• Watch out, iPhone owners: this dangerous phishing attack could lo

    From TechnologyDaily@1337:1/100 to All on Wed Mar 27 11:15:05 2024
    Watch out, iPhone owners: this dangerous phishing attack could lock you out
    of your Apple devices

    Date:
    Wed, 27 Mar 2024 10:59:35 +0000

    Description:
    Hackers are trying to trick users into handing over their Apple IDs, locking them out of their Apple devices.

    FULL STORY ======================================================================

    A new phishing attack has been targeting Apple users, bombarding them with notifications and attempting to trick them into allowing hackers access to their account. If the attackers get their way, you can be locked out of every single Apple device you own.

    Documented by the Krebs on Security blog (via MacRumors), the exploit involves MFA bombing, or sending a constant stream of multi-factor authentication (MFA) requests to a user. These usually display the text "Use this iPhone to reset your Apple ID password", with options for "Don't Allow" and "Allow".

    If you select "Allow", the hacker is able to change your Apple ID password and lock you out of your own account. Because this method affects your Apple ID (rather than, say, your Lock Screen passcode), it can be used to take over all of your Apple devices that use that same ID.

    That makes it a particularly powerful attack. But if you experience it, it's unlikely you'll just see one pop-up: the bad actors seem to be exploiting a bug that displays the request over and over again, with a new one appearing each time you select "Don't Allow".

    According to Parth Patel on X (formerly Twitter), you might have to dismiss over 100 messages, with the attackers apparently hoping that you'll slip up or get tired and mistakenly choose "Allow".

    A professional and sophisticated attack

    And it doesn't stop there. If you get through all of that and the phishers still have not been able to take over your account, they apparently call you while pretending to be Apple.

    Patel detailed how the impersonators spoofed the official Apple number and asked him for a one-time password (OTP) that had just been texted to him. Handing this over would have been an error as it would have given them another way into Patel's account, and the text accompanying the OTP explicitly stated it should not be shared with anyone.

    Fortunately, Patel did not hand it over. He asked the caller to validate a ton of information about himself, much of which they got correct, yet they managed to get his first name wrong. It turns out that they were using a leaked database of personal information from People Data Labs that had incorrectly logged his data.

    Krebs on Security determined that the attackers are likely using a page on Apple's website for users who have forgotten their Apple ID password. This page lets you enter an Apple ID or phone number, pass a CAPTCHA check and send a reset request to the account. It's not known how the phishers are getting the system to send multiple requests, but it's likely to be a bug that they are exploiting.

    This professional and sophisticated attack shows the lengths some hackers are going to in order to take over targeted Apple accounts, and it is clearly not the work of amateurs. If you get bombarded with password reset requests, make sure you always select "Don't Allow" (no matter how many pop-ups appear) and always refuse to hand over OTP details, even if the request appears to be official.

    Apple will never ask for these details (and nor will any other reputable company). It's your device account that's on the line, and you need to protect it at all costs.



    ======================================================================
    Link to news story: https://www.techradar.com/phones/iphone/watch-out-iphone-owners-this-dangerous-phishing-attack-could-lock-you-out-of-your-apple-devices


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)