Think Twice Before Hitting ‘Allow’ on Your iPhone—It Could Be a Scam
A new Apple ID spearphishing campaign built on "push bombing" (also called "MFA bombing" or MFA fatigue) has been targeting tech professionals over the last few weeks. The attacker repeatedly triggers Apple's password-reset flow for the victim's Apple ID, so the victim's devices are flooded with system prompts asking whether to allow the reset. Each prompt has to be answered before the device can be used normally, and the aim is to wear the victim down until they tap "Allow" instead of "Don't Allow" just once.
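A defender rarely gets to see the victim's lock screen, but an identity provider that emits an event each time a push prompt is sent or answered can spot this pattern in its own logs: many reset prompts for one account in a short window, and especially an approval that lands right after such a burst. The sliding-window detector below is an added example written for this article, not code from Apple or from anyone quoted here; the log format, field names and the threshold of five prompts in ten minutes are assumptions, and the log lines are constructed. The same logic applies to any push-based MFA system, not only Apple ID resets.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): one line per password-reset
# push sent or answered. Field names and event names are assumptions.
SAMPLE_LOG = """\
2024-03-23T01:12:04Z user=parth event=reset_push_sent
2024-03-23T01:12:09Z user=parth event=reset_push_sent
2024-03-23T01:12:15Z user=parth event=reset_push_sent
2024-03-23T01:12:20Z user=alice event=reset_push_sent
2024-03-23T01:12:26Z user=parth event=reset_push_sent
2024-03-23T01:12:33Z user=parth event=reset_push_sent
2024-03-23T01:12:41Z user=parth event=reset_push_sent
2024-03-23T01:13:02Z user=alice event=reset_push_approved
2024-03-23T01:13:10Z user=parth event=reset_push_sent
2024-03-23T01:13:18Z user=parth event=reset_push_sent
2024-03-23T01:13:30Z user=parth event=reset_push_denied
2024-03-23T02:40:00Z user=bob event=reset_push_sent
2024-03-23T02:40:07Z user=bob event=reset_push_sent
2024-03-23T02:40:15Z user=bob event=reset_push_sent
2024-03-23T02:40:22Z user=bob event=reset_push_sent
2024-03-23T02:40:30Z user=bob event=reset_push_sent
2024-03-23T02:41:05Z user=bob event=reset_push_approved
"""

WINDOW = timedelta(minutes=10)   # assumed tuning; a legitimate user needs one prompt
THRESHOLD = 5                    # prompts within WINDOW that we treat as bombing


def parse_line(line):
    """Split 'TIMESTAMP key=value key=value' into (datetime, user, event)."""
    ts_str, *fields = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(f.split("=", 1) for f in fields)
    return ts, kv["user"], kv["event"]


def detect_push_bombing(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {user: alert} for accounts that received >= threshold reset
    prompts inside a sliding window. The alert records how many prompts
    were seen and whether the user approved one after the burst began,
    which is the case that needs immediate account lockdown."""
    recent = defaultdict(deque)   # per-user timestamps of prompts inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        if event == "reset_push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:      # drop prompts that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {
                    "pushes": 0, "first": q[0], "last": ts,
                    "approved_after_burst": False,
                })
                alert["pushes"] = max(alert["pushes"], len(q))
                alert["last"] = ts
        elif event == "reset_push_approved" and user in alerts:
            # An "Allow" landing after a burst is the attacker's win condition.
            alerts[user]["approved_after_burst"] = True
    return alerts


def severity(alert):
    """Triage label: a burst alone is noisy; a burst followed by an approval is a takeover."""
    return "critical" if alert["approved_after_burst"] else "high"


if __name__ == "__main__":
    for user, alert in detect_push_bombing(SAMPLE_LOG).items():
        print(f"{user}: {alert['pushes']} prompts between {alert['first']:%H:%M:%S} "
              f"and {alert['last']:%H:%M:%S}, severity={severity(alert)}")
```

In the constructed data, alice's single prompt followed by an approval is an ordinary reset and produces no alert; parth's eight prompts are flagged but he denied them; bob's burst ends in an approval and is the one that should trigger an immediate password reset and session revocation. The window and threshold need tuning against real reset volumes, and a provider would also want to key on the requesting IP or device rather than only the target account.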
Tech founder Parth Patel recently described the attempt on X, recounting an onslaught of push notifications across all of his Apple devices. Each notification asked for permission to reset his Apple ID password, which immediately raised red flags. What alarmed him most was that these were genuine "system-level notifications" generated by Apple, not something a scam app could have faked.
Patel was hit with more than 100 prompts. After clearing them all, he received a call from a spoofed caller ID that displayed Apple's real support number; the caller asked him to read back a one-time passcode (OTP) that had just been sent to his phone. To his dismay, the caller already had accurate personal details, including his date of birth and current address, which Patel traced to the "people search" site People Data Labs.
Last night, I was targeted for a sophisticated phishing attack on my Apple ID.
This was a high effort concentrated attempt at me.
Other founders are being targeted by the same group/attack, so I’m sharing what happened for visibility.
🧵 Here’s how it went down:
— Parth (@parth220_) March 23, 2024
A separate report from Krebs on Security described similar encounters involving cryptocurrency hedge fund owners and security industry professionals. They were targeted in the same way, and their experience confirmed that the attack works against the Apple account itself rather than any particular device: the prompts reach every device signed in to the Apple ID, and resetting or replacing a phone does not stop them.
"If you haven’t already, I’d highly suggest scrubbing yourself from people data aggregators such as People Data Labs, Spokeo, Pimeyes, Social Catfish, and others," Patel wrote in a follow-up post. Apart from tapping "Don't Allow" on every prompt, there is currently no way for a user to stop the prompts from arriving.
As of now, there have been no public reports of anyone losing an account to the Apple ID password reset scam. But a single tap on "Allow" lets the attacker complete the password reset, and with the OTP obtained over the phone they can lock the legitimate owner out of the iCloud account for good. From there the attacker controls the photos and contacts stored in iCloud and can use Find My to remotely erase the victim's devices.
In one case reported by AppleInsider, a target was advised by a senior Apple engineer to turn on an Apple Recovery Key as a precaution. The Recovery Key is a 28-character code that replaces Apple's standard account recovery process: once it is enabled, a password reset requires the key rather than the device-prompt flow the attackers abuse, and the key becomes the owner's own path back into the account. The trade-off is that losing the key can mean losing the account, so it needs to be stored somewhere safe.
Shoutout to @briankrebs for covering the Apple ID MFA fatigue attacks!
If you haven’t already, I’d highly suggest scrubbing yourself from people data aggregators such as People Data Labs, Spokeo, Pimeyes, Social Catfish, and others. https://t.co/QwK8sCF4CU
— Parth (@parth220_) March 26, 2024
This isn't the first time Apple has faced a prompt-flooding attack. In 2019, a bug dubbed "AirDoS" allowed anyone within wireless range to flood nearby iOS devices with an endless stream of AirDrop share prompts, effectively locking the screen until the attacker stopped. Apple fixed that issue in iOS 13.3.
With reports circulating that Apple is focusing on AI features for the upcoming iOS 18, it is natural to ask whether any of that work will go toward detecting and throttling abuse like this. Whether Apple will use AI to identify and mitigate these kinds of threats remains to be seen; a more modest fix, such as rate-limiting password-reset prompts per account, would not need AI at all. If the AI push in iOS 18 does extend to security, it could be a meaningful step toward hardening Apple's ecosystem against attacks of this kind.