iPhone users are currently seeing a surge of iCloud password reset notifications, the sign of a phishing campaign targeting Apple ID accounts. As reported by MacWorld, many users have been hit by this scheme, in which attackers flood devices with repeated password reset requests, causing confusion and, in some cases, leading users to disclose sensitive credentials.
iPhone users receive hundreds of password reset requests
Dubbed ‘MFA Bombing’ by Krebs on Security, the attack abuses a weakness in Apple’s password reset mechanism to push authentic-looking reset prompts to every device signed in to the targeted Apple ID. It is remarkably simple: the attacker needs only the victim’s phone number and email address. The attackers trigger reset requests again and again, counting on the user eventually tapping one of the notifications and unwittingly approving the password change request.
Victims may then receive fraudulent calls from someone claiming to be Apple support, who says the account has been compromised and asks for a one-time verification code (OTP). With that code, the attackers can complete the password reset, take over the Apple ID, and potentially steal personal or financial data. Some users report seeing the same prompts on their Apple Watch, and enabling a recovery lock for the Apple ID did not stop the fraudulent notifications.
As of now, Apple has not provided a definitive fix for this growing problem. Until it does, users should treat unexpected password reset prompts with suspicion and never share OTP verification codes with anyone.