Attackers are abusing an apparent weakness in Apple's password reset feature in a new scam that can leave you unable to use your iPhone if you are not careful.
According to Krebs on Security, the attack begins with a single Reset Password notification on the target's iPhone, followed by a flood of similar requests. What makes it especially disruptive is that the target has to tap "Don't Allow" on every single popup.
Until they do, the alerts keep coming and the iPhone is effectively unusable. The second danger is that some victims will tap "Allow" by mistake instead of "Don't Allow". If that happens, the attackers can reset the password and take full control of the victim's Apple account.
Below is a comprehensive overview of the recent reset password assault, accompanied by a set of precautionary measures to ensure your safety.
Shifting from push bombing to phone phishing
Entrepreneur Parth Patel gave a detailed firsthand account of the attack in a post on X, complete with screenshots. Patel explained that he and other startup founders were being targeted at the same time, which is what prompted him to start the thread.
This kind of attack is often called "push bombing" or "MFA fatigue": the attackers abuse a legitimate feature of a company's multi-factor authentication (MFA) system, the push notification asking the user to approve or deny a request, by triggering it over and over until the target approves one by mistake or simply to make the prompts stop.
Because Patel is heavily invested in the Apple ecosystem, the password reset alerts appeared on his watch, laptop and phone at the same time. Worst of all, he could not do anything else on his phone until he had manually dismissed every one of the alerts in turn.
The other serious problem is that some iPhone users will simply tap "Allow" to get their device back. Doing so, however, hands the attackers full access to your Apple account and locks you out of it.
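Push bombing is easy to spot on the defender's side because it leaves a very distinctive trace: a burst of approval prompts for one account in a short window, often followed by a single approval after a run of denials. The sliding-window check below is an added example written for this article; it is not code from Tom's Guide, Krebs on Security, Patel or Apple, and the log format, event names (PROMPT_SENT, PROMPT_DENIED, PROMPT_APPROVED) and log lines are all constructed for the illustration. It shows the two signals an identity provider's detection team would want: the prompt burst itself, and an "Allow" that lands after several "Don't Allow" responses.

```python
"""Sliding-window detector for push-bombing / MFA-fatigue patterns.

Added example for illustration. The log format below is invented:
one event per line as "<ISO-8601 UTC timestamp> <account> <event>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). "alice" is push-bombed: six prompts
# in under a minute, five denials and then an approval. "bob" and "carol"
# show the normal one-off prompts that should not trigger an alert.
SAMPLE_LOG = """\
2024-03-26T10:00:00Z alice PROMPT_SENT
2024-03-26T10:00:04Z alice PROMPT_DENIED
2024-03-26T10:00:10Z alice PROMPT_SENT
2024-03-26T10:00:12Z alice PROMPT_DENIED
2024-03-26T10:00:20Z alice PROMPT_SENT
2024-03-26T10:00:22Z alice PROMPT_DENIED
2024-03-26T10:00:30Z alice PROMPT_SENT
2024-03-26T10:00:33Z alice PROMPT_DENIED
2024-03-26T10:00:40Z alice PROMPT_SENT
2024-03-26T10:00:41Z alice PROMPT_DENIED
2024-03-26T10:00:50Z alice PROMPT_SENT
2024-03-26T10:00:55Z alice PROMPT_APPROVED
2024-03-26T10:01:00Z bob PROMPT_SENT
2024-03-26T10:01:03Z bob PROMPT_DENIED
2024-03-26T10:05:00Z carol PROMPT_SENT
2024-03-26T10:05:02Z carol PROMPT_DENIED
2024-03-26T10:20:00Z carol PROMPT_SENT
2024-03-26T10:20:01Z carol PROMPT_DENIED
"""


def parse_line(line):
    """Parse one log line into (timestamp, account, event)."""
    ts, account, event = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, account, event


def parse_log(text):
    """Parse and time-order the whole log (logs are not guaranteed sorted)."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e[0])


def detect_push_bombing(events, window=timedelta(minutes=5), threshold=5):
    """Signal 1: too many prompts sent to one account inside the window.

    Returns {account: peak number of prompts seen in any window} for every
    account that reached the threshold at least once.
    """
    recent = defaultdict(deque)  # account -> timestamps of prompts in window
    peaks = {}
    for ts, account, event in events:
        if event != "PROMPT_SENT":
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[account] = max(peaks.get(account, 0), len(q))
    return peaks


def approvals_after_burst(events, window=timedelta(minutes=5), min_denials=3):
    """Signal 2: an approval that follows a run of denials in the window.

    This is the high-confidence case: the user has already said "Don't Allow"
    repeatedly, so a sudden "Allow" is far more likely a mis-tap or fatigue
    than a genuine request. Returns [(account, approval time, denials before)].
    """
    denials = defaultdict(deque)
    hits = []
    for ts, account, event in events:
        q = denials[account]
        while q and ts - q[0] > window:
            q.popleft()
        if event == "PROMPT_DENIED":
            q.append(ts)
        elif event == "PROMPT_APPROVED" and len(q) >= min_denials:
            hits.append((account, ts, len(q)))
            q.clear()  # one alert per burst
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for account, peak in detect_push_bombing(evs).items():
        print(f"ALERT burst: {account} received {peak} prompts in 5 minutes")
    for account, ts, n in approvals_after_burst(evs):
        print(f"ALERT approval after {n} denials: {account} at {ts.isoformat()}")
```

The thresholds (five prompts or three denials in five minutes) are assumptions chosen for the sample; in production they would be tuned to the service's normal prompt rate. The second signal is the one worth paging on: when an account approves a request right after a string of denials, the right response is to treat the session as compromised and force a verified re-authentication rather than let the password reset complete.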
Patel assumed the attack was over once he had dismissed the password reset prompts, but the attackers had a second stage ready. He then received a phone call that appeared to come from Apple Support, showing the number 1-800-275-2273, which really is Apple's official customer support line. Caller ID is trivial to spoof, so a matching number proves nothing about who is actually calling.
Knowing he was a high-value target, Patel was suspicious when he picked up, and asked the caller to verify some details about him. To his surprise, after some furious typing on their end, they were able to do so. They got one crucial detail wrong, however: his name, which was a clear sign that he was talking to scammers rather than an Apple support representative.
The attackers are believed to have pulled Patel's personal information from a people-search site, because the name they used was one he had only ever seen on PeopleDataLabs. That is a good reason to limit how much of your personal information is available online, for example by requesting removal from people-search sites.
How to stay safe from advanced phishing attacks
It has not been confirmed that a bug in Apple's password reset tool is what makes this attack possible, but it looks likely. Tom's Guide reached out to Apple and received guidance from the company on how iPhone owners can protect themselves against this and similar attacks.
First, Apple maintains a useful support page with detailed information on recognizing and handling phishing and other scams. Apple asks that any phishing attempt be forwarded to reportphishing@apple.com. An Apple spokesperson likewise advised anyone who receives a fraudulent phone call like the one described above to report it to the FTC at its website.
If you find yourself on the receiving end of this attack, do not tap "Allow" on any of the password reset prompts. Dismissing each one individually is annoying and tedious, but it is the only safe option: leaving them unanswered keeps your iPhone unusable, while tapping "Allow" hands the attackers full control of your Apple account.
If you get a call from someone claiming to be from Apple Support, do not give out any personal details. Instead, do what Patel did and ask the caller to confirm what they already know about you. Bear in mind that Apple Support is very unlikely to call you out of the blue, and even when it does, it will never ask for your password, verification codes or other sensitive details over the phone.
More information about this password reset attack should become available once Apple has shipped a fix. Until then, keep your iPhone close at hand and treat any unexpected password reset prompt with suspicion.