Recently, a new cybersecurity problem targeting Apple users has emerged: “MFA Bombing” attacks. These phishing attempts abuse the Multi-Factor Authentication (MFA) system, specifically the Apple ID password reset flow. By flooding a user’s devices with password reset prompts, attackers hope the user will eventually approve one and hand over control of the account.
What is MFA Bombing?
Many Apple users have already experienced MFA Bombing firsthand. Reports describe people receiving a continuous stream of Apple ID “Reset Password” prompts, each of which has to be dismissed before the device can be used normally again. This relentless stream of alerts has a simple goal: to cause confusion and frustration and, as a result, an accidental tap on Allow.
Last night, I was targeted by a sophisticated phishing attack on my Apple ID.
This was a high-effort, concentrated attempt at me.
Other founders are being targeted by the same group/attack, so I’m sharing what happened for visibility.
🧵 Here’s how it went down:
— Parth (@parth220_) March 23, 2024
At its core, MFA Bombing is a phishing strategy that abuses the Multi-Factor Authentication (MFA) process. Attackers use Apple’s password reset system for Apple IDs to bombard a user with a flood of “Reset Password” prompts. Although it may sound similar, this is not a brute-force attack: no password is being guessed. The attacker only needs the user to tap Allow once, so the flood is designed to confuse and wear the user down until they approve a request by mistake, at which point the attacker can reset the password and take over the account. These attacks exploit the trust users place in MFA, turning a security measure into a liability.
The mechanism is Apple’s own password reset function. Attackers repeatedly submit password reset requests for the targeted Apple ID, and each request pushes a system-level “Reset Password” prompt to every device signed in to that account. It is not yet known what allows attackers to send so many requests in a short period; the most plausible explanation is a bug or a missing rate limit in the reset request flow, which would normally cap how many prompts a single account can receive in a given window.
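How Apple’s reset service is built is not public, so the following is an added example rather than Apple’s code: a small Python model of a reset-prompt endpoint in its weak configuration (every request becomes a prompt on the user’s devices) beside a hardened one that holds repeat prompts while one is still unanswered and caps deliveries per account per hour, plus a burst detector over the delivery log of the kind an account-security team could run. The account name, limits, timings and thresholds are assumptions chosen for illustration.

```python
"""Model of a 'forgot password' endpoint that pushes a Reset Password
prompt to the account holder's devices. Added example, not Apple's code;
account names, limits and timings below are assumptions.
"""
from collections import Counter, deque
from dataclasses import dataclass, field


@dataclass
class ResetPromptService:
    """Handles reset requests and delivers prompts.

    The defaults (max_prompts=0, coalesce=False) reproduce the weak
    behaviour: every request immediately becomes a prompt on the devices.
    """
    max_prompts: int = 0        # prompts allowed per account per window (0 = unlimited)
    window: int = 3600          # seconds covered by the per-account budget
    coalesce: bool = False      # hold further prompts while one is still unanswered
    pending_ttl: int = 300      # seconds an unanswered prompt stays open
    sent: list = field(default_factory=list)       # (account, time) of delivered prompts
    _history: dict = field(default_factory=dict)   # account -> deque of send times
    _pending: dict = field(default_factory=dict)   # account -> expiry of the open prompt

    def request_reset(self, account: str, now: float) -> str:
        # 1. Coalescing: the user already has a prompt to answer, so a
        #    second one only adds noise and pressure.
        if self.coalesce and self._pending.get(account, -1.0) > now:
            return "coalesced"
        # 2. Per-account budget over a sliding window of recent deliveries.
        if self.max_prompts:
            hist = self._history.setdefault(account, deque())
            while hist and hist[0] <= now - self.window:
                hist.popleft()
            if len(hist) >= self.max_prompts:
                return "rate_limited"
            hist.append(now)
        self._pending[account] = now + self.pending_ttl
        self.sent.append((account, now))
        return "prompt_sent"

    def prompt_answered(self, account: str) -> None:
        """The user tapped Allow or Don't Allow; the prompt is no longer open."""
        self._pending.pop(account, None)


def simulate_burst(service, account, count=50, interval=120.0) -> Counter:
    """Fire `count` reset requests `interval` seconds apart and tally outcomes."""
    return Counter(service.request_reset(account, i * interval) for i in range(count))


def detect_bombing(events, threshold=5, window=600.0) -> set:
    """Accounts that received >= `threshold` prompts within any `window` seconds.

    `events` are (account, time) pairs such as ResetPromptService.sent or the
    equivalent fields parsed from an authentication log.
    """
    by_account = {}
    for account, t in events:
        by_account.setdefault(account, []).append(t)
    flagged = set()
    for account, times in by_account.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] >= window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(account)
                break
    return flagged


if __name__ == "__main__":
    victim = "victim@example.com"  # constructed sample account
    weak = ResetPromptService()
    hardened = ResetPromptService(max_prompts=3, coalesce=True)
    print("weak    :", dict(simulate_burst(weak, victim)))      # 50 prompts delivered
    print("hardened:", dict(simulate_burst(hardened, victim)))  # 6 delivered, rest held or refused
    print("flagged :", detect_bombing(weak.sent), detect_bombing(hardened.sent))
```

Coalescing alone stops the steady drip of prompts, but it lets a new one through every time the previous prompt expires, so the hourly cap is what bounds the total; the detector is deliberately independent of either control, because a team that cannot change the endpoint can still alert on the delivery log.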
What to Do?
Starting the attack requires the attacker to know the email address and phone number linked to the Apple ID; without those, the reset flow cannot be initiated. Where do attackers get this information? Most likely from data previously leaked in breaches. So while there is no setting that stops the prompts from arriving, you can reduce your exposure and refuse to give the attacker what they need: be wary of phishing attempts that harvest personal details, don’t hand your email address and phone number to unverified sites, and verify that anyone claiming to be Apple Support really is. In the incidents reported so far the flood of prompts was followed by a phone call from someone posing as Apple Support and asking the victim to read back a one-time code; Apple does not make unsolicited support calls, so tap Don’t Allow on every prompt and never share a code with a caller. Regularly monitoring account activity can also help detect unauthorized attempts early.
Also, note that enabling a recovery key won’t solve the issue. KrebsOnSecurity tested and confirmed that enabling a recovery key does nothing to stop a password reset prompt from being sent to your devices:
“Apple’s ‘forgot password’ page will send a system alert, whether or not the user has enabled an Apple Recovery Key,” they write.
Looking Ahead
And that’s a wrap! The world is always on the move, and so are the people looking to stir up trouble, but we’re all in this together. We’ll keep you posted on matters like this to keep you a step ahead. So, till next time, take care, stay alert, and let’s keep each other in the loop. Catch you in the next update!