Apple users are being warned to watch out for an elaborate phishing attack in which scammers use recurring password reset requests and social engineering to attempt to gain access to Apple ID accounts.
The attack can also involve calls from a spoofed phone number purporting to be a legitimate call from Apple Support.
Security journalist Brian Krebs first reported on the experience of tech entrepreneur Parth Patel, who posted on X in March about managing to fend off such an attack.
Patel said he believed scammers collected data such as his email address and phone number using open-source intelligence (OSINT) and people data aggregators in order to spam his Apple ID account with multi-factor authentication (MFA) password reset requests through Apple’s website.
“Because these are Apple system level alerts, they prevent me from using my phone, watch, or laptop until I clicked ‘Don’t Allow’ to 100+ notifications,” he said.
“At this point I figured I was either pwned or someone was attempting to pwn me.”
While tapping Allow won’t grant immediate access to an account, the repeated device notifications appear to be a way to create fear before scammers call potential victims pretending to be from Apple Support.
The attackers made a led high effort focused attack on me, using OSINT data from People Data Labs and caller ID spoofing.
— Parth (@parth220_) March 23, 2024
First, around 6:36pm yesterday all of my Apple devices started blowing up with Reset Password notifications.
Because these are Apple system level alerts,… pic.twitter.com/vX1AZvoVoN
Patel wrote that he received a call which appeared to be from an Apple Support number, in which the caller claimed Patel was being attacked and needed to verify a One Time Password (OTP) sent to his device.
But Patel said he was “obviously still on guard” and asked the caller to confirm more personal information before answering any questions.
“They got a lot right, from DOB, to email, to phone number, to current address, historic addresses,” he said — but they provided an incorrect first name, which was a red flag.
Patel said he had also been tipped off that his data had been taken from a people-search website.
He said he received a One Time Password over text message, but didn’t share it with the scammers.
Had he supplied the code, the attackers could potentially have taken over his Apple ID account and locked him out.
Following his experience, Patel told his followers: “If you haven’t already, I’d highly suggest scrubbing yourself from people data aggregators.”
Other social media users have also reported being targeted by similar attacks.
Apple says ‘just hang up’
The attacks have raised concerns over potential bugs in Apple’s password-reset system, which appears to have allowed scammers to bombard some users with notifications to frighten them into action.
Apple’s site requires a user’s email address or phone number and a successful CAPTCHA test to send a password reset request.
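The weak point the article describes is not the CAPTCHA but the fact that each accepted reset request becomes a push to every device the target owns, so a burst of requests becomes a burst of alerts. One server-side mitigation is to throttle device notifications per target identity and to treat a burst as a security signal rather than as a hundred legitimate requests. The following is an added illustration, not Apple's code and not taken from the article; the class and function names, the thresholds, and the sample event stream are all assumptions.

```python
"""Added example (not Apple's code): per-identity throttling of password-reset
device notifications, one mitigation for reset-request bombing.
All names, thresholds and the sample events below are assumptions."""
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 3600      # assumed: count requests over the last hour
MAX_PUSHES_PER_WINDOW = 3  # assumed: after this many, stop pushing to devices
ALERT_THRESHOLD = 10       # assumed: at this rate, flag the account for review


@dataclass
class ResetRequestGuard:
    """Tracks reset requests per identity (email or phone) in a sliding
    window and decides whether a device notification should be sent."""
    history: dict = field(default_factory=dict)  # identity -> deque of timestamps
    flagged: set = field(default_factory=set)

    def _prune(self, identity: str, now: float) -> deque:
        # Drop timestamps that have aged out of the window.
        q = self.history.setdefault(identity, deque())
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def record(self, identity: str, now: float) -> str:
        """Record one reset request and return the decision:
        'push'    - notify the user's devices as usual
        'silent'  - accept the request but send no push (the reset link still
                    goes through the normal channel, so a real user is not blocked)
        'flagged' - burst looks like bombing; raise a security alert instead"""
        q = self._prune(identity, now)
        q.append(now)
        count = len(q)
        if count >= ALERT_THRESHOLD:
            self.flagged.add(identity)
            return "flagged"
        if count > MAX_PUSHES_PER_WINDOW:
            return "silent"
        return "push"


def simulate(events):
    """Run a list of (timestamp, identity) events through a fresh guard and
    return the per-event decisions plus the identities that were flagged."""
    guard = ResetRequestGuard()
    decisions = [guard.record(identity, ts) for ts, identity in events]
    return decisions, sorted(guard.flagged)


# Constructed sample: one identity hit 12 times in ten minutes, one normal user.
SAMPLE_EVENTS = [(float(i * 50), "victim@example.com") for i in range(12)] + [
    (100.0, "normal@example.com"),
]

if __name__ == "__main__":
    decisions, flagged = simulate(SAMPLE_EVENTS)
    print(decisions)  # first three 'push', then 'silent', then 'flagged'; last 'push'
    print(flagged)    # ['victim@example.com']
```

The design point is that the throttle only suppresses the interruptive push, not the reset flow itself, so a genuine user who forgot their password is not locked out, while an attacker cannot turn the reset endpoint into an alarm that rings on every one of the target's devices. The flagged state is what a security team would want surfaced, since a burst of reset requests against one account is exactly the precursor to the follow-up support call the article describes.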
Professor of Cyber Security at Edith Cowan University, Paul Haskell-Dowland, told Information Age, “the challenge for Apple is to fix the underlying mechanism that supports so many password reset challenges in the first place, and to find a way to communicate the scam to users that doesn’t make the problem worse — and to avoid any reputational damage as a consequence.”
Apple did not respond to a request for comment, but the company’s support site says if users are suspicious of unsolicited communications, “it's safer to presume” it is a scam and contact the company directly.
“Scammers use fake Caller ID info to spoof phone numbers of companies like Apple and often claim that there's suspicious activity on your account or device to get your attention,” Apple says.
“Or they may use flattery or threats to pressure you into giving them information, money, and even Apple gift cards.
“If you get an unsolicited or suspicious phone call from someone claiming to be from Apple or Apple Support, just hang up.”
Apple says users can also set up a recovery key or recovery contact, which can help them regain access to their account if they are ever locked out.
Prof Haskell-Dowland says while users should always be suspicious of unsolicited communications, the criminals behind such scams “are very capable, motivated and determined”, and victims can be “of all ages and every conceivable demographic”.
“By reporting incidents we increase the potential for the scams to be blocked, crimes to be investigated, and at least an opportunity to recover any losses,” he says.