans flooded with phony password reset requests

Apple device owners, consider yourselves warned: A targeted multi-factor authentication bombing campaign is going around with the goal of exhausting iUsers into accidentally allowing a password reset.

First called out on X by AI entrepreneur Parth Patel – and confirmed to be happening to others by security blogger Brian Krebs – the miscreants behind the campaign appear to be targeting specific individuals, who are then flooded with password reset requests. Because the alerts are sent at the system level, Patel said, every single one had to be cleared before he could use his iPhone, Apple Watch, or MacBook.

Patel had to tap “Don’t allow” on more than 100 notifications, similar to what several of his friends – and other victims identified by Krebs – reported. 

The attack resembles other multi-factor fatigue attacks that have popped up over the years, which aim to wear users down until they mistakenly tap to approve a password change – or do so simply to stop the deluge. Microsoft even changed how its Authenticator push prompts work as a result of this kind of abuse, adding number matching so that a prompt can't be approved with a single blind tap.

Apple has yet to make such a change. Regardless, the attackers in this case were sophisticated enough to go beyond just spamming victims. 

Around 15 minutes after clearing the notifications, Patel said, he received a call with a spoofed caller ID that made it appear to come from Apple's real support line. The caller told Patel his account was under attack and asked him to verify his information and read back a one-time reset code, which would have let the attacker complete the password reset themselves. Suspicious about the nature of the call, Patel asked the caller to verify some of his personal information, and the caller was able to – for the most part.

“They got a lot right, from date of birth, to email, to phone number, to current address, historic addresses,” Patel said. Luckily for Patel, he regularly checks which bits of his personal information are available online, and in this case the data appears to have come from PeopleDataLabs, a B2B information firm.

“I distinctly remember [PeopleDataLabs] mixing me up with a midwestern elementary school teacher named Anthony S,” Patel said, which clued him in that the whole thing was a scam. 

The fact that the scammer called Patel directly suggests they sent the password reset requests through Apple's iForgot page, which requires only an email address, the account's phone number, and a solved CAPTCHA to trigger a reset request.

Given the sheer volume of requests, it has been suggested that Apple may have a rate-limiting flaw in its iForgot system that lets an attacker bombard a user with repeated reset requests. Apple didn't answer those questions, but did point us to a support page on how to recognize scams and phishing attempts targeting its users.
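To make the rate-limiting point concrete, here is an added example of a per-account sliding-window limiter for reset prompts. It is illustrative code written for this article, not Apple's implementation and not something the article or Krebs published; the thresholds, the account names and the simulated request stream are assumptions. What it shows is that a 100-request flood like Patel's yields a handful of prompts and then silence, while a user who resets a password occasionally is never throttled.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Tuple


@dataclass
class ResetPromptLimiter:
    """Per-account sliding-window limiter for password-reset prompts.

    Policy values below are assumptions for illustration, not Apple's.
    """
    max_prompts: int = 3             # prompts allowed per account per window
    window_seconds: float = 900.0    # 15-minute sliding window
    lockout_seconds: float = 3600.0  # suppress further prompts for an hour once exceeded
    _history: Dict[str, Deque[float]] = field(default_factory=dict, init=False)
    _locked_until: Dict[str, float] = field(default_factory=dict, init=False)

    def request(self, account: str, now: float) -> Tuple[bool, str]:
        """Decide whether a reset request may raise a device prompt.

        Returns (deliver, reason). Only deliver=True results in a system-level
        notification; everything else is logged and dropped so the target's
        devices stay usable.
        """
        if now < self._locked_until.get(account, 0.0):
            return False, "locked_out"
        hist = self._history.setdefault(account, deque())
        # Evict timestamps that have aged out of the window.
        while hist and now - hist[0] >= self.window_seconds:
            hist.popleft()
        if len(hist) >= self.max_prompts:
            # Crossing the cap starts a lockout rather than dropping just this
            # one request: a flood costs the attacker one prompt budget and
            # then buys nothing for the rest of the hour.
            self._locked_until[account] = now + self.lockout_seconds
            return False, "rate_limited"
        hist.append(now)
        return True, "delivered"


def simulate_bombing(n: int = 100, interval_seconds: float = 5.0) -> Dict[str, int]:
    """Constructed scenario: an attacker fires n reset requests at one account,
    one every interval_seconds, and we count how each was handled."""
    limiter = ResetPromptLimiter()
    counts = {"delivered": 0, "rate_limited": 0, "locked_out": 0}
    for i in range(n):
        _, reason = limiter.request("victim@example.com", i * interval_seconds)
        counts[reason] += 1
    return counts


def simulate_legitimate(times=(0.0, 2000.0, 4000.0)) -> int:
    """Constructed scenario: a real user who forgets their password a few
    times across a day, well outside the window, is never throttled."""
    limiter = ResetPromptLimiter()
    return sum(1 for t in times if limiter.request("victim@example.com", t)[0])


if __name__ == "__main__":
    print("bombing:", simulate_bombing())  # {'delivered': 3, 'rate_limited': 1, 'locked_out': 96}
    print("legitimate prompts delivered:", simulate_legitimate())  # 3
```

Two design points worth noting. The counter is keyed on the target account, not the source IP, because a bombing campaign hits one account and can come from anywhere. And the lockout cuts both ways: the genuine owner locked out mid-attack needs another path to recover (for instance a reset initiated from a device that is already signed in), which is why the window and lockout are tunable rather than fixed.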

Until Apple decides to address the issue in some way, be careful tapping those alerts to ensure you never accidentally give a scammer what they want. If someone from Apple support calls, do what one tweeter suggested: Get their name, then call Apple support back and ask to speak to the person you spoke to. If they can’t find them, ask if anyone from Apple support has called.

Or take Apple’s advice, which makes it clear. “If you get an unsolicited or suspicious phone call from someone claiming to be from Apple or Apple Support, just hang up.” ®
