Hackers find a new way to flood iPhones with notifications and use them for phishing attacks: what to do?

March 28, 2024  16:03

Several users of Apple devices have reported falling victim to a new type of phishing attack, where perpetrators inundate their devices with dozens of system password change requests, preventing them from using the device until all requests are either accepted or declined. Subsequently, the fraudsters would call the victims, posing as Apple support, and claim that their account was under attack, urging them to "verify" a one-time code.

One of the victims, Parth Patel, an entrepreneur and founder of an AI startup, shared his experience on Twitter. On March 23, he recounted an attack commonly known as push-bombing or "MFA fatigue": perpetrators abuse weaknesses in the multi-factor authentication (MFA) flow by bombarding the device with requests to change the login or password until the user approves one by mistake or out of exhaustion.

"All my devices went haywire: my watch, laptop, phone. These notifications appeared as system requests to confirm the reset of my Apple account password, but I couldn't use my phone until I closed them all, and there were over a hundred," Patel said in an interview with KrebsOnSecurity.

After sending a series of notifications, the fraudsters call the victim, spoofing the phone number used by Apple's actual technical support.

"When I answered the call, I was extremely cautious and asked if they could provide my details, and after quickly pressing a few keys, they gave me absolutely accurate information," Patel recalled. Everything was correct apart from his real name: according to Patel, the callers used a name he had once seen among the data for sale on the PeopleDataLabs website.


The aim of the fraudsters is to lure the user into providing the one-time Apple ID reset code sent to the device. Once obtained, they can reset the account password, lock the user out, and erase all data from all their devices.

Patel is not the only victim. Another user, who owns a cryptocurrency hedge fund, reported a similar attack in late February.

"I declined to change the password, but then another 30 notifications came at me. I thought I accidentally pressed a button and dismissed them all," he said. According to him, the perpetrators targeted him for several days, but at some point, he received a call from Apple support. "I said I would call Apple myself. I did so, and they told me that Apple never calls customers unless they request a call."

A third user was advised by Apple support, during a call, to enable an Apple ID recovery key, which was supposed to stop the notifications that kept arriving every few days. However, this did not help him either. It is quite likely that the attackers are using the Apple password recovery website for the attack: to trigger a system password change notification, all that is required is to enter the phone number linked to the Apple ID and solve a captcha.

"What normally designed authentication system sends dozens of password change requests per second when the user has not responded to previous ones?" wonders Brian Krebs of KrebsOnSecurity.
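Krebs's question is really a design requirement: a reset flow should never push a new prompt while one is still unanswered, and should cap how many prompts an account can receive per window. The following is an added illustrative guard for that step, not Apple's code or anything from the article; the class, thresholds and the constructed flood scenario are assumptions for demonstration.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ResetPromptGuard:
    """Hypothetical guard in front of 'push a password-reset prompt to the user's devices'.

    Rule 1: while a prompt is unanswered, further requests reuse it (no new push).
    Rule 2: at most max_per_window prompts per account per window; beyond that the
            request is throttled and should be logged/alerted rather than pushed.
    """
    max_per_window: int = 3
    window_seconds: int = 3600
    pending: dict = field(default_factory=dict)   # account -> timestamp of open prompt
    history: dict = field(default_factory=dict)   # account -> deque of push timestamps

    def request_reset(self, account: str, now: float) -> str:
        """Return 'send', 'coalesced' or 'throttled' for one reset request."""
        if account in self.pending:
            return "coalesced"                    # an unanswered prompt already exists
        sent = self.history.setdefault(account, deque())
        while sent and now - sent[0] >= self.window_seconds:
            sent.popleft()                        # drop pushes outside the window
        if len(sent) >= self.max_per_window:
            return "throttled"                    # flood stops here; alert the account
        sent.append(now)
        self.pending[account] = now
        return "send"

    def resolve(self, account: str) -> None:
        """The user accepted or declined the open prompt on a device."""
        self.pending.pop(account, None)


def simulate_flood(attempts: int = 100, user_answers: bool = False) -> dict:
    """Constructed scenario: `attempts` reset requests for one account, one every 50 ms.

    user_answers=False models a victim who ignores the prompts; user_answers=True
    models one who declines each prompt immediately (the article's second victim).
    """
    guard = ResetPromptGuard()
    counts = {"send": 0, "coalesced": 0, "throttled": 0}
    for i in range(attempts):
        outcome = guard.request_reset("victim@example.invalid", now=1000.0 + i * 0.05)
        counts[outcome] += 1
        if user_answers:
            guard.resolve("victim@example.invalid")
    return counts
```

With these two rules a hundred submissions yield a single prompt if the user ignores it, or three prompts and then an alert if the user keeps declining, instead of a hundred lock-screen interruptions.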
