MacTalk

April 2024


Beware of Attacks Using Password Reset Request Notifications

At his KrebsOnSecurity site, security journalist Brian Krebs writes:

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code.

Although all three people covered in the article were persistent and savvy enough to fight off the attacks, it's easy to imagine someone giving up and tapping "Allow" just to make the prompts stop. Don't do that, even though it's unclear how the attackers would retrieve the new password. And never read a one-time code to anyone who calls you: the code the caller asks you to "verify" is what the attackers are really after. Remember that no company's tech support representatives will ever call you unless you've called them first and requested a callback.

The attackers appear to be exploiting a bug in the online Apple ID password reset process, since a single web form should not be able to trigger dozens of prompts on someone's devices. At a minimum, Apple will have to rate-limit password reset requests per account, so that a burst of them is throttled on the server before any prompt reaches the user's devices.
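To make the rate-limiting point concrete, here is an added example (not Apple's code, and not from the Krebs article) of the kind of server-side limiter that would blunt this attack. It assumes a hypothetical service that sends a reset prompt to a user's devices and can consult a limiter before each send; the account names, limits and request timings below are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ResetPromptLimiter:
    """Sliding-window rate limiter for password-reset prompts, keyed by account.

    Added example: a small, in-memory limiter that a reset endpoint would
    consult *before* pushing a prompt to the user's devices. The limits are
    illustrative assumptions, not Apple's actual policy.
    """
    max_per_window: int = 3           # prompts an account may receive per window
    window_seconds: float = 3600.0    # sliding window length (one hour)
    lockout_seconds: float = 86400.0  # once the limit is hit, suppress for a day
    _history: dict = field(default_factory=dict)       # account -> deque of send times
    _locked_until: dict = field(default_factory=dict)  # account -> lockout expiry

    def allow(self, account: str, now: float) -> bool:
        """Return True if a prompt may be sent to `account` at time `now`."""
        # An account in lockout gets nothing until the lockout expires.
        if self._locked_until.get(account, 0.0) > now:
            return False

        sent = self._history.setdefault(account, deque())
        # Drop send timestamps that have aged out of the sliding window.
        while sent and now - sent[0] >= self.window_seconds:
            sent.popleft()

        if len(sent) >= self.max_per_window:
            # Exceeding the window limit is itself a signal of abuse, so the
            # account is locked out rather than merely delayed.
            self._locked_until[account] = now + self.lockout_seconds
            return False

        sent.append(now)
        return True


def simulate_requests(limiter: ResetPromptLimiter, account: str,
                      count: int, interval: float, start: float = 0.0):
    """Feed `count` reset requests spaced `interval` seconds apart.

    Returns (delivered, suppressed): how many prompts would have reached the
    user's devices versus how many the limiter swallowed.
    """
    delivered = suppressed = 0
    for i in range(count):
        if limiter.allow(account, start + i * interval):
            delivered += 1
        else:
            suppressed += 1
    return delivered, suppressed


if __name__ == "__main__":
    # Constructed scenario: an attacker hammers the reset form 30 times,
    # ten seconds apart, against one account.
    flood = ResetPromptLimiter()
    print("attack burst:", simulate_requests(flood, "victim@example.com", 30, 10.0))

    # Constructed scenario: a legitimate user retries once, an hour later.
    normal = ResetPromptLimiter()
    print("normal use:", simulate_requests(normal, "user@example.com", 2, 3600.0))
```

The important design choice is where the limiter sits: it has to run on the server before the push is sent, because once a prompt reaches the device the only defence left is the user's thumb. The lockout also means that, once an account is being hammered, the attacker gains nothing by simply waiting for the window to roll over.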
