KrebsOnSecurity reports phishing attacks on Apple users that exploit a weakness in Apple's password reset flow. Targets are flooded with system pop-ups prompting a password change, followed by fake calls asking for one-time codes. Affected users described how the onslaught of alerts, as many as 100 in a row, rendered their devices unusable.
Phishing Scam Tactics Exploiting Apple Support and Personal Data
- Following multiple password reset requests, targets receive calls seemingly from Apple’s support line.
- Scammers, potentially sourcing personal details from people-search websites, aim to extract Apple’s one-time reset code.
- If victims provide the code, attackers seize control of accounts, alter passwords, and wipe data from all linked devices.
- An iPhone user encountered similar issues on a new device and iCloud account after password changes, suggesting attackers only required the associated phone number to trigger notifications.
A second victim of the attack shared that he was startled awake in the middle of the night by an Apple Watch notification, nearly leading to inadvertent authorization of the reset request. While Apple has remained silent on the attacks, Kishan Bagaria, a software engineer who flagged a similar issue in 2019, suggests that the weakness lies in the rate limiting of Apple's password reset system: it appears not to cap how many reset alerts can be sent to one account within a short timeframe.
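To make Bagaria's hypothesis concrete, here is an added example (not code from the KrebsOnSecurity report or from Apple) of a per-account sliding-window limit on reset prompts, where the count of suppressed prompts doubles as a detection signal for an account under a reset-bombing burst. The account names, limit, window and alert threshold are constructed for illustration.

```python
from collections import defaultdict, deque


class ResetPromptLimiter:
    """Sliding-window limiter for password-reset prompts, keyed by account.

    At most `limit` prompts are delivered per `window` seconds per account.
    Requests beyond the cap are suppressed and counted, so a flood shows up
    as a spike in `suppressed` instead of as a hundred pop-ups on a device.
    """

    def __init__(self, limit=3, window=3600):
        self.limit = limit
        self.window = window
        self._sent = defaultdict(deque)     # account -> delivery timestamps
        self.suppressed = defaultdict(int)  # account -> suppressed request count

    def allow(self, account, now):
        """Return True if a reset prompt may be delivered to `account` at time `now`."""
        recent = self._sent[account]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                # drop deliveries outside the window
        if len(recent) < self.limit:
            recent.append(now)
            return True
        self.suppressed[account] += 1
        return False


def simulate_flood(limiter, account, count, start=0.0, spacing=5.0):
    """Replay `count` reset requests `spacing` seconds apart (constructed burst).

    Returns (delivered, suppressed) for the account.
    """
    delivered = sum(limiter.allow(account, start + i * spacing) for i in range(count))
    return delivered, limiter.suppressed[account]


def flag_bombing(limiter, threshold=10):
    """Accounts whose suppressed count crosses `threshold`: candidates for an
    out-of-band warning to the user and a review by the security team."""
    return sorted(a for a, n in limiter.suppressed.items() if n >= threshold)


if __name__ == "__main__":
    lim = ResetPromptLimiter(limit=3, window=3600)
    print(simulate_flood(lim, "victim@example.com", 100))   # constructed 100-request burst
    print(simulate_flood(lim, "normal@example.com", 2))     # ordinary forgotten-password use
    print(flag_bombing(lim))
```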
Guidelines for Apple Users to Safeguard Against Phishing
- Apple users should treat unexpected password reset notifications or unsolicited support calls as a warning sign.
- Enabling an Apple Recovery Key can help, but it comes with some inconvenience.
- The crucial measure is never to disclose a one-time passcode to anyone, including callers claiming to represent Apple or any other company; genuine support personnel do not ask for such codes.