The Wayne ([personal profile] thewayne) wrote 2024-03-27 08:28 am

"MFA Bombing" Attack in active use against iPhone users

This is being thrown against high-value targets: AI startup owners, cryptocurrency fund managers, computer security consultants, etc. The odds of this being targeted at the average shlub are quite low, since it requires some resources to deploy, but that doesn't mean it can't happen. Regardless, it's always good to be aware.

In this case, MFA stands for multi-factor authentication. When you sign on to iCloud on a PC and it sends a six-digit number to your phone to authenticate in your PC browser, that's MFA.

What this attack does is flood the target with dozens and dozens of Reset Password notification messages, exploiting a rate limit flaw. By rate limit, we mean limiting how many messages of a specific type can be sent within a certain time frame. Normally, if you (the account owner) request a password reset, a reasonable rate limit would be one message every 15-30 seconds, not more often than that. You wouldn't allow a flood of messages. These particular crooks have found a way to induce a flood.
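As an added example (my own illustration, not code from the post or from Apple), here is what a server-side throttle on password-reset prompts could look like: a minimum spacing between prompts, a per-account cap per hour, and a security alert once an account is clearly being bombed. The constants, the account names and the `simulate_flood` scenario are assumed values for the demonstration.

```python
from collections import deque
from dataclasses import dataclass, field

# Assumed policy values for the demonstration, not Apple's real limits.
MIN_INTERVAL_S = 30      # the post's "one message every 15-30 seconds", upper bound
WINDOW_S = 3600          # sliding window for the per-account cap
MAX_PER_WINDOW = 5       # prompts actually pushed to devices per account per window
ALERT_THRESHOLD = 10     # throttled requests in the window that mark an account as bombed


@dataclass
class ResetPromptLimiter:
    """Per-account throttle for 'Reset Password' push prompts."""
    sent: dict = field(default_factory=dict)        # account -> deque of send times
    suppressed: dict = field(default_factory=dict)  # account -> deque of throttled times

    @staticmethod
    def _prune(q: deque, now: float) -> None:
        # Forget events that fell out of the sliding window.
        while q and now - q[0] > WINDOW_S:
            q.popleft()

    def request(self, account: str, now: float) -> str:
        """Return 'send', 'throttled', or 'alert' (suppressed, and the account is under a flood)."""
        sent = self.sent.setdefault(account, deque())
        sup = self.suppressed.setdefault(account, deque())
        self._prune(sent, now)
        self._prune(sup, now)
        # Once enough requests have been throttled, stop sending prompts entirely and
        # flag the account: a real user never fires off this many reset requests.
        if len(sup) >= ALERT_THRESHOLD:
            sup.append(now)
            return "alert"
        too_soon = bool(sent) and now - sent[-1] < MIN_INTERVAL_S
        over_cap = len(sent) >= MAX_PER_WINDOW
        if too_soon or over_cap:
            sup.append(now)
            return "throttled"
        sent.append(now)
        return "send"


def simulate_flood(limiter: ResetPromptLimiter, account: str, count: int,
                   spacing_s: float, start: float = 0.0) -> list:
    """Constructed scenario: `count` reset requests for one account, `spacing_s` seconds apart."""
    return [limiter.request(account, start + i * spacing_s) for i in range(count)]
```

A legitimate owner who retries twice a minute apart gets both prompts; forty requests two seconds apart yield one prompt, ten throttled attempts and then only alerts.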

The result is the classic Allow/Deny prompt. Clicking Deny gets you another message. Clicking Allow is not catastrophic in itself; it pops up the MFA number entry screen. Eventually you get a call from "Apple Support", with the correct (spoofed) phone number, and they'll be able to verify pretty much all your information, because they've bought it from a data broker. That's one of the resources they have to deploy, which is why it's more of a targeted attack than a widespread one.

And this is the biggest giveaway - Apple Support will NEVER call you, unless YOU initiate a support call for them to call you back!

The only way to truly block this attack at the moment is to change the phone number, and we all know what a PITA that would be! I suppose you could temporarily buy a burner phone, change the outgoing message on your prime phone to say 'This number is temporarily out of service, if you need to contact me, drop me an email and I'll call you back' and notify your true emergency contacts and employment contacts.

It's believed Apple will be looking at fixing the rate limit that's allowing this bombing attack to take place, but Apple is typically pretty tight-lipped about these things.

The article is an interesting read to see what people are going through right now.

In a way, this is a moderately sophisticated social engineering attack with a good amount of resources behind it. If the victim falls for it and enters the reset code, they've surrendered the keys to their iCloud account to the criminals and could potentially see ALL their devices wiped and reset: phone, watch, iPad, laptops. But not before the information is sucked out of them.

https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/