Suspected MFA Bombing Attacks Target Apple iPhone Users

Attackers are targeting Apple iPhone users with a rash of MFA bombing attacks that use a relentless series of legitimate password-reset notification alerts in what appears to be an attempt to take over their iCloud accounts. The activity has focused attention on the evolving nature of so-called multifactor authentication (MFA) bombing attacks.

A report by information security website KrebsOnSecurity first highlighted the campaign, which is targeting business and tech execs. The report quoted multiple individuals who had experienced these incidents recently. A few said they had even received "vishing" phone calls from individuals purporting to be Apple support staff using a number that spoofed Apple's official customer support line.

In conversations with Dark Reading, researchers delved into the activity, highlighting concerning new bombing tactics being used in the campaign.

Password Reset Flood

The password reset flood and phone calls appeared to be a highly targeted attempt to trick victims to use their Apple devices to reset their Apple ID. One victim who engaged with the supposed Apple customer support staff reported being startled by the mostly "totally accurate" information that attackers appeared to have about him as he tried to vet their credibility.

In another instance, an individual reported the push notifications as continuing unabated even after he swapped his old phone for a new iPhone, changed his email address, and created a brand-new iCloud account. Another victim recounted receiving the password reset requests even after enabling a recovery key for their Apple ID at the request of an Apple support engineer. Apple has touted the key — an optional feature — as helping users better secure their accounts and as turning off Apple's standard password recovery processes.

The attacker's apparent ability to send dozens of reset requests in a short period of time prompted some questions of a potential glitch in Apple's password reset mechanism for iCloud accounts, such as a possible "rate-limit" problem that incorrectly allows spam-level volumes of reset requests.

Apple did not confirm or deny the reported attacks. Neither did it respond to Dark Reading's question on whether the attackers might be leveraging an undisclosed bug in the company's password reset feature. Instead, a company spokesman pointed to a support article that Apple published on Feb. 23 offering advice to customers on how to spot and avoid phishing messages, phony support calls, and other scams.

The spokesman highlighted sections of the article pertaining to attackers sometimes using fake Caller ID info to spoof phone numbers and often claiming suspicious activity on an account or device to get users to take some unwanted action. "If you get an unsolicited or suspicious phone call from someone claiming to be from Apple or Apple Support, just hang up," the advice noted.

MFA Bombing: An Evolving Cyber Tactic

Multifactor bombing attacks — also known as multifactor fatigue attacks — are a social engineering exploit in which attackers flood a target's phone, computer, or email account with push notifications to approve a login or a password reset. The idea behind these attacks is to overwhelm a target with so many second-factor authentication requests that they eventually accept one either mistakenly or because they want the notifications to stop.

Typically, these attacks have involved the threat actors first illegally obtaining the username and password to a victim account and then using a bombing or fatigue attack to obtain second-factor authentication to accounts protected by MFA. In 2022, for instance, members of the Lapsus$ threat group obtained the VPN credentials for an individual working for a third-party contractor for Uber. They then used the credentials to repeatedly try and log in to the contractor's VPN account triggering a two-factor authentication request on the contractor's phone each time — which the contractor ultimately approved. The attackers then used the VPN access to breach multiple Uber systems.

The twist in the new MFA bombing attacks targeting Apple users is that the attackers don't appear to be using — or even requiring — any previously obtained username or password.

"In previous MFA bombing, the attacker would have compromised the user's password either via phishing or data leak and then used it many times until the user confirmed the MFA push notification," security researcher Matt Johansen says. "In this attack, all the hacker has is the user's phone number or email address associated with an iCloud account and they're taking advantage of the 'forgot password' flow prompting on the user's trusted device to allow the password reset to go through."

The password reset has a CAPTCHA on it to help rate limit the reset requests, Johansen says. But it appears the attackers are easily bypassing that, he notes. The fact that the threat actors are spoofing the legitimate Apple Support phone number and calling the user at the same time as the MFA bombing is another notable difference.

"So, the user is flustered with their device blowing up in MFA requests and they get a call from a legitimate Apple number saying they're here to help, just let them know what code they got sent to their phone. I'm guessing this is a very high success-rate tactic."

Based on available information on the attack, it is likely that the threat actors are going after high net-worth individuals, Johansen adds. "I suspect the crypto community would be hardest hit, from initial reports," he says.

Jared Smith, distinguished engineer at SecurityScorecard, says it's likely the attackers are simply credential stuffing Apple’s reset password forms using known Apple iCloud/Me.com email addresses.

"It would be the equivalent of me going to X/Twitter and plugging your personal email into the reset password form, hoping or knowing you use it for Twitter, and either annoying you or, if I was smart, having some way to get the reset codes from you." 

He says it's likely that Apple is examining the mass notifications being triggered and considering more stringent rate limiting and distributed denial-of-service (DDoS) protection mechanisms. 

"Even if the threat actors are using better proxy servers that offer residential IPs, they still seem to be sending such a large volume of attempts that Apple may want to add even more aggressive CAPTCHAs" or a content delivery network (CDN)-based protection, Smith says.

"Decline by Default"

It's becoming abundantly clear that stronger authentication beyond MFA is required to secure devices as attackers find new ways to bypass it. For instance, threat actors are currently targeting Microsoft 365 and Gmail email accounts with phishing campaigns using an MFA-bypass phishing-as-a-service (PhaaS) kit distributed via Telegram called Tycoon 2FA that's gaining significant traction.

Moreover, vishing itself is becoming a global cybercriminal pandemic, with highly skilled and organized actors across the world targeting people with knowledge of their personal data. In fact, a report published today by Hiya found that 28% of all unknown calls in 2023 were fraud or spam, with an average loss of $2,300 per user for those who lost money to these attacks.

MFA bombing and similar attacks "are a tough reminder that phishers are increasingly finding creative ways to exploit human nature to access people’s valuable accounts, at work and at home," notes Anna Pobletts, head of passwordless at 1Password.

She suggests a "decline by default" approach to any phone call or other type of message or alert that "seems the slightest bit unusual," such as an unsolicited call from customer service, even if it seems to come from a trusted entity.

Still, this advice isn't the optimal solution as it "puts the burden of security on users," Pobletts says. Indeed, the ultimate solution to MFA bypass by attackers may be in using passkeys, which combat phishing attacks like MFA bombing by eliminating the use of credentials, which are "the reward that hackers are ultimately after," she says.

However, until passkeys gain adoption, companies will have to pick up the slack to "rapidly address vulnerabilities and improve their authentication methods and recovery flows," Pobletts adds.

For iPhone users who want to avoid being targeted by the current spate of MFA bombing, KrebsOnSecurity suggested that they can change the phone number associated with their account to a VoIP number — such as one from Skype or Google Voice — to avoid having attackers having access to their iPhone number and thus targeting them. This also will disable iMessage and Facetime on the device, which "might a bonus for those concerned about reducing the overall attack surface of their Apple devices," the site added.