
Apple ID push bombing scam steals user passwords, beware





Apple ID “push bombing” Attack

TLDR:

  • Apple users are being targeted by a phishing campaign known as “push bombing” to steal Apple IDs and passwords.
  • The attack involves inundating users with notifications to approve password changes, leading them to accidentally authorize malicious requests.

Apple users are falling prey to a sophisticated phishing campaign designed to hijack their Apple IDs through what’s known as a “push bombing” or “MFA fatigue” attack. This method exploits the multi-factor authentication (MFA) system, bombarding users with incessant notifications to approve password changes or logins, ultimately aiming to steal passwords and gain unauthorized access to personal information and devices.
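One way a service operator could detect the prompt flood described above, shown as an added example that is not from the original article or from Apple. The log format, field names, 10-minute window and threshold of 5 prompts are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, account, event, user response.
SAMPLE_EVENTS = """\
2024-03-27T08:00:00Z bob reset_prompt approved
2024-03-27T09:00:05Z alice reset_prompt ignored
2024-03-27T09:00:40Z alice reset_prompt denied
2024-03-27T09:01:10Z alice reset_prompt denied
2024-03-27T09:02:00Z alice reset_prompt ignored
2024-03-27T09:03:30Z alice reset_prompt denied
2024-03-27T09:04:15Z alice reset_prompt approved
2024-03-27T09:30:00Z bob reset_prompt denied
2024-03-27T10:00:00Z carol reset_prompt denied
2024-03-27T10:01:00Z carol reset_prompt denied
2024-03-27T10:02:00Z carol reset_prompt denied
2024-03-27T10:03:00Z carol reset_prompt denied
2024-03-27T10:04:00Z carol reset_prompt denied
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed prompt count that marks a burst


def parse(log_text):
    """Yield (timestamp, account, event, outcome) for each non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, account, event, outcome = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, event, outcome


def detect_push_bombing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Flag accounts that receive `threshold` or more reset prompts within `window`.

    An approval that arrives while the burst is still in progress is recorded
    separately: it is the fatigue or mis-tap outcome the flood is meant to produce.
    """
    recent = defaultdict(deque)  # account -> prompt times inside the window
    findings = {}
    for ts, account, event, outcome in sorted(parse(log_text)):
        if event != "reset_prompt":
            continue
        times = recent[account]
        times.append(ts)
        while ts - times[0] > window:  # drop prompts older than the window
            times.popleft()
        if len(times) >= threshold:
            hit = findings.setdefault(
                account, {"first_burst_at": ts, "approved_during_burst": False})
            if outcome == "approved":
                hit["approved_during_burst"] = True
    return findings
```

On the sample data, `detect_push_bombing(SAMPLE_EVENTS)` flags `alice` (burst followed by an approval, which warrants holding the password change for review) and `carol` (burst with no approval), while `bob`'s two prompts 90 minutes apart are not flagged.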

Entrepreneur Parth Patel recently became a target of this phishing scheme, experiencing firsthand the relentless flood of system notifications across all his Apple devices, urging him to approve a password reset. This deluge of prompts is not just annoying but strategically designed to wear down the victim’s resistance or catch them off guard, leading to an accidental approval of the malicious request. Adding a layer of sophistication to the attack, phishers follow up with phone calls masquerading as Apple Support, using caller ID spoofing to display Apple’s legitimate customer support number.

Krebs on Security reported a series of attacks targeting Apple users, known as “MFA Bombing.” The attacks exploit a vulnerability linked to the phone number on file for the Apple account. Despite changing passwords and purchasing a new iPhone, victims continue to receive the same system alerts, suggesting a flaw in Apple’s system.

Apple has not publicly addressed this specific phishing campaign or the vulnerability in its system. The situation highlights the need for tech companies to reassess and fortify their authentication and notification systems against evolving phishing tactics.

The rise of “push bombing” attacks targeting Apple users underscores the importance of vigilance among users and the need for tech companies to continuously evolve their security measures. Both users and corporations must stay ahead of sophisticated phishing techniques to protect personal information and digital lives in the increasingly fraught digital landscape.

