
New Twist on Phishing Attack Targets Apple Users With Password Resets

Hackers are abusing Apple's password-reset function to bombard victims' iPhones with notifications. They then call the victim, pretending to be Apple support.

By Michael Kan
March 27, 2024
What the attack looks like (Credit: Parth Patel/Twitter user @parth220_)

If you suddenly receive dozens of password-reset notifications on your iPhone, watch out: You’re probably facing a devious phishing attack targeting Apple users. 

The tactic is intended to trick iPhone users into handing over access to their Apple accounts, according to security journalist Brian Krebs. 

One of the targeted users, tech entrepreneur Parth Patel, documented his experience on Twitter, saying his Apple devices suddenly received a stream of password-reset notifications one night last week. “Because these are Apple system level alerts, they prevent me from using my phone, watch, or laptop until I clicked “Don’t Allow” to 100+ notifications,” he wrote. 

The flood of notifications appears to have come from a hacker out to steal access to Patel's account. According to Krebs, Patel was careful to tap “Don’t Allow,” rather than “Allow,” on each notification. But even if he had tapped “Allow,” that alone would not have handed the hacker his account. Tapping “Allow” would only have prompted Apple to send a one-time code to his device, and that code is what is needed to complete a password reset. 

To obtain that one-time code, Patel said, the hacker later called his phone, pretending to be a member of Apple support. The call spoofed Apple’s official support line, 1-800-275-2273, so that the caller ID appeared legitimate. “They really emphasized this detail to win trust from the victim,” he wrote. “I was obviously still on guard, so I asked them to validate a ton of information about me, before answering any of their questions.”

The hacker did indeed know his date of birth, email address, and physical address. However, the culprit mistakenly thought his first name was “Anthony S.” This made Patel realize that the hacker had uncovered his information online through People Data Labs, a person-searching site, which had wrongly indexed some of his details.  

“Other founder friends of mine have also been targeted by this attack,” Patel added. “Fortunately neither of them fell victim [to] it.”

The news is raising worries that the hackers may be abusing a software bug in Apple’s password-reset function to bombard users with notifications. To reset a password, Apple’s site requires the user to type in their email address and phone number, and to pass a CAPTCHA test. But the attackers appear to have found a way to get past these checks at speed, letting them send a target dozens of reset prompts when a legitimate reset needs only one. 
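The article describes the reset flow (email, phone number, CAPTCHA, then a prompt pushed to the account's devices) and the symptom of the suspected bug: one request per prompt, with no effective cap on how many prompts an account receives. The block below is an added, illustrative example and is not Apple's code; it models a reset endpoint behind a gate that applies two controls a defender would want here: a per-account rate limit that is enforced before the CAPTCHA result is even consulted (so a bypassed CAPTCHA does not help), and coalescing so that at most one reset prompt is outstanding on a user's devices at a time. The policy numbers (three requests per hour, ten-minute prompt lifetime) and the `ResetPromptGate` class name are assumptions made for the example.

```python
"""Added example: server-side throttling of password-reset prompts.

Illustrative only, not Apple's implementation. Models the flow in the
article (email + phone + CAPTCHA, then a push prompt to the user's
devices) and shows controls that blunt "prompt bombing": a per-account
rate limit checked before the CAPTCHA result, and at most one
outstanding prompt per account.
"""
from collections import deque

# Assumed policy values for the example; tune per deployment.
MAX_REQUESTS = 3            # reset requests allowed per account per window
WINDOW_SECONDS = 3600       # sliding window for the rate limit
PROMPT_TTL_SECONDS = 600    # how long a pushed prompt stays valid


class ResetPromptGate:
    """Decides whether a password-reset request may push a prompt."""

    def __init__(self, max_requests=MAX_REQUESTS,
                 window=WINDOW_SECONDS, prompt_ttl=PROMPT_TTL_SECONDS):
        self.max_requests = max_requests
        self.window = window
        self.prompt_ttl = prompt_ttl
        self._requests = {}   # account_id -> deque of request timestamps
        self._pending = {}    # account_id -> expiry time of outstanding prompt

    def request_reset(self, account_id, captcha_ok, now):
        """Return one of 'throttled', 'rejected', 'coalesced', 'prompt'.

        Every attempt is recorded and the rate limit is applied first, so
        an attacker who can defeat the CAPTCHA still cannot exceed
        max_requests prompts per window. Throttled attempts also count,
        which keeps a persistent spammer locked out.
        """
        q = self._requests.setdefault(account_id, deque())
        while q and now - q[0] >= self.window:
            q.popleft()                     # drop requests outside the window
        q.append(now)
        if len(q) > self.max_requests:
            return "throttled"              # log and alert on this condition
        if not captcha_ok:
            return "rejected"
        expiry = self._pending.get(account_id)
        if expiry is not None and now < expiry:
            # A prompt is already on the user's devices; do not push another.
            return "coalesced"
        self._pending[account_id] = now + self.prompt_ttl
        return "prompt"

    def resolve_prompt(self, account_id):
        """Called when the user taps Allow or Don't Allow on the prompt."""
        self._pending.pop(account_id, None)


def simulate_burst(gate, account_id, count, start=0.0, spacing=1.0,
                   captcha_ok=True):
    """Fire `count` reset requests `spacing` seconds apart; return decisions."""
    return [gate.request_reset(account_id, captcha_ok, start + i * spacing)
            for i in range(count)]


if __name__ == "__main__":
    gate = ResetPromptGate()
    # Constructed scenario: 100 requests in 100 seconds against one account,
    # the pattern the article describes.
    decisions = simulate_burst(gate, "victim@example.com", 100)
    print("prompts pushed:", decisions.count("prompt"))        # 1
    print("throttled:", decisions.count("throttled"))          # 97
```

The gate's decisions are what the monitoring side should consume: a single account tripping "throttled" many times in a minute is, by itself, a strong signal that someone is trying to bomb that user with prompts.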

Krebs adds that one victim continues to receive streams of unauthorized Apple password-reset notifications, despite calling the company to help him stop them.

In an email to PCMag, Apple didn't address the concerns about a bug affecting its password reset function. But the company pointed us to a support article about fending off phishing threats, which noted: "If you get an unsolicited or suspicious phone call from someone claiming to be from Apple or Apple Support, just hang up."


About Michael Kan

Senior Reporter

I've been with PCMag since October 2017, covering a wide range of topics, including consumer electronics, cybersecurity, social media, networking, and gaming. Prior to working at PCMag, I was a foreign correspondent in Beijing for over five years, covering the tech scene in Asia.
