iPhone Users Are Under Threat of New "Password Reset" Attacks - How to Stay Safe

Hackers have figured out how to exploit what appears to be a bug in Apple's password reset feature.

As reported by Krebs on Security, the attack begins with a single password reset notification on the iPhone, followed by dozens of similar prompts. What makes this attack particularly troubling is that the targeted user must respond to each individual prompt with "Don't Allow."

If you do not, the notifications will not go away, effectively rendering your iPhone unusable. Another worry is that the victim may accidentally tap "Allow" instead of "Don't Allow." In that case, the attacker behind the campaign could reset your password and take complete control of your Apple account.

If you own multiple Apple devices, the attack becomes even trickier because the prompts appear on all of them. For example, one potential victim named Ken, interviewed by Krebs on Security, said that the prompt appeared on his Apple Watch and he had to scroll down to reach the "Don't Allow" button.

Below is everything you need to know about this new reset password attack and some steps you can take to stay safe.

Entrepreneur Parth Patel detailed his own experience with this attack in a post on X and included screenshots. Patel explained that he and other startup founders had been "targeted by the same group/attack," which is what prompted the thread in the first place.

This type of attack is known as "push-bombing" or "MFA fatigue." The criminals behind it abuse either a feature or a weakness in a company's multi-factor authentication (MFA) system to flood the target with approval prompts until one is accepted, by accident or out of frustration.
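To make the push-bombing pattern concrete from the defender's side, here is an added example (not code from the article or from Apple) that detects a burst of reset prompts to one account in constructed sample events, records whether the user tapped "Allow" after the burst, and shows a server-side rate limit that would stop the flood before it reaches the devices. The event format, account names and thresholds are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real Apple logs): one reset prompt per line,
# "<ISO timestamp> <account> <device> <user response>". The first account is
# being push-bombed across several devices; the second is a normal single reset.
SAMPLE_EVENTS = """\
2024-03-24T14:00:01Z target@example.com iphone deny
2024-03-24T14:00:09Z target@example.com watch deny
2024-03-24T14:00:15Z target@example.com macbook deny
2024-03-24T14:00:22Z target@example.com iphone deny
2024-03-24T14:00:30Z target@example.com iphone deny
2024-03-24T14:00:41Z target@example.com watch allow
2024-03-24T15:10:00Z normal@example.com iphone allow
"""

def parse_events(text):
    """Parse the sample format into (timestamp, account, device, response) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, device, response = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), account, device, response))
    return events

def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag accounts with >= threshold prompts in a sliding window; note any later 'Allow'."""
    recent, flagged = defaultdict(deque), {}
    for ts, account, _device, response in sorted(events):
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:          # evict prompts older than the window
            q.popleft()
        if len(q) >= threshold and account not in flagged:
            flagged[account] = {"burst_count": len(q), "allowed_after_burst": False}
        if account in flagged and response == "allow":
            flagged[account]["allowed_after_burst"] = True
    return flagged

class ResetPromptLimiter:
    """Mitigation: cap reset prompts per account per window so a flood never reaches the devices."""
    def __init__(self, max_prompts=3, window=timedelta(minutes=15)):
        self.max_prompts, self.window, self.sent = max_prompts, window, defaultdict(deque)

    def allow_prompt(self, account, ts):
        q = self.sent[account]
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_prompts:
            return False                   # suppress the push and raise an alert instead
        q.append(ts)
        return True
```

With the sample data, the first account is flagged on its fifth prompt and the later "Allow" is recorded as a likely compromise, while the limiter would have dropped everything after the third prompt.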

Patel is so fully invested in the Apple ecosystem that he began seeing these password reset notifications on his watch, laptop, and phone. Worst of all, he could not do anything else with his phone until he had manually dismissed all of the notifications one after the other.

Another major concern is that some iPhone users will tap "Allow" just to be able to use their device again. Doing so would give the attackers full access to their Apple account and lock them out of it.

While Patel thought the attack was over after he had dismissed dozens of password reset notifications, the attacker behind the campaign had another trick up his sleeve. Patel then received a call from someone claiming to be Apple Support, with the caller ID showing 1-800-275-2273, the iPhone maker's actual customer support line.

As a high-value target, Patel was already suspicious when he picked up the phone. He asked the caller to verify some information about him, which, to his surprise, the caller was able to do after some "positive input." What the caller could not get right, however, was Patel's real name, which made it clear he was talking to a scammer and not an Apple customer support representative.

The attacker likely obtained Patel's information from a people search site, as the name provided was one he had only seen on a site called PeopleDataLabs. For this reason, it is always a good idea to limit the extent to which personal information is available online.

Whether this attack was made possible by a bug in Apple's password reset feature remains to be seen, but it is quite possible. Tom's Guide contacted Apple, and the company provided some guidance on how iPhone users can protect themselves from this and similar attacks.

For starters, the iPhone maker has a handy support page with all the information you need to know to deal with phishing and other scams. In this guide, Apple recommends reporting any phishing attempts directly to the company at its [email protected] email address. Similarly, in a statement, a company spokesperson advised users who receive scam phone calls such as those described above to report these events on the FTC's website.

In the unlikely event that you are targeted by this attack, the most important thing is not to tap "Allow" on any password reset notification. Dismissing them one by one is annoying and time-consuming, but until you do, you will not be able to use your iPhone, and tapping "Allow" would hand the attackers complete control of your Apple account.

If you receive a call from someone claiming to be from Apple Support, do not give them any personal information. Follow Patel's lead and have the caller verify your information first. Bear in mind that it is highly unlikely Apple Support will call you out of the blue, and if they do, they will not ask for your password or other personal information over the phone.

We'll know more about this password reset attack once Apple implements a fix, but until then, keep your iPhone nearby and know exactly what you are tapping when a password reset notification appears.
