Attackers are targeting Apple iPhone users with an incessant series of legitimate password reset notifications in what appears to be an attempt to take over their iCloud accounts. The activity has focused attention on the evolving nature of so-called multifactor authentication (MFA) bombing attacks.
A report by information security website KrebsOnSecurity first highlighted the campaign, which is aimed at business and technology executives. The report cited several people who had experienced these incidents recently. Some said they had also received “vishing” phone calls from individuals purporting to be Apple support personnel, using a number that spoofed Apple’s official customer support line.
In conversations with Dark Reading, security researchers delved deeper into the activity, highlighting the new bombing tactics used in the campaign.
Password reset deluge
The wave of password resets and phone calls appeared to be a highly targeted attempt to trick victims into using their Apple devices to reset their Apple ID password. One victim who interacted with the alleged Apple customer support staff reported being surprised by how much “totally accurate” information the attackers appeared to have about him when he tried to verify their credibility.
In another case, an individual reported that the push notifications continued unabated even after he replaced his old phone with a new iPhone, changed his email address, and created a brand new iCloud account. Another victim reported that she continued to receive password reset requests after enabling a recovery key for her Apple ID at the request of an Apple support engineer. Apple describes the recovery key, an optional feature, as a way for users to better protect their accounts; enabling it disables Apple’s standard password recovery process.
The attackers’ apparent ability to send dozens of reset requests in a short period of time has raised questions about a potential flaw in Apple’s password reset mechanism for iCloud accounts, such as a rate-limiting bug that incorrectly allows spam-level volumes of reset requests.
Apple has neither confirmed nor denied the reported attacks. Nor did the company respond to Dark Reading’s question about whether the attackers were exploiting an undisclosed bug in its password reset feature. Instead, a company spokesperson referred to a support article published by Apple on February 23 that offers customers advice on how to recognize and avoid phishing messages, fake support calls, and other scams.
The spokesperson highlighted sections of the article noting that attackers sometimes use false caller ID information to spoof phone numbers and often claim suspicious activity on an account or device to trick users into taking unwanted actions. “If you receive an unsolicited or suspicious phone call from someone claiming to be from Apple or Apple Support, please hang up,” the warning reads.
MFA bombing: An evolving cyber tactic
Multifactor bombing attacks, also known as MFA fatigue attacks, are social engineering exploits in which attackers flood a target’s phone, computer, or email account with push notifications asking them to approve a login or password reset. The idea is to overwhelm the target with so many second-factor authentication requests that they eventually accept one, either by mistake or simply to make the notifications stop.
Typically, these attacks involve the threat actors first illegally obtaining the username and password for the victim’s account and then using the bombing or fatigue attack to obtain the second factor for the MFA-protected account. In 2022, for example, members of the Lapsus$ threat group obtained the VPN credentials of an individual working for an Uber third-party contractor. They then used the credentials to repeatedly try to access the contractor’s VPN account, each attempt triggering a two-factor authentication request on the contractor’s phone, which the contractor ultimately approved. The attackers then used the VPN access to breach several Uber systems.
The twist in the new MFA attacks targeting Apple users is that the attackers do not appear to use, or even require, any previously obtained usernames or passwords.
“In previous MFA attacks, the attacker would compromise the user’s password via phishing or a data leak and use it multiple times until the user confirmed the MFA push notification,” says security researcher Matt Johansen. “In this attack, all the hacker has is the user’s phone number or email address associated with an iCloud account, and is exploiting the flood of ‘forgot password’ requests on the user’s trusted device to allow their password to be reset.”
Apple’s password reset flow includes a CAPTCHA to help limit reset requests, Johansen says. But the attackers seem able to circumvent this obstacle easily, he notes. The fact that the threat actors are spoofing the legitimate Apple Support phone number and calling the user at the same time as the MFA bombing is another notable difference.
“So, the user is agitated that their device is exploding with MFA requests, and they get a call from a legitimate Apple number saying they are here to help, just let them know what code was sent to their phone. I guess this is a tactic with a very high success rate.”
Based on the information available about the attack, it is likely that the threat actors are targeting high-net-worth individuals, Johansen adds. “I suspect that, judging from initial reports, the crypto community would be the hardest hit,” he says.
Jared Smith, a distinguished engineer at SecurityScorecard, says it’s likely that the attackers are simply stuffing Apple’s password reset forms with known Apple iCloud/Me.com email addresses.
“It would be the equivalent of going to at your place.”
He says Apple is likely looking into the mass notifications being triggered and considering more stringent rate limiting and distributed denial-of-service (DDoS) protection mechanisms.
“Even though threat actors are using better proxy servers that offer residential IPs, they still appear to be sending such a large volume of attempts that Apple may want to add even more aggressive CAPTCHAs” or content delivery network (CDN)-based protection, says Smith.
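The point Smith raises about residential proxies is the crux of the rate-limiting problem: a limit keyed on the requester’s IP address does nothing against an attacker who rotates through thousands of residential addresses, while a limit keyed on the target account caps the number of reset pushes a victim can receive no matter who asks. The following is an added example written for this article, not Apple’s code, and it makes no claim about how Apple’s reset endpoint actually works. The sample traffic is constructed: 40 reset requests for one account from 40 different source addresses within a minute, plus two ordinary requests for an unrelated account. The same sliding-window counter doubles as a detection rule that flags accounts under bombardment.

```python
"""Sliding-window limiting and detection for a password-reset endpoint.

Added example for this article; hypothetical endpoint, constructed traffic,
not derived from Apple's implementation.
"""
from collections import defaultdict, deque

# Constructed sample traffic: (timestamp_seconds, source_ip, target_account).
FLOOD_TARGET = "victim@icloud.example"
SAMPLE_REQUESTS = [(i * 1.5, f"203.0.113.{i}", FLOOD_TARGET) for i in range(40)]
SAMPLE_REQUESTS += [
    (5.0, "198.51.100.7", "alice@icloud.example"),
    (900.0, "198.51.100.7", "alice@icloud.example"),
]
SAMPLE_REQUESTS.sort()


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window_s` seconds."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._events = defaultdict(deque)  # key -> timestamps still in window

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window_s:  # expire old events
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def replay(requests, key_fn, limiter):
    """Feed requests through `limiter`; return {account: reset pushes delivered}."""
    delivered = defaultdict(int)
    for ts, ip, account in requests:
        if limiter.allow(key_fn(ip, account), ts):
            delivered[account] += 1  # a push reaches the victim's trusted device
    return dict(delivered)


def pushes_with_ip_keyed_limit():
    # Weak setting: 3 requests per source IP per 10 minutes.
    # Every proxy address is used once, so the flood passes untouched.
    return replay(SAMPLE_REQUESTS, lambda ip, acct: ip, SlidingWindowLimiter(3, 600))


def pushes_with_account_keyed_limit():
    # Hardened setting: 3 reset pushes per *target* account per hour,
    # regardless of how many addresses the requests come from.
    return replay(SAMPLE_REQUESTS, lambda ip, acct: acct, SlidingWindowLimiter(3, 3600))


def detect_bombed_accounts(requests, threshold=5, window_s=300):
    """Detection side: accounts that exceed `threshold` reset requests in any
    `window_s` span, which is the signature of an MFA bombing attempt."""
    lim = SlidingWindowLimiter(threshold, window_s)
    return sorted({acct for ts, ip, acct in requests if not lim.allow(acct, ts)})


if __name__ == "__main__":
    print("IP-keyed limit:     ", pushes_with_ip_keyed_limit())
    print("account-keyed limit:", pushes_with_account_keyed_limit())
    print("flagged accounts:   ", detect_bombed_accounts(SAMPLE_REQUESTS))
```

The trade-off to keep in mind is that an account-keyed limit lets an attacker who knows a victim’s address exhaust the victim’s own reset budget, so the legitimate owner cannot reset during the attack. In practice the limiter is paired with a cooldown message on the device, an out-of-band recovery path, and alerting on the detection rule rather than silent dropping.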
“Reject by default”
It is becoming clear that stronger authentication beyond conventional MFA is needed to protect accounts, as attackers keep finding new ways to bypass it. For example, threat actors are currently targeting Microsoft 365 and Gmail accounts with phishing campaigns built on Tycoon 2FA, an MFA-bypassing phishing-as-a-service (PhaaS) kit distributed via Telegram that is gaining considerable popularity.
Additionally, vishing itself is becoming a global cybercrime problem, with highly skilled and organized actors around the world targeting people while armed with knowledge of their personal data. In fact, a report released today by Hiya found that 28% of all unknown calls in 2023 were fraud or spam, with an average loss of $2,300 per user among those who lost money to these attacks.
The MFA bombing and similar attacks “are a stark reminder that phishers are increasingly finding creative ways to exploit human nature to access people’s valuable accounts, at work and at home,” notes Anna Pobletts, head of passwordless at 1Password.
She suggests a “reject by default” approach to any phone call or other type of message or alert that “seems the least bit unusual,” such as an unsolicited call from customer service, even if it appears to come from a trusted entity.
However, this advice is not the optimal solution, since it “places the burden of security on users,” says Pobletts. In fact, the ultimate answer to attackers bypassing MFA may be passkeys, which combat phishing attacks like MFA bombing by eliminating the credentials that are “the reward hackers are ultimately after,” she says.
However, until passkeys are adopted, companies will need to fill the gap to “quickly address vulnerabilities and improve authentication methods and recovery flows,” adds Pobletts.
For iPhone users who want to avoid being targeted by the current wave of MFA bombings, KrebsOnSecurity has suggested changing the phone number associated with their Apple account to a VoIP number, such as one from Skype or Google Voice, so that attackers cannot use their real iPhone number to target them. This will also disable iMessage and FaceTime on the device, which “could be a boon for those concerned about reducing the overall attack surface of their Apple devices,” the site added.