There have been recent reports of Apple devices being hit with MFA bombing attacks, followed by social engineering attempts. Read on to learn more about what this is, what it means for you, your business or your customers and how you can all stay protected.
What is MFA bombing?
MFA bombing, or Multi-Factor Authentication bombing, is a type of cyber attack in which an attacker repeatedly sends MFA requests to a victim's device in an attempt to overwhelm or annoy them. This tactic is usually employed to bypass security measures protecting an account or system.
Reports of attacks on Apple devices:
Concerningly, there have been recent reports about an MFA bombing attack on Apple devices. A user on Twitter shared a screenshot of his Apple device, which had been flooded with legitimate password reset notifications from Apple. The user then reported that they received a phone call that looked to be from Apple's official support line. The user noted that the caller asked for a lot of personal details as well as the Apple ID code sent via SMS, which clearly states ‘Do not share with anyone’.
Another target of the attack highlighted that they had been receiving the reset notifications for several days and had also received the fraudulent follow-up call.
Why has this happened, and what’s the aim of the attack?
It’s very easy for hackers to obtain email addresses and phone numbers that could enable them to trigger a password reset and conduct a fraudulent call. This data can often be compromised as part of data breaches or simply scraped from websites such as social media.
All a hacker then has to do is go to the ‘login’ and click ‘forgot password’, insert the stolen email, and spam the victim with password reset triggers. Often, hackers also have tools and automation in place to enable them to complete large volumes of these requests at once. Once the requests are sent, they can use the phone number to deploy a follow-up call, posing as an Apple worker.
The aim is to gain full access to the user's Apple account, which could, in turn, cause a multitude of problems. A hacker could gain access to social media accounts, banking accounts, and even work-related applications on the user's phone, which could lead to losses, ransoms, blackmail, reputational damage, and more.
How can individuals stay protected?
Education and awareness are at the forefront of protection from this threat, as verifying the communications as illegitimate in this instance would prevent the hacker from gaining entry.
Here are a few steps to keep in mind:
- Initial assessment: Individuals should ask questions to assess the request: ‘Does this seem legitimate? ‘Have I done anything that would trigger this alert?’, ‘Would I expect this person or business to send such a request?’
- Verification: Verify the request before sharing information. Call a business's official helpline and get the number off its main website. Call a colleague or manager to verify a request received from someone internally. Call a family member or friend if they ask you to share details. Always verify before engaging.
- Protective measures: Individuals should ensure that they have strong measures in place, including anti-virus and anti-malware software and the use of strong passwords.
- Ongoing education and monitoring: Customers should ensure that they regularly check their digital assets and data records for cyber risks. Using a tool such as Cyber Xpert can help alert users of data breaches, enabling them to update accounts accordingly.
You can find out more about how our solutions provide consumers and businesses with protection from cyber threats, empowering them to reduce their risk level with ease. Head to our product pages for more information and our solutions pages to find out how we help different clients.