/Thriveon_logo_IT.svg "Thriveon_logo_IT.svg"){kind=logo}
Several Apple users have reported they are targets in a sophisticated phishing scam that involves an alleged bug in Apple’s password reset feature. These attacks, called “MFA bombing,” “push bombing” or “MFA fatigue,” have overwhelmed users in an attempt to hack into their account.
These attackers are targeting accounts that are protected by multi-factor authentication, which normally offers an extra layer of security against cyber attacks. However, these attacks are an example of scammers trying to find new, creative ways to work around security measures to exploit victims, showing that they can exploit vulnerabilities in MFA systems.
Read: The Best Practices Against Cyber Attacks
How Does MFA Bombing Work?
A targeted Apple device is bombarded by dozens, if not hundreds, of seemingly system-level prompts asking them to reset their password. This stream of prompts is arriving every few seconds, overwhelming the victim. These push notifications also stop the device from being accessed until the user chooses “allow” or “don’t allow” on each prompt, which can make it frustrating for users who need their devices.
The hacker hopes that the user will hit the wrong button or get tired and choose “allow” to make the bombarding stop. By hitting “allow,” the attacker has a chance to take over the Apple account, which can affect any devices linked to that account.
If the victim refrains from hitting “allow,” the hacker will eventually call the victim. However, they use a spoofed number that makes it seem like they are calling as an Apple support representative. The scammer says that the victim’s account is under attack and that Apple needs to verify or reset the account with a one-time code.
The goal is to get the victim to reveal the one-time code so the attacker can then reset the account’s password and lock the victim out. They can also wipe all of the devices connected to the account.
By overwhelming victims, attacks can eventually coerce victims into inadvertently approving access to their accounts, bypassing security measures and giving the scammers easy access.
How to Protect Against MFA Bombing Attacks
Apple has not yet confirmed or denied if the MFA bombing is due to a bug. However, they have stressed to customers that Apple will never initiate a call with a customer unless the customer requests the call first.
By staying informed, maintaining a heightened sense of awareness and implementing recommended security measures, Apple users can take proactive steps to effectively protect their sensitive information from falling into the wrong hands. Here are some ways to try and protect yourself against these attacks:
- Develop a “decline by default” mindset: Any unsolicited phone calls or texts should be denied. If you think you are receiving communication from a trusted entity, stop responding and reach out to that entity yourself.
- Develop strong, complex passwords: Every account should have a strong, complex password. Each password should be at least 19 characters long with a combination of upper and lowercase letters, numbers and symbols. Change these passwords every three months or so. You can also set up passkeys instead of passwords.
- Keep antivirus and antimalware software updated: Keep the antivirus and antimalware software on your devices updated. These updates release security patches that can help catch cyber threats.
- Limit MFA approvals to trusted devices: Setup MFA on trusted devices so you can keep track of what devices have MFA. Also, never share a one-time code with anyone, no matter who is asking for it.
Thriveon Can Help Fight Social Engineering Scams Like MFA Bombing
Instead of worrying about the next social engineering scam and if your company can fall victim to it, let a managed service provider like Thriveon erase those worries and fears.
Our fractional chief information officers (CIOs) offer robust cybersecurity services that keep your sensitive data safe while also meeting cybersecurity compliances.
Schedule a meeting now for more information on our services.
