News

MFA Fatigue Attacks Targeting iPhone Users

By Jeff Butts

Published March 27, 2024

A growing number of iPhone users are experiencing MFA fatigue attacks attempting to take over their Apple accounts.

If you’ve had an Apple device for more than a few months, you’re probably used to your iPhone prompting you for your Apple ID password once in a while. You might even go ahead and input that password without thinking twice. That’s a bad idea, actually. A recent string of MFA fatigue attacks is hitting iPhone users, bombarding them with password reset prompts that could easily compromise their Apple accounts.

What’s a MFA Fatigue Attack?

If you’ve been reading groovyPost for a while, you’ve likely seen us discuss 2FA and MFA. These stand for, respectively, two-factor authentication and multi-factor authentication. They’re a second line of defense for your online accounts, requiring you to give more than just your username and password to log in.

You may use an authenticator app, for example. Maybe you have a special USB key that you need to plug in for a login. In other cases, you’ll receive a code via SMS message.

In an MFA attack, bad actors will bombard you with MFA requests. The hope is that you’ll fall for at least one of them. In one recent attack documented by Parth Patel on X (formerly known as Twitter), Patel was hit with more than 100 push notifications prompting him to reset his Apple ID password.

A ‘Bug in Apple’s Systems’ Allowing Push Bombing Attacks

According to Krebs on Security, it’s a bug in Apple’s password reset feature that’s allowing these phishing attempts to work their magic. The target’s Apple devices, whether an iPhone, iPad, Apple Watch or Mac computer, are forced to show a potential victim dozens of push notifications.

Apple ID password reset push notifications on an iPhone (Image courtesy Parth Patel)

These notifications stop you from using your device until you respond “Allow” or “Don’t Allow.” You might think that denying enough of them would trigger the attacker to give up, but that’s not the case.

Apple ID password reset dialog on an iPhone (Image courtesy Parth Patel)

After denying more than a hundred of the push notifications, Patel got a phone call. That phone call spoofed Apple’s customer support line, 1-800-275-2273. It was not, however, Apple calling — it was someone behind the phishing attack making one more effort to get access to Patel’s account.

As a matter of fact, such phone calls are completely against Apple’s support policy. The tech giant will never initiate an outbound call to you unless you ask Apple to contact you.

What To Do If Faced with a MFA Attack

We’re always vigilant with our online security, and so should you be. If you fall prey to one of these MFA fatigue attacks, here’s what you should do.

1. Make sure you deny each and every password reset prompt unless you did, in fact, attempt to reset your password.
2. If you receive a phone call claiming to be from Apple, go ahead and pick up the call. Inform the “representative” that you will call them back and hang up.
3. Call Apple’s support line and inform them you may be undergoing a push bombing attack. The customer service rep should be able to confirm whether the call truly came from Apple or not.

Apple has not yet responded to requests for comment on the issue, but the company is usually quick to address exploits when they appear. Such attacks were used against Cisco, Microsoft, and Uber in past years, and those tech giants all responded swiftly to “plug the hole.”

I expect Apple to do likewise, either by rate-limiting the password reset push notifications so they don’t flood a user or by requiring some sort of additional verification before sending the notification.