Warning: Apple Users Targeted in Phishing Attack Involving Rapid Password Reset Requests

Phishing attacks taking advantage of Apple's password reset feature have become increasingly common, according to a report from KrebsOnSecurity. Multiple Apple users have been targeted in an attack that bombards them with an endless stream of notifications or multi-factor authentication (MFA) messages in an attempt to cause panic so they'll respond favorably to social engineering.

reset password request iphone
An attacker is able to cause the target's iPhone, Apple Watch, or Mac to display system-level password change approval texts over and over again. Because the password requests target the Apple ID, they pop up on all of a user's devices. The notifications render all linked Apple products unable to be used until the popups are dismissed one by one on each device. Twitter user Parth Patel recently shared his experience being targeted with the attack, and he says he could not use his devices until he clicked on "Don't Allow" for more than 100 notifications.

The actual popup can't be used to gain access to an Apple device, and it serves as a front for attackers to incite fear in the target. Following the flood of notifications, the attacker calls using a spoofed number that makes it appear to be coming from Apple. On these calls, the attacker confirms that the victim's account is under attack, and that sensitive information is needed to put a stop to it. It appears that the attacker is after a one-time code to confirm a password reset or login attempt.

In Patel's case, the attacker was using information leaked from a people search website, which included name, current address, past address, and phone number, giving the person attempting to access his account ample information to work from. The attacker happened to have his name wrong, and he also became suspicious because he was asked for a one-time code that Apple explicitly sends with a message confirming that Apple does not ask for those codes.

The attack hinges on the perpetrator having access to the email address and phone number associated with an ‌Apple ID‌ at a minimum, and given the description of what's been happening, it is likely that bad actors also had access to the victim's ‌Apple ID‌ password from database leaks and other means. One-time codes are most often triggered as secondary security, so the attacker sends the notification spam, calls the target to "save" them from the attack, logs in to the ‌Apple ID‌ with the stolen information and password, and triggers the one-time code. If the target hands over the code at this point, the attacker will have full access to the ‌Apple ID‌.

KrebsOnSecurity looked into the issue, and found that attackers appear to be using Apple's page for a forgotten ‌Apple ID‌ password to send the notification spam. This page requires a user's ‌Apple ID‌ email or phone number, and it has a CAPTCHA. When an email address is put in, the page displays the last two digits of the phone number associated with the Apple account, and filing in the missing digits and hitting submit sends a system alert.

It is not clear how the attackers are abusing the system to send multiple messages to Apple users, but it appears to be a bug that is being exploited. It is unlikely that Apple's system is meant to be able to be used to send more than 100 requests, so presumably the rate limit is being bypassed.

Apple device owners targeted by this attack should remain calm and make sure not to provide sensitive information to someone who calls, even if the phone call appears to be coming from Apple. Spoofing a phone number is a simple thing to do, so the best course of action is to hang up and call Apple support directly. There is never a situation where a one-time code should be shared with another person, and Apple will never ask for a code.

Update: This article has been updated to clarify how the attack works. The prior version suggested that an ‌Apple ID‌ could be accessed should someone press "Allow" on one of the password request popups, but that is inaccurate. This is a complicated, multi-step attack that requires social engineering, but the password reset spam is a component that Apple will hopefully address in a future update.

Top Rated Comments

checker2010 Avatar
4 weeks ago

iCloud Lock was the worst thing Apple has done to the iPhone. Some people legit get permanently locked out of their own phones because of it.
Activation lock is a fantastic feature. I’d recommend everyone have it enabled.
Score: 50 Votes (Like | Disagree)
Realityck Avatar
4 weeks ago

When attackers are unable to get the person to click "Allow" on the password change notification, targets often get phone calls that seem to be coming from Apple. On these calls, the attacker claims to know that the victim is under attack, and attempts to get the one-time password that is sent to a user's phone number when attempting a password change.
Never trust a company to call you out of the blue! Just tell them you are hanging up and contacting that company directly.
Score: 41 Votes (Like | Disagree)
vegetassj4 Avatar
4 weeks ago
Thank my lucky stars Apple Security warned me before this exploit was used:



