New Push Bombing Attack Targets Apple Device Owners

Written by: Shipra Sanganeria, Cybersecurity & Tech Writer

Fact-checked by: Kate Richards, Content Manager

Apple device owners appear to be the targets of a new, elaborate phishing scam that seems to exploit a flaw in Apple's password reset feature.

The campaign was first reported by information security journalist Brian Krebs and involved Apple users being inundated with incessant password reset notifications in an attempt to steal user data.

If approved (by clicking the “Allow” option), these push notifications, or multi-factor authentication prompts, enable the scammers to reset a victim’s Apple credentials and take over their iCloud account.

According to Krebs, the alerts themselves were not used to gain device access; rather, the goal was to obtain the one-time verification code.

“Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code,” Krebs stated in the blog.

The blog shared several recent incidents where business and tech executives reported being targets of this campaign.

One of the potential targets, tech entrepreneur Parth Patel, documented his experience of this “push bombing” or “MFA fatigue” (multi-factor authentication fatigue) attack in a thread on X (formerly Twitter).

He revealed that on March 23 his Apple devices (iPhone, Watch, and Mac) were suddenly bombarded with hundreds of password-reset notifications.

These system-generated prompts prevent Apple users from using the device until each prompt is dealt with. Parth, being wary of these alerts, chose to dismiss them, which led to a fraudulent call from the scammers.

Claiming to be from the Apple support team, the attackers tried, unsuccessfully, to trick him into sharing the one-time “verify” code, using information about him taken from a people-search website.

Krebs’s blog also cited a few other instances where Apple device owners recounted their experiences with similar phishing attempts.

Apple hasn’t issued any statement about the vulnerability or the number of users impacted by the incident. However, it does have a support article about protecting Apple accounts and devices from phishing attacks.
