Imagine this: you suddenly receive messages on your iPhone telling you to reset your Apple ID password. It may seem like something is wrong with your account, so you start the process to reset your password. But here's the trick: all those messages are fake. It's a clever trick set up by people trying to gain access to your Apple ID and all your personal data, like your photos, messages, and credit card information.
They abuse a flaw in Apple's password reset flow to make you think something is wrong with your account. Worse, they can trigger these prompts over and over, so your phone keeps beeping and vibrating and the sense of emergency builds.
Phishing campaigns aimed at Apple IDs are nothing new. What is new in this "sophisticated" attack is that it combines a bug in the Apple ID password reset function with "push bombing" (also called "MFA fatigue"): the attacker triggers the reset flow repeatedly, flooding the victim's Apple devices with Reset Password prompts until the victim is worn down and primed to trust a follow-up call.
But that's not all. After receiving all those fake messages and starting to worry, you might even get a call from someone claiming to be from Apple Support. They try to convince you to give them your password reset code. And if you do, they've got you. They can then log into your Apple ID and access all your data without you realizing it.
As reported by Krebs on Security, entrepreneur Parth Patel was one of the victims of this new attack. Patel explained in a post on X (formerly Twitter) that his iPhone and other Apple devices suddenly "started flooding with password reset notifications." Because these are system-level alerts, the device cannot be used until each one is dismissed.
The attackers made a led high effort focused attack on me, using OSINT data from People Data Labs and caller ID spoofing.
First, around 6:36pm yesterday all of my Apple devices started blowing up with Reset Password notifications.
Because these are Apple system level alerts,… pic.twitter.com/vX1AZvoVoN
— Parth (@parth220_) March 23, 2024
According to Patel, he received more than 100 requests to reset his Apple ID password. But the attack didn't stop there. About 15 minutes later, Patel received a call from someone spoofing the official Apple Support phone number.
"I was naturally still cautious, so I asked them to validate a lot of information about me before answering any of their questions," said Patel. To gain the victim's trust, the person pretending to work for Apple Support shared multiple correct personal details, such as email, phone number, and current billing address.
Fortunately, Patel was able to confirm that the call was a scam after asking the person to confirm his name. "I was tipped off that they used my data from People Data Labs in real time to validate a ton of information. Despite correctly stating all of my data, the phishers thought my name was Anthony S."
For those unfamiliar, People Data Labs is a data broker that aggregates and sells personal profiles. In 2019 an unsecured server exposed around 1.2 billion records of its data, which is one reason such profiles are cheap and easy for attackers to obtain.
Never share your password reset code with others
What attackers want is to convince victims that something is wrong and that they need to share the code sent by Apple to reset their password. Of course, if the victim shares this code with someone else, that person can gain full access to the Apple ID.
To prevent this, never share the password reset code with anyone, even someone who claims to be Apple Support. Apple does not make unsolicited support calls, and genuine support staff never ask for reset or verification codes. If a caller pressures you, hang up and contact Apple yourself through the number or support page listed on apple.com, and treat any unexpected message or call asking for personal information as suspect. Prevention is better than cure.
Apple has yet to comment on the issue or release an update preventing attackers from sending multiple password reset requests. For now, the best way to prevent attacks like these is never to share the code to reset your Apple ID password with others.
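The missing control the attack relies on is a bound on how many reset prompts can be pushed to one account in a given period. The following Python is an added illustration written for this page, not Apple's code and not a description of how Apple's servers actually work: a per-account sliding-window throttle that lets a legitimate reset through but suppresses a flood, plus a detection pass over a request log that flags the push-bombing pattern described above. The window and limit values, the account names and the timestamps are all constructed assumptions.

```python
"""Added example: throttling and detecting password-reset push bombing.

Hypothetical code for illustration only. It models the kind of control that
would blunt the flood described in the article: every reset request is still
recorded, but only a bounded number of prompts per account reach the user's
devices in any window, and bursts above a threshold are flagged for review.
Policy values, account names and timestamps below are constructed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600       # assumed policy: one-hour window
MAX_PROMPTS_PER_WINDOW = 3  # assumed policy: at most three prompts per hour


class ResetPromptThrottle:
    """Per-account sliding-window limiter for reset prompts."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PROMPTS_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._sent = defaultdict(deque)     # account -> timestamps of prompts actually sent
        self.suppressed = defaultdict(int)  # account -> number of requests dropped

    def request(self, account, now):
        """Return True if a prompt may be pushed to the account's devices now."""
        q = self._sent[account]
        # Drop send timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            self.suppressed[account] += 1
            return False
        q.append(now)
        return True


def detect_push_bombing(events, window=600, threshold=10):
    """Flag accounts that received more than `threshold` reset requests within
    any `window` seconds. `events` is an iterable of (timestamp, account) pairs.
    Returns {account: peak request count in a window}."""
    by_account = defaultdict(list)
    for ts, account in events:
        by_account[account].append(ts)
    flagged = {}
    for account, stamps in by_account.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Advance the window start until it is within `window` of ts.
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[account] = max(flagged.get(account, 0), count)
    return flagged


def simulate():
    """Constructed traffic: one legitimate reset and a 100-request flood."""
    events = [(0, "alice@example.com")]  # legitimate single request
    # Flood: 100 requests, one every 5 seconds, over roughly eight minutes.
    events += [(1000 + i * 5, "victim@example.com") for i in range(100)]

    throttle = ResetPromptThrottle()
    delivered = defaultdict(int)
    for ts, account in events:
        if throttle.request(account, ts):
            delivered[account] += 1
    return dict(delivered), dict(throttle.suppressed), detect_push_bombing(events)


if __name__ == "__main__":
    sent, dropped, flagged = simulate()
    print("prompts delivered:", sent)     # victim gets 3, not 100
    print("requests suppressed:", dropped)
    print("push-bombing flagged:", flagged)
```

With the throttle in place the victim's devices would see three prompts instead of a hundred, and the detection pass singles out the account for review. The suppressed requests are still counted, which is what makes the burst visible to a security team rather than silently discarded.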