New iPhone Password Attack Warning Issued To Apple Users

Apple iPhone users are being targeted in a new attack aimed at the password reset feature.

The attack, which bombards Apple users with notifications or multi-factor authentication messages, aims to persuade iPhone users that they need to reset their password. The annoying popups can appear on all Apple devices—iPhones, iPads and Macs.

Spotted by security researcher Brian Krebs and covered in his blog, Krebs On Security, the popups themselves aren’t used to gain access to your iPhone. Instead, they are used to create panic ahead of the attacker calling you from a spoofed number. Pretending to be from Apple, the attacker then hopes you will share your one-time password to confirm a password reset.

In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt, Krebs writes. “Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to ‘verify’ a one-time code.”

How Bad Is The New iPhone Attack?

So how bad is the new iPhone attack? In reality, it’s not easy to pull off. First, the attacker has to have access to information including the email address and phone number associated with your Apple ID.

In one case, reported by Twitter/X user Parth Patel, the attackers had gained these details from a people-search website. However, the adversary got his name wrong, and Parth was suspicious when they asked for the one-time code sent by Apple.

Krebs found attackers were using Apple’s Forgot Password feature for Apple ID to send the notification spam messages. It also appears they’re using a vulnerability or bug to bypass the limit Apple places on the number of reset requests.
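The flood described above is visible on the server side as many reset prompts pushed to one account in a short window. The following added example (not from the article or from Apple) replays constructed reset-prompt log lines through a detector that flags prompt bombing, and through an assumed per-account sliding-window cap of the kind whose bypass is reported here; the log format, threshold and cap values are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real Apple telemetry): one line per
# "Forgot Password" prompt pushed to an account's devices.
BASE = datetime(2024, 3, 26, 10, 0, tzinfo=timezone.utc)
LOG_LINES = [
    f"{(BASE + timedelta(seconds=20 * i)).isoformat()} reset_prompt_sent account=user-a@example.com"
    for i in range(30)                      # 30 prompts in 10 minutes: prompt bombing
] + [
    f"{(BASE + timedelta(hours=h)).isoformat()} reset_prompt_sent account=user-b@example.com"
    for h in (1, 9)                         # two ordinary prompts hours apart
]

def parse_line(line):
    """Split one log line into (timestamp, account)."""
    ts, _event, acct = line.split()
    return datetime.fromisoformat(ts), acct.split("=", 1)[1]

def find_prompt_floods(lines, threshold=10, window=timedelta(hours=1)):
    """Detection: {account: peak prompts inside any `window`} for accounts at or over threshold."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, acct in sorted(parse_line(l) for l in lines):
        q = recent[acct]
        q.append(ts)
        while ts - q[0] > window:           # evict prompts older than the window
            q.popleft()
        peak[acct] = max(peak[acct], len(q))
    return {a: n for a, n in peak.items() if n >= threshold}

class PromptRateLimiter:
    """Assumed mitigation: a server-side sliding-window cap on reset prompts per account."""
    def __init__(self, max_prompts=5, window=timedelta(hours=1)):
        self.max_prompts, self.window = max_prompts, window
        self.sent = defaultdict(deque)

    def allow(self, account, ts):
        q = self.sent[account]
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_prompts:
            return False                    # dropped: the devices never see prompt six
        q.append(ts)
        return True

def deliver(lines, limiter):
    """Replay the log through the limiter; return prompts actually delivered per account."""
    delivered = defaultdict(int)
    for ts, acct in sorted(parse_line(l) for l in lines):
        if limiter.allow(acct, ts):
            delivered[acct] += 1
    return dict(delivered)
```

With the cap keyed on the account rather than the requesting client, the 30-prompt burst collapses to five prompts while the two spaced-out prompts for the other account are untouched.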

What Does Apple Say About The New iPhone Attack?

The iPhone maker is aware of reports that some users are receiving a high volume of alerts asking if they are attempting to reset their password, an Apple spokesperson said. The company has also taken steps to address the reported issue.

You can access tips on avoiding iPhone phishing attacks like this one on Apple’s support page.

“If you're suspicious about an unexpected message, call, or request for personal information or money, it's safer to presume it's a scam and contact that company directly if you need to,” the support document reads.

“If you get an unsolicited or suspicious phone call from someone claiming to be from Apple or Apple Support, just hang up,” Apple adds. In the U.S., you can report scam phone calls to the Federal Trade Commission at reportfraud.ftc.gov.

If you do get caught out, don’t be too hard on yourself. Jake Moore, global cybersecurity advisor at ESET, says he can see how someone could be tricked by the attack. “It goes to show that we must constantly remain on guard to changing phishing and smishing tactics. But however relentless attackers become, it is vital to refrain from divulging sensitive information.”

To prevent being hit by attacks on your iPhone or other Apple device, make sure you use strong passwords to protect your Apple ID. Always apply iPhone updates when they are released and ensure you never give out information to anyone on the phone—particularly one-time passcodes.
