Apple Users Flooded with Unrelenting Phishing Prompts

Source: Brian Krebs & Parth Patel

Apple users are being targeted by a phishing scheme that exploits apparent gaps in Apple's password reset functionality, including the absence of rate-limiting safeguards. Brian Krebs reported the issue, drawing on accounts shared by victims, who describe a barrage of system-level password reset prompts that render their devices unusable until every alert is dismissed. Parth Patel, an entrepreneur working in the AI space, described his own ordeal: a flood of reset notifications arriving on all of his devices within moments.

The technique, known as "push bombing" or "MFA fatigue," aims to wear users down until they approve a malicious request by mistake. After Patel rejected the continuous prompts, he received calls from fraudsters impersonating Apple Support, using caller ID spoofing to appear legitimate and attempting to phish for sensitive information. The episode also raises data-privacy concerns: Patel identified "People Data Labs" as the source of the personal data the scammers held on him, although some of that data was inaccurate.

Additional accounts from Chris, a cryptocurrency hedge fund owner, and Ken, a security industry veteran, reinforce the seriousness of this phishing campaign and the persistence of its perpetrators. Chris described being flooded with alerts and having to reject a barrage of password reset notifications. The problem continued even after he acquired a new iPhone and a new iCloud account, indicating that changes to his digital setup had no effect on the attackers' method. This persistence points to a crucial aspect of the scam: the attackers know the victims' phone numbers. The only detail Chris did not change in his new setup was the phone number associated with the Apple account, which suggests that the scammers' ability to trigger the alerts was tied to it.

Ken's incident occurred at night, when an accidental approval is more likely. Targeting users during late hours or sleep, when their alertness is diminished, is a deliberate strategy in MFA fatigue attacks. Despite attempts to secure their accounts, including setting up an Apple Recovery Key as suggested by Apple Support, the victims continued to receive unauthorized prompts.

This issue exemplifies an oversight in Apple's system design: the lack of rate limiting on password reset requests. Krebs calls for rate limits not just on password changes but on all system prompts, citing an issue labeled "AirDos" by security researcher Kishan Bagaria, a flaw that lets an attacker flood iOS devices with prompts through the AirDrop feature. The accounts from security experts and victims urge Apple to fix a weakness that lets attackers inundate users with relentless system alerts without any constraint.
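The two controls the article points at, a per-account rate limit on reset prompts and detection of a push-bombing burst, are simple to state but worth seeing in code. The following is an added example and not Apple's code or anything from the Krebs article: it assumes a hypothetical identity service that logs every password-reset request as a (timestamp, account) pair, and the limit of three prompts per account per 15 minutes and the alert threshold of ten requests are assumed policy values, not Apple's. It replays a constructed burst of 30 requests against one account and a single legitimate request against another, showing how a sliding-window limiter caps what reaches the device and how the same counting logic on the request log flags the targeted account for the SOC.

```python
"""Sliding-window rate limiting and detection for password-reset prompts.

Added example (not Apple's code, not from the Krebs article). Assumes a
hypothetical identity service that records every reset request as
(timestamp_seconds, account). Policy numbers below are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ResetPromptLimiter:
    """Allow at most `max_prompts` reset prompts per account per window."""
    max_prompts: int = 3           # assumed policy value
    window_seconds: int = 900      # assumed 15-minute window
    _history: dict = field(default_factory=lambda: defaultdict(deque))

    def allow(self, account: str, now: float) -> bool:
        """Return True if a reset prompt may be pushed to `account` at `now`."""
        q = self._history[account]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_prompts:
            return False               # burst: suppress the prompt
        q.append(now)
        return True


def replay(requests, limiter=None):
    """Replay (timestamp, account) requests through the limiter.

    Returns {account: (prompts_sent, prompts_suppressed)}.
    """
    limiter = limiter or ResetPromptLimiter()
    stats = defaultdict(lambda: [0, 0])
    for ts, account in requests:
        if limiter.allow(account, ts):
            stats[account][0] += 1
        else:
            stats[account][1] += 1
    return {acct: tuple(counts) for acct, counts in stats.items()}


def push_bombing_alerts(requests, threshold=10, window_seconds=900):
    """Detection side: accounts that received >= `threshold` reset requests
    within any `window_seconds` span of the raw request log (before limiting).
    """
    seen = defaultdict(deque)
    flagged = set()
    for ts, account in sorted(requests):
        q = seen[account]
        q.append(ts)
        while q and ts - q[0] >= window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(account)
    return flagged


# Constructed sample log: 30 reset requests against one account in one
# minute (a push-bombing burst) plus one ordinary request for another.
SAMPLE_REQUESTS = [(float(i * 2), "victim@example.com") for i in range(30)]
SAMPLE_REQUESTS.append((100.0, "normal@example.com"))


if __name__ == "__main__":
    print("sent/suppressed per account:", replay(SAMPLE_REQUESTS))
    print("push-bombing alerts:", push_bombing_alerts(SAMPLE_REQUESTS))
```

With the assumed policy, the burst yields 3 prompts sent and 27 suppressed for the targeted account, the legitimate request goes through untouched, and the detector flags only the targeted account. Keying the limiter on the account (and, as Chris's experience suggests, on the phone number the request was initiated against) is what makes the control effective regardless of how many devices the account has; a per-device limit would still let every device ring.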
