iPhone Users Are Being Targeted by MFA Bombs, Here’s What We Know

April 22, 2024

One of the outstanding benefits of owning an iPhone is the peace of mind that comes with unparalleled mobile security, a statement backed up by industry experts. But in recent times, iPhone users have found themselves the targets of threat actors who have, ironically, warped security features in efforts to hack devices. Multifactor Authentication (MFA) is a feature that ensures would-be threat actors cannot access accounts without having the physical device linked to an account. The multiple factors are usually login details, some form of account-linked action such as an OTP sent to the registered mobile number or in-app verification, and then a device-linked authenticator like FaceID, a fingerprint, or a device passcode. In a new wave of attacks, iPhone users are being bombarded with push notifications asking them to reset their passwords. It’s a crude mechanism, mainly relying on fatigue and irritation. 

Let’s take a look at MFA Bombing and what you can do if you’re ever the target of a similar hacking technique.

What Is Going On?

First reported by the security website Krebs on Security, several Apple customers have come forward with similar accounts of how their phone’s security features had been turned against them. In what appears to be a relatively sophisticated, coordinated effort, threat actors have weaponized a bug in the password reset feature. Once hacked, targeted users will receive multiple device notifications prompting them to choose between the options “Allow” or “Don’t Allow”. While these prompts are streaming in, the device cannot be used. 

This onslaught of prompts is referred to as MFA Bombs. One of the reasons this is considered a high-level attack is because the prompts are legitimate notification alerts generated by attempts to gain access to an associated iCloud account. 

According to the report compiled by Krebs on Security, this threat campaign seemingly targeted users who fit a specific profile; business and tech executives. Multiple victims came forward, detailing their experiences, which followed similar patterns. They were bombarded with MFA notifications to the point where their devices were unusable, and when none of them caved and followed the “Allow” prompts, they received a call from “Apple Support”. The hackers are able to make calls that seem to originate from Apple’s actual customer support number, lending further legitimacy to the con.

What the Krebs on Security report hasn’t been able to uncover is the end goal of the scammers. Senior business and tech leaders are usually extra careful to avoid the trappings of threat actors. While many were frustrated by the hundreds of prompts they had to clear, none fell prey to their irritation, and many became more suspicious once the Apple Support call came through. 

Hackers, who use brute force methods like MFA bombs, rely on people’s gullibility in thinking that following the “Allow” prompt would disable the notifications. If that doesn’t work, they use the vishing (voice-phishing) call to lull users into a false sense of security. Had they been successful in this, they would send the user a password reset code which would allow them to commandeer your iCloud account and change your password, locking you out. 

Phishing Attacks are Increasing 

Cyber and mobile security is only increasing as the years go by. We rely on our laptops and mobile devices for just about everything, so it stands to reason that threat actors have much to gain by accessing sensitive account information. According to MSSP Alert, a research and analysis channel for managed security service providers, mobile phishing attacks are higher than ever. 

With more people relying on their mobile devices for work, it’s an easy alternative to hacking into secure businesses, which usually have robust security services. They recorded an outstanding 50% of people were exposed to mobile hackers in 2022 across hard and software manufacturers; in short, hackers don’t discriminate. 

When looking back at the profiles of iPhone users targeted in the MFA bombs, they were all business and tech executives, which suggests that their accounts were valuable to hackers in terms of the organizations they represent. While the full extent of the MFA bombing campaign remains unknown, sources informed Krebs on Security that notifications weren’t exclusive to iPhones, as some had them pop up on Apple Watches and Macs. To add to the frustration, targeted users are currently at the mercy of hackers, as there isn’t a viable solution to end this. 

MFA Fatigue — A Crude Problem 

MFA fatigue is a crude but, unfortunately, effective hacking technique. It also is a strong indication that at least some of your data have already been compromised, and while this particular campaign exploits weaknesses in Apple’s password reset features, it also proves that MFA is still an important security mechanism. 

The stolen credentials are typically sourced by either hacking accounts, buying credential information from other hackers, credential stuffing, or any additional means in the vast arsenal of threat actors. Because security has evolved and most accounts require multifactor authentication, hackers have evolved too. 

MFA fatigue occurs when threat actors bombard mobile users with continuous push notifications to get them to accept a request. Usually, users will succumb to the hackers by acquiescing to the requests, either in hopes of stopping the attacks or because they believe the notifications come from a legitimate source. Hackers use automation to launch hundreds of attempts at breaking into accounts, which generates hundreds of notifications in a short period of time. With AI, creating realistic prompts and scripts is easy, asking people if they’d like to “Approve sign in?” 

With the option to either Approve or Deny, users on the receiving end can easily become frustrated or accidentally approve a request. If this doesn’t work, this is where vishing comes into play, where scammers call a recipient and pretend to be customer support from the company. 

What Can You Do If This Happens To You?

Apple users, and certainly all mobile users, are encouraged to stay vigilant. A telltale sign of MFA bombing attacks is an onslaught of notifications, particularly when you haven’t tried to log in to any apps or accounts. While users may be tempted to simply “make it stop” by selecting the Allow/Approve option, they are cautioned not to. 

The second stage of these attacks is a fake call from the attackers. Keep in mind that they might disguise the call by using the real customer support number, but again, users are cautioned not to answer. Apple users, particularly, should keep in mind that Apple never initiates customer calls and are urged not to be duped into a false sense of security if they recognize the support number (1-800-275-2273). 

Conclusion

While Apple users may have the comfort of knowing their devices are considered the safest in the world, that doesn’t mean users can be lax about security. Constant vigilance is imperative to avoid falling prey to threat actors as they evolve and develop more sophisticated scams to lure unsuspecting mobile users. 

MFA bombing relies on frustration, impatience, and irritation; all valid emotions you experience when you need to use your phone and are instead forced to clear hundreds of prompts pouring in. The added advantage for a hacker is that not only are these a source of frustration, but the average hacker might choose to follow the prompt because it is a genuine notification from Apple itself. 

It’s also important to remember the golden rule of Apple Support: they don’t initiate outbound calls (unless you requested it). Being able to disguise their number as the genuine customer support line is indicative of a high-level scam; giving these people any form of access to your iCloud account could leave a disaster in its wake. 

Subscribe to our weekly news digest.

Join now and become a part of our fast-growing community.

Invalid Email Address
Thanks for Subscribing!
We'll be sending you our best soon!
Something went wrong, please try again later