[personal profile] thewayne
This is being thrown against high-value targets: AI startup owners, cryptocurrency fund managers, computer security consultants, etc. The odds of this being used against average schlubs are quite low, as it requires some resources to be deployed, but that doesn't mean it can't happen. Regardless, it's always good to be aware.

In this case, MFA stands for multi-factor authentication. When you sign on to iCloud on a PC and it sends a six-digit number to your phone to authenticate in your PC browser, that's MFA.

What this attack does is flood the target with dozens and dozens of Reset Password notification messages, exploiting a rate-limit flaw. By rate limit, we mean a cap on how many messages of a specific type can be sent within a certain time frame. Normally, if you (the account owner) request a password reset, a reasonable rate limit would be one message every 15-30 seconds, not more often than that. You would never allow a flood of messages. These particular crooks have found a way to induce one.
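To make the rate-limit point concrete, here is an added example (my own illustration, not Apple's code and not from the Krebs article) of what a sane limiter on password-reset notifications looks like on the service side, plus the kind of counter a SOC could run over notification logs to spot a bombing burst after the fact. The policy values (30 seconds minimum between notifications, at most 5 per hour, and the detection threshold of 10 in 5 minutes) are assumptions chosen for the demonstration; the event data is constructed.

```python
"""Per-account rate limiting and burst detection for password-reset
notifications. Constructed example; the policy numbers are assumptions."""
from collections import defaultdict, deque

MIN_INTERVAL_SECONDS = 30    # assumed: at most one notification per 30 s per account
WINDOW_SECONDS = 3600        # assumed: rolling one-hour window
MAX_PER_WINDOW = 5           # assumed: hard cap within that window


class ResetNotificationLimiter:
    """Decides whether a reset notification may be pushed to an account's devices."""

    def __init__(self, min_interval=MIN_INTERVAL_SECONDS,
                 window=WINDOW_SECONDS, max_per_window=MAX_PER_WINDOW):
        self.min_interval = min_interval
        self.window = window
        self.max_per_window = max_per_window
        self._sent = {}  # account -> deque of timestamps of notifications actually sent

    def should_send(self, account, now):
        """Return True if a notification may be sent at time `now` (seconds)."""
        q = self._sent.setdefault(account, deque())
        # forget sends that have aged out of the rolling window
        while q and now - q[0] >= self.window:
            q.popleft()
        # minimum spacing between consecutive notifications
        if q and now - q[-1] < self.min_interval:
            return False
        # absolute cap inside the window, regardless of spacing
        if len(q) >= self.max_per_window:
            return False
        q.append(now)
        return True


def simulate_flood(limiter, account, requests_per_second, duration_seconds):
    """How many notifications reach the device if reset is requested at a steady rate."""
    delivered = 0
    total = requests_per_second * duration_seconds
    for i in range(total):
        now = i / requests_per_second
        if limiter.should_send(account, now):
            delivered += 1
    return delivered


def count_without_limit(requests_per_second, duration_seconds):
    """Without any limiter every request becomes a notification."""
    return requests_per_second * duration_seconds


def detect_reset_bombing(events, threshold=10, window=300):
    """Given (timestamp, account) notification events, return the accounts that
    received at least `threshold` notifications inside any `window` seconds."""
    per_account = defaultdict(deque)
    flagged = set()
    for ts, account in sorted(events):
        q = per_account[account]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(account)
    return flagged


# Constructed log: one account hammered every 5 s for two minutes, one normal user.
SAMPLE_EVENTS = [(t, "victim@example.invalid") for t in range(0, 120, 5)] + [
    (0, "alice@example.invalid"),
    (600, "alice@example.invalid"),
]

if __name__ == "__main__":
    flood = simulate_flood(ResetNotificationLimiter(), "victim@example.invalid", 2, 120)
    print("delivered with limiter:", flood)            # 4
    print("delivered without limiter:", count_without_limit(2, 120))  # 240
    print("flagged accounts:", detect_reset_bombing(SAMPLE_EVENTS))
```

The limiter enforces two independent rules, spacing and a window cap, because an attacker who learns the spacing can still sustain one prompt every 30 seconds indefinitely; the cap is what turns a flood into a handful. The detector is the mirror image: it does not need to know the attacker's rate, only that a single account is accumulating prompts far faster than any owner would request them.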

The result is the classic Allow/Deny prompt. Clicking Deny gets you another message. Clicking Allow is not catastrophic by itself; it pops up the MFA number-entry screen. Eventually you get a call from "Apple Support" from the correct (spoofed) phone number, and they'll be able to verify pretty much all your information, because they've bought it from a data broker - one of the resources they have to deploy, which is why this is more of a targeted attack than a widespread one.

And this is the biggest giveaway - Apple Support will NEVER call you, unless YOU initiate a support call for them to call you back!

The only way to truly block this attack at the moment is to change the phone number, and we all know what a PITA that would be! I suppose you could temporarily buy a burner phone, change the outgoing message on your prime phone to say 'This number is temporarily out of service, if you need to contact me, drop me an email and I'll call you back' and notify your true emergency contacts and employment contacts.

It's believed Apple will be looking at fixing the rate limit that's allowing this bombing attack to take place, but Apple is typically pretty tight-lipped about these things.

The article is an interesting read to see what people are going through right now.

In short, this is a moderately sophisticated social engineering attack with a good amount of resources behind it. If the victim falls for it and enters the reset code, they've surrendered the keys to their iCloud account to the criminals and could see ALL their devices wiped and reset: phone, watch, iPad, laptops. But not before the information is sucked out of them.

https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/

Date: 2024-03-27 02:58 pm (UTC)
From: [personal profile] elf
I first thought, "I am not a target" (I have basically nothing), but that doesn't mean I couldn't be hit by accident. Went over my options.

...Oh right, iCloud has been asking me to re-verify something for the last week or so, since the last update of the TOS or something like that, and I haven't bothered, because I don't care about iCloud. Because I have exactly one active Apple device, and I don't take pictures. (I used to also have a tablet. I could, theoretically, still use my ancient iPad. Still wouldn't care about iCloud; I didn't transfer stuff between the two.)

I may hold off on verifying iCloud until this has been addressed.

If I lost all the data in my iphone, I would... have to scrounge to find a dozen people's phone numbers, and be very unhappy that my gaming progress on a few games was wiped out.

Date: 2024-03-27 09:33 pm (UTC)
From: [personal profile] elayna
I was going to say I'm glad I never use iCloud, but I do have a few things in Notes, which I hadn't realized was iCloud. Looking now, they are all excruciatingly old; I'll look through and delete. And then I shall ignore any messages about my iCloud.

Date: 2024-03-27 11:54 pm (UTC)
From: [personal profile] disneydream06
I'm glad I don't have an i anything, :o
Hugs, Jon

Date: 2024-03-28 02:46 am (UTC)
From: [personal profile] kathmandu
Yeech. Thank you for the warning.

Date: 2024-03-29 06:18 am (UTC)
From: [personal profile] silveradept
It is a moderately sophisticated social engineering attack, but there's probably something about this that so many people who these thieves and phishers want to target are using iProducts that can be affected by this. I wonder if there's some kind of assumption that the good targets are the ones with the needlessly expensive trendy devices.

Date: 2024-03-31 06:29 pm (UTC)
From: [personal profile] silveradept
I don't like Apple's approach, but I wouldn't say everyone has to switch. I can see using Apple products or Android products because you like them and they play well with your situation. And yes, we know there's still lots of security everything that has to be handled with Android phones as well. I'm just not seeing as much advertising of even the Samsung flagships as "this is a device that will increase your social clout by owning it and displaying it conspicuously." And while all phone prices are inflated greatly to try and get you to pay them off in installments, iPhones almost always seem to be extremely pricey.
