MacTalk
April 2024
Beware of Attacks Using Password Reset Request Notifications
At his KrebsOnSecurity site, security journalist Brian Krebs writes:
Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code.
Although all three people covered in the article were sufficiently persistent and savvy to fight off the attacks, it’s easy to imagine someone giving up and approving one of the prompts. Don’t do that, even though it’s unclear how the attackers would retrieve the new password. Also, remember that no company’s tech support representatives will ever call you unless you’ve called them first and requested a callback.
It seems likely that the attackers are exploiting a bug in the online Apple ID password reset process. At a minimum, Apple will have to rate-limit the requests for a password change.
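The rate limiting the article calls for can be illustrated with a small sliding-window limiter keyed by account. This is an added example, not code from the MacTalk article and not Apple's actual mechanism (which is not public); the limits, account names and timestamps are constructed for the demonstration. The point it shows is that a burst of dozens of reset requests against one account gets cut off after the first few, while other accounts are unaffected, and that the refused attempts are exactly the signal a defender would want to log and alert on.

```python
"""Added example: per-account rate limiting of password reset requests.
Not Apple's code; limits and sample data are constructed for the demo."""
from collections import deque
import time


class ResetRateLimiter:
    """Sliding-window limiter: at most `max_requests` reset prompts per
    account within `window_seconds`; anything beyond that is refused
    and recorded so a SOC can alert on prompt-bombing bursts."""

    def __init__(self, max_requests=3, window_seconds=3600):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._history = {}   # account_id -> deque of accepted request times
        self.refusals = []   # (account_id, timestamp) of refused requests

    def allow(self, account_id, now=None):
        """Return True if a reset prompt may be sent for this account now."""
        now = time.time() if now is None else now
        q = self._history.setdefault(account_id, deque())
        # Discard accepted requests that have aged out of the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_requests:
            self.refusals.append((account_id, now))
            return False
        q.append(now)
        return True

    def refused_count(self, account_id):
        """How many requests for this account were refused (detection signal)."""
        return sum(1 for acct, _ in self.refusals if acct == account_id)


def simulate_burst(limiter, account_id, timestamps):
    """Feed a constructed burst of reset requests at the given timestamps.
    Returns (allowed, refused) so the effect of the limit is measurable."""
    allowed = refused = 0
    for t in timestamps:
        if limiter.allow(account_id, now=t):
            allowed += 1
        else:
            refused += 1
    return allowed, refused


if __name__ == "__main__":
    # Constructed scenario: 30 reset requests for one account in 30 seconds,
    # the pattern the article describes, then a fresh request an hour later.
    limiter = ResetRateLimiter(max_requests=3, window_seconds=3600)
    print(simulate_burst(limiter, "victim@example.invalid", range(0, 30)))
    print(limiter.allow("victim@example.invalid", now=3601))
    print("refused so far:", limiter.refused_count("victim@example.invalid"))
```

Three prompts per hour per account is an assumed policy, chosen only to make the behaviour visible; the structure (window, per-account history, and a refusal log for detection) is what matters.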