In a concerning turn of events, Apple users have found themselves under siege from a sophisticated phishing attack, raising alarms over potential vulnerabilities in Apple’s password reset mechanisms. Reports indicate that malicious actors are exploiting a possible flaw in Apple’s system, bombarding users’ devices with a relentless stream of notifications or multi-factor authentication (MFA) messages.
The attack method revolves around deceiving users into authorizing a password change request for their Apple ID. Perpetrators targeted iPhones, Apple Watches, or Macs with prompts at the system level, aiming to coerce users into unwittingly approving the request or wearing them down until they relent and click “accept.” Once permission is granted, the attacker gains control of the Apple ID, effectively locking the legitimate user out of their account, as per findings highlighted by KrebsOnSecurity.
This onslaught of notifications renders all connected Apple devices unusable until each alert is individually disregarded. Parth Patel, an X user, took to the microblogging platform and recounted his harrowing ordeal, describing how he was compelled to delete over a hundred alerts before regaining control of his devices.
Moreover, the attackers employ phone calls acting as Apple representatives to pressure users into clicking “Allow” on the password change notifications. During these fraudulent calls, victims are coerced into divulging the one-time passwords sent to their phone numbers, further compromising their security. Exploiting information gleaned from public databases, attackers gain access to users’ personal details such as names, addresses, and phone numbers. Despite its apparent sophistication, this method hinges on having access to the email address and phone number linked to the Apple ID.
According to an analysis by KrebsOnSecurity, the attackers circumvent the system’s intended functionality by exploiting Apple’s forgotten Apple ID password page. Despite the presence of CAPTCHA, attackers manage to inundate users with repeated messages, likely exploiting a loophole in Apple’s system.
In light of these developments, Apple device owners are urged to exercise caution and refrain from approving suspicious password change requests. Additionally, given that Apple does not initiate such requests over the phone, customers are advised to remain wary of unsolicited calls soliciting one-time password reset codes.
Unlock a world of Benefits! From insightful newsletters to real-time stock tracking, breaking news and a personalized newsfeed – it’s all here, just a click away! Login Now!
The Mint News App to get Daily Market Updates & Live Business News.
Published: 28 Mar 2024, 12:36 PM IST
