What happens during an attack
- What happens is that target devices are forced to show dozens of system-level prompts (in effect MFA warnings generated by Apple’s Forgot Password feature) that stop the target device from working until the user chooses Allow or Don’t Allow on each of them.
- Once the target has declined all those requests, they receive a phone call from a number that looks like Apple Support, warning them that their account is under attack and that they must verify a one-time code.
- The aim of the attack is to trigger an Apple ID reset code to be sent to the target device, and to then get the user to share that code over the phone.
- If you ever receive such a code, you’ll see that alongside it you will be sent a warning not to share that code with anyone else.
- This is why attackers work so hard to seem convincing: if a target hands over the code, the attacker immediately takes over the user’s Apple ID and locks the user out.
- They then gain access to all your Apple ID protected data and services and can remotely wipe all your Apple devices.
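The pattern described above, a burst of denied prompts followed by a single approval, is also what an identity or security operations team can watch for. The following is an added example, not code from the original article or from Apple; the log format is a constructed, hypothetical one (the article shows no log data), so the field names would need to be adapted to whatever an IdP or MDM actually exports. It counts denied MFA prompts per account in a sliding window and, once the threshold is crossed, marks any later approval as the likely moment of compromise rather than as a reset of the alert.

```python
"""Detect MFA-bombing (push fatigue) bursts in authentication event logs.

Added example, not from the original article. The log format is constructed
and hypothetical: one event per line with an ISO-8601 timestamp, the account,
the event type and the prompt outcome ("denied" or "approved").
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events. alice is bombed with six denials in 40 seconds and
# then approves one prompt; bob denies two prompts more than an hour apart.
SAMPLE_LOG = """\
2024-03-27T09:00:01Z alice@example.com mfa_prompt denied
2024-03-27T09:00:09Z alice@example.com mfa_prompt denied
2024-03-27T09:00:17Z alice@example.com mfa_prompt denied
2024-03-27T09:00:25Z alice@example.com mfa_prompt denied
2024-03-27T09:00:33Z alice@example.com mfa_prompt denied
2024-03-27T09:00:41Z alice@example.com mfa_prompt denied
2024-03-27T09:01:10Z alice@example.com mfa_prompt approved
2024-03-27T09:03:00Z bob@example.com mfa_prompt approved
2024-03-27T10:15:00Z bob@example.com mfa_prompt denied
2024-03-27T11:30:00Z bob@example.com mfa_prompt denied
"""


def parse_events(text):
    """Yield (timestamp, account, outcome) tuples from the constructed log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event, outcome = line.split()
        if event != "mfa_prompt":
            continue
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, outcome


def detect_mfa_bombing(text, threshold=5, window=timedelta(minutes=10)):
    """Return {account: {"first_alert": ts, "approved_after_alert": bool}}.

    An account is flagged when it denies at least `threshold` prompts inside
    any sliding `window`. Approvals never clear the alert: an approval that
    arrives after the burst is the outcome the attacker is working towards,
    so it is recorded separately for the responder.
    """
    recent = {}   # account -> deque of denial timestamps still inside the window
    alerts = {}
    for ts, account, outcome in sorted(parse_events(text)):
        if outcome == "approved":
            if account in alerts:
                alerts[account]["approved_after_alert"] = True
            continue
        q = recent.setdefault(account, deque())
        q.append(ts)
        while ts - q[0] > window:      # drop denials that fell out of the window
            q.popleft()
        if len(q) >= threshold and account not in alerts:
            alerts[account] = {"first_alert": ts, "approved_after_alert": False}
    return alerts


if __name__ == "__main__":
    for account, info in detect_mfa_bombing(SAMPLE_LOG).items():
        status = "APPROVED AFTER BURST" if info["approved_after_alert"] else "burst only"
        print(f"ALERT {account} at {info['first_alert'].isoformat()}: {status}")
```

With the defaults, only alice is flagged (at the fifth denial, 09:00:33), and her later approval is surfaced as the event to investigate first; bob's two denials an hour apart stay below the threshold.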
These are sophisticated attacks
Critical to understanding the nature of this attack is knowing that if you are targeted by it, you have probably already been selected as an attack target. These are relatively organized attempts, and whoever is behind an attack will already have researched some details about the victim.
That’s because they need the email address and phone number associated with your Apple ID. Those details may come from data brokers and people-search websites such as PeopleDataLabs, as KrebsOnSecurity suggested earlier this week.
The attackers need to have sourced information about the target to come across as genuine in the all-important phone call, during which they con the target into sharing the reset code. In other words, these are highly tactical, planned attacks in which the attackers have assembled large quantities of personal data.
Michael Covington, VP of Portfolio Strategy at Jamf, puts it this way: “MFA bombing presents a challenge to any targeted user, as they are forced to sift through a deluge of notifications with the fear of being victimized further if just one mistake is made.
“What they don’t realize, however, is that this attack is typically preceded by a successful compromise of the user’s credentials, thus allowing a hacker to initiate the sign-in process.”
Jamf recently warned that many Apple-using businesses are still soft targets for such attempts.