PSA: New “MFA Bombing” phishing attack targets Apple IDs

There has been a recent surge in sophisticated phishing attacks targeting Apple users. These attacks abuse a weakness in Apple’s password reset flow with the aim of gaining unauthorized access to users’ Apple ID accounts.

One such attack, dubbed “MFA Bombing,” bombards users with a stream of system notifications, each a multi-factor authentication (MFA) request to approve a reset of their Apple ID password. The goal is to wear the user down until they tap “Allow” by mistake.


This phishing attack floods your Apple devices with password reset prompts

The attack begins with the attacker triggering password resets for the victim’s Apple ID over and over, which causes the victim’s devices to display system-level prompts asking them to allow or deny each password change. The attacker never needs the victim’s password to do this; they only need to start the reset. If the user taps “Allow” even once, the attacker who initiated that reset can set a new password, take over the Apple ID, and lock the real owner out.


The attackers exploit a bug in Apple’s password reset system that lets them send these requests far faster than a normal user ever would, so iPhones, Macs, and Apple Watches display an unending series of password change notifications. Each notification persists until the user either approves or denies it, and the device is hard to use until the backlog is cleared. The attackers count on exhaustion or confusion: after dismissing dozens of prompts, a user is likely to tap the wrong button on one of them.
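The two things a defender can do about this pattern are to detect the burst in authentication logs and to throttle reset prompts server-side so a flood never reaches the user’s devices. The Python below is an added example (not code from the original article, and not Apple’s code): the log format, the account names, the thresholds, and the throttle are all assumptions made for the example, since the page does not describe Apple’s internal logging or the exact bug.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (invented format, not real Apple logs):
#   "<UTC timestamp> <event> account=<id> src=<ip>"
# Account u1001 is being bombed from one source; u2002 sees a single
# legitimate reset that the user approves.
SAMPLE_LOG = """\
2024-03-25T09:00:01Z reset_prompt_sent account=u1001 src=203.0.113.7
2024-03-25T09:00:04Z reset_prompt_sent account=u1001 src=203.0.113.7
2024-03-25T09:00:09Z reset_prompt_sent account=u1001 src=203.0.113.7
2024-03-25T09:00:12Z reset_prompt_sent account=u2002 src=198.51.100.3
2024-03-25T09:00:15Z reset_prompt_sent account=u1001 src=203.0.113.7
2024-03-25T09:00:21Z reset_prompt_sent account=u1001 src=203.0.113.7
2024-03-25T09:00:30Z reset_prompt_denied account=u1001
2024-03-25T09:00:33Z reset_prompt_sent account=u1001 src=203.0.113.7
2024-03-25T09:01:02Z reset_prompt_approved account=u2002
"""


def parse_line(line):
    """Split one log line into (timestamp, event, {field: value})."""
    ts, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields


def detect_bombing(log_text, threshold=5, window=timedelta(minutes=10)):
    """Detection side: flag accounts that receive at least `threshold` reset
    prompts inside any sliding `window`. Lines must be in time order.
    Returns {account: peak number of prompts seen inside one window}."""
    recent = defaultdict(deque)  # account -> prompt timestamps still in window
    peak = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, fields = parse_line(line)
        if event != "reset_prompt_sent":
            continue
        acct = fields["account"]
        q = recent[acct]
        q.append(ts)
        while ts - q[0] > window:  # age out prompts older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[acct] = max(peak.get(acct, 0), len(q))
    return peak


class ResetPromptThrottle:
    """Prevention side (assumed generic control, not Apple's actual fix):
    deliver at most `limit` reset prompts per account per `window`, no matter
    how many reset requests the attacker submits."""

    def __init__(self, limit=3, window=timedelta(hours=1)):
        self.limit, self.window = limit, window
        self.sent = defaultdict(deque)

    def allow(self, account, now):
        q = self.sent[account]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # swallow the request; do not wake the user's devices
        q.append(now)
        return True


def replay_with_throttle(log_text, throttle):
    """Replay the sample log through the throttle and count how many prompts
    would actually reach each account's devices."""
    delivered = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, fields = parse_line(line)
        if event == "reset_prompt_sent" and throttle.allow(fields["account"], ts):
            delivered[fields["account"]] += 1
    return dict(delivered)


if __name__ == "__main__":
    print("bombed accounts:", detect_bombing(SAMPLE_LOG))
    print("prompts delivered with throttle:",
          replay_with_throttle(SAMPLE_LOG, ResetPromptThrottle()))
```

On the constructed log the detector flags only u1001 (six prompts in well under ten minutes), and the throttle cuts u1001’s six prompts down to three while leaving u2002’s single legitimate reset untouched. The detector is worth running even when the provider throttles, because a burst of a few prompts followed by a support call is still the signature of this campaign.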

Once the user has denied the prompts, the attackers often follow up by phone, spoofing the caller ID so the call appears to come from Apple Support. Posing as a support representative helping with the “suspicious activity,” they ask the user to read back the one-time password (OTP) that was just sent to their device. That code is the last step of the password reset, so handing it over completes the takeover even if every on-screen prompt was denied.

Several Apple users, including AI entrepreneur Parth Patel, have been targeted. Patel described receiving more than 100 password reset notifications, followed by a spoofed call from attackers posing as Apple Support.

What makes the call convincing is that the attackers already hold accurate personal details about the target, apparently gathered from leaked databases. Patel was cautious and did not hand over the code, but the callers still knew his real information, which is why an unexpected “support” call should be treated as hostile no matter how much the caller seems to know.

How to protect your device against phishing attacks

Users must adopt proactive measures to safeguard their Apple accounts against phishing attacks.

  1. Never approve a password reset prompt you did not start yourself. Tap “Don’t Allow” on every one of them, however many arrive. Denying a prompt cannot hurt you; approving the wrong one hands over the account.
  2. Treat any unexpected call claiming to be Apple Support as part of the attack, especially if the caller asks for a one-time code. Apple Support does not call you unsolicited about reset prompts or ask you to read out these codes. When in doubt, hang up and contact Apple yourself through official channels.
  3. Keep two-factor authentication enabled. It is still what stands between a leaked password and your account, but remember that in this attack the prompts themselves are the second factor, so its protection depends entirely on you refusing requests you did not initiate.
  4. Keep informed of cybersecurity news and updates so you recognize emerging threats like this one before they reach you.

By understanding the tactics employed by attackers and staying vigilant, users can mitigate the risk of falling victim to such malicious schemes. Protecting one’s digital identity and devices is paramount in today’s interconnected digital landscape. Stay informed, stay cautious, and stay secure.

About the Author

Asma is an editor at iThinkDifferent with a strong focus on social media, Apple news, streaming services, guides, mobile gaming, app reviews, and more. When not blogging, Asma loves to play with her cat, draw, and binge on Netflix shows.