Apple users report new 'password reset' phishing scam
Apple users around the world have recently highlighted a new phishing scam that reportedly exploits a vulnerability in Apple's 'password reset' feature. This scam aims to manipulate unsuspecting users into approving unauthorised password changes, ultimately granting control of their Apple ID accounts, according to a report by Krebs on Security, a US-based cybersecurity blog.
As per Krebs on Security and firsthand experiences from affected users, the phishing scam consists of a multi-pronged approach to deceive individuals. It begins with a bombardment of 'password reset' prompts, asking the user to use that iPhone or Apple device to reset their Apple ID password. These prompts make Apple devices such as iPhones, Apple Watches, and Mac computers virtually unusable until they are manually dismissed.
This 'password reset' phishing scam was first documented by Parth Patel, a user on X, who made a thread detailing how this attack affected him. He said that the attack began when all of his Apple devices started blowing up with notifications all of a sudden. "I had to go through and decline like 100+ notifications," said Patel in an interview with Krebs on Security. He added that the notifications looked similar to typical Apple system notifications, but he was unable to do anything else with his phone unless the notifications were resolved.
A report by MacRumors, a platform dedicated to Apple product news, states that through this potential flaw in Apple's password reset functionality, attackers are able to trigger repeated password change approval requests. In instances where victims resist the incessant prompts, attackers resort to social engineering tactics to further manipulate them.
In this particular phishing tactic, targets can also receive phone calls spoofing Apple Support's caller ID, falsely claiming that their accounts are under attack. On these calls, the attacker attempts to get the one-time password from the victim - the same code that is sent to the user's phone when attempting a password change, states the MacRumors report.
Despite multiple user reports on this scam so far, the exact method of bypassing the rate limits of the system alerts remains unclear. At the time of writing, Apple has not publicly disclosed the potential security flaw or addressed the phishing attempts reported by users.
In case you are under attack by this phishing scam, make sure to repeatedly tap 'Don't Allow' on all password change requests. Furthermore, exercise caution when receiving calls claiming to be from Apple Support.
Comments