Attachment Image
Score: 34 Votes (Like | Disagree)
boswald Avatar
4 weeks ago
Oh, good grief. What a nasty attack. I will definitely make my family aware of this!
Score: 28 Votes (Like | Disagree)
whsbuss Avatar
4 weeks ago
And the DOJ and EU keep tearing down the Apple ecosystem. What insanity
Score: 28 Votes (Like | Disagree)
antiprotest Avatar
4 weeks ago

Oh, good grief. What a nasty attack. I will definitely make my family aware of this!
I wonder if it is something that can be fixed or limited on Apple's side. Sounds like it. They should do it TODAY.
Score: 22 Votes (Like | Disagree)

Popular Stories

iPhone 15 Pro FineWoven

Apple Reportedly Stops Production of FineWoven Accessories

Sunday April 21, 2024 6:03 am PDT by
Apple has stopped production of FineWoven accessories, according to the Apple leaker and prototype collector known as "Kosutami." In a post on X (formerly Twitter), Kosutami explained that Apple has stopped production of FineWoven accessories due to its poor durability. The company may move to another non-leather material for its premium accessories in the future. Kosutami has revealed...
maxresdefault

Apple Announces 'Let Loose' Event on May 7 Amid Rumors of New iPads

Tuesday April 23, 2024 7:11 am PDT by
Apple has announced it will be holding a special event on Tuesday, May 7 at 7 a.m. Pacific Time (10 a.m. Eastern Time), with a live stream to be available on Apple.com and on YouTube as usual. The event invitation has a tagline of "Let Loose" and shows an artistic render of an Apple Pencil, suggesting that iPads will be a focus of the event. Subscribe to the MacRumors YouTube channel for more ...
iOS 17 All New Features Thumb

iOS 17.5 Will Add These New Features to Your iPhone

Sunday April 21, 2024 3:00 am PDT by
The upcoming iOS 17.5 update for the iPhone includes only a few new user-facing features, but hidden code changes reveal some additional possibilities. Below, we have recapped everything new in the iOS 17.5 and iPadOS 17.5 beta so far. Web Distribution Starting with the second beta of iOS 17.5, eligible developers are able to distribute their iOS apps to iPhone users located in the EU...
Apple Vision Pro Dual Loop Band Orange Feature 2

Apple Cuts Vision Pro Shipments as Demand Falls 'Sharply Beyond Expectations'

Tuesday April 23, 2024 9:44 am PDT by
Apple has dropped the number of Vision Pro units that it plans to ship in 2024, going from an expected 700 to 800k units to just 400k to 450k units, according to Apple analyst Ming-Chi Kuo. Orders have been scaled back before the Vision Pro has launched in markets outside of the United States, which Kuo says is a sign that demand in the U.S. has "fallen sharply beyond expectations." As a...
Provenance Emulator

PlayStation and SEGA Emulator for iPhone and Apple TV Coming to App Store [Updated]

Friday April 19, 2024 8:29 am PDT by
The lead developer of the multi-emulator app Provenance has told iMore that his team is working towards releasing the app on the App Store, but he did not provide a timeframe. Provenance is a frontend for many existing emulators, and it would allow iPhone and Apple TV users to emulate games released for a wide variety of classic game consoles, including the original PlayStation, SEGA Genesis,...
apple vision pro orange

Apple Vision Pro Customer Interest Dying Down at Some Retail Stores

Monday April 22, 2024 2:12 am PDT by
Apple Vision Pro, Apple's $3,500 spatial computing device, appears to be following a pattern familiar to the AR/VR headset industry – initial enthusiasm giving way to a significant dip in sustained interest and usage. Since its debut in the U.S. in February 2024, excitement for the Apple Vision Pro has noticeably cooled, according to Bloomberg's Mark Gurman. Writing in his latest Power On...