The Scary New iPhone Scam You NEED to Know About
Summary
TLDRA new phishing attack targeting Apple users is on the rise, known as multiactor bombing, which overwhelms victims with legitimate-looking Apple notifications. Scammers may also spoof Apple Support calls, tricking users into revealing security codes. To protect oneself, users should remove personal information from people search websites, consider using email aliases, and be aware that Apple Support will rarely initiate contact unless requested by the user.
Takeaways
- π¨ A new phishing attack is targeting Apple users, exploiting a bug to hijack accounts.
- π The attack, known as multiactor bombing, overwhelms users with legitimate-looking Apple authentication requests.
- π Scammers use spoofed caller IDs displaying Apple's real customer support number to trick users into revealing security codes.
- π Victims report continuous attacks even after changing devices, email addresses, and iCloud accounts.
- π Apple has acknowledged the issue and states that enabling a security key can help, but it is not a foolproof solution.
- π Security researcher Matt Johansson suggests the attackers are bypassing rate limits on Apple's 'forgot password' page.
- π οΈ Users can protect themselves by removing personal information from people search websites and using email aliases for their Apple accounts.
- π± Changing the phone number associated with an Apple ID to a VoIP number can deter scammers, though it may disable iMessage and FaceTime.
- π§ Consider using a unique email address for Apple services to avoid being affected by database leaks.
- βοΈ Apple support will rarely initiate contact unless requested by the user; any unsolicited communication should be treated with suspicion.
- π’ Sharing information about these attacks can help others, especially those who may be less informed about online security.
Q & A
What is the new phishing attack targeting Apple devices?
-The new phishing attack is called a multiactor bombing attack. It aims to overwhelm the target with numerous authentication requests, causing them to mistakenly accept one, leading to potential account hijacking.
How do the scammers initiate contact with their targets?
-Scammers use a spoofed caller ID displaying Apple's real customer support phone number, calling the target and claiming that their account is under attack. They request a one-time code for verification, which if given, allows them to reset the password and lock the victim out.
What is the significance of the legitimate Apple alerts during the attack?
-The legitimate Apple alerts are part of the attack, sent in large numbers to pressure the target into action. These alerts are system-level notifications from Apple, which the scammers exploit to create a sense of urgency and confusion.
Victims have reported being overwhelmed by the number of notifications, sometimes over a hundred, and feeling compelled to interact with them. Some have tried to secure their accounts by changing devices or contact Apple support directly.
-One victim reported that even after taking extensive measures like getting a new iPhone, changing their email, and creating a new iCloud account, the attack persisted. Another received password reset requests even after enabling a recovery key for their Apple ID.
What is Apple's official stance on outbound calls to customers?
-Apple has stated that it will never initiate outbound calls to customers unless the customer has specifically requested to be contacted. This means any incoming call claiming to be from Apple support should be treated with suspicion.
How do the attackers bypass the rate limit on the 'Forgot Apple ID password' page?
-Attackers appear to have found a way to bypass the rate limit on the 'Forgot Apple ID password' page, which normally has a captcha to prevent mass requests. They use this vulnerability to trigger the notification attack by inputting the target's email or phone number associated with an iCloud account.
What precautions can Apple users take to protect themselves from such phishing attacks?
-Users can protect themselves by removing their information from people search websites, using email aliases, changing their account's phone number to a VoIP number, and being cautious aboutζ₯ε¬ calls or responding to messages from numbers claiming to be Apple support.
Why is it recommended to use a unique email address for Apple ID?
-Using a unique email address for Apple ID reduces the risk of it being included in any database leaks, thus minimizing the chances of being targeted by phishing attacks.
How can one verify the legitimacy of an Apple support call?
-If you receive a call claiming to be from Apple support, do not engage immediately. Instead, look up the official Apple support number and call them back to verify the legitimacy of the call.
What should you do if you suspect an Apple phishing attack?
-If you suspect an attack, deny any requests for personal information or one-time codes. Do not answer or engage with the call or message, and report the incident to Apple or the relevant authorities.
Who is most at risk from this multiactor bombing phishing attack?
-Public figures, especially those involved with cryptocurrency or hedge funds, are most at risk due to their high-profile status and the potential financial gains for attackers. However, any individual with easily accessible information or compromised passwords is potentially vulnerable.
Outlines
π¨ Apple Device Security Warning π¨
This paragraph discusses a new phishing attack targeting Apple device users, exploiting a bug on Apple's end. The attack, known as multiactor bombing, overwhelms users with authentication requests, leading them to accept one under duress or to cease the notifications. Scammers use a spoofed caller ID displaying Apple Support's real number, tricking users into revealing a one-time code, which allows them to reset passwords, lock users out, and wipe devices. The paragraph shares real-life experiences of victims and emphasizes that these alerts are legitimate Apple system-level notifications, making the scam particularly deceptive.
π‘οΈ Protecting Yourself from Phishing Attacks π‘οΈ
The paragraph offers strategies for Apple users to protect themselves from phishing attacks. It advises removing personal information from people search websites to enhance privacy and prevent attackers from gathering data. It also suggests using email aliases and changing the phone number associated with the Apple ID to a VoIP number to reduce the risk of successful phishing attempts. The speaker shares personal experience recommending the use of a unique email for the Apple ID and emphasizes that Apple Support will rarely initiate contact unless requested by the user. The advice to verify the legitimacy of any supposed Apple support communication is highlighted, concluding with a call to action to share this information and sign up for the speaker's newsletter for further details.
Mindmap
Keywords
π‘phishing attack
π‘multiactor bombing attack
π‘Apple ID
π‘spoofed caller ID
π‘one-time code
π‘security researcher
π‘rate limit
π‘VoIP number
π‘email alias
π‘online security
π‘public figures
Highlights
A new phishing attack is targeting Apple users, exploiting a bug on Apple's end.
The attack, known as multiactor bombing, overwhelms the target with numerous authentication requests.
Scammers use a spoofed caller ID displaying Apple's real customer support number to trick users.
Victims are coerced into sharing a one-time code, allowing attackers to reset passwords and lock users out of their accounts.
A user reported being targeted even after changing their iPhone, email, and iCloud account.
Despite using Apple's security key for recovery, users are still vulnerable to this advanced phishing technique.
Cryptocurrency hedge fund owners are particularly at risk due to the value of their assets.
Attackers use the 'forgot Apple ID password' page to trigger the notification attack, bypassing rate limits.
The vulnerability lies in the ability to send alerts without being detected through mass request attempts.
Users are advised to remove personal information from people search websites to protect themselves.
Apple's password reset system accepts email aliases, allowing users to create unique addresses tied to one account.
Changing the account phone number to a VoIP number can offer additional protection, though with some service limitations.
Using a unique email address for Apple services can prevent inclusion in database leaks.
Apple support will rarely initiate outbound calls unless specifically requested by the customer.
Users should verify the legitimacy of calls claiming to be from Apple support by looking up the official number and calling back.
This phishing attack is particularly dangerous and evolving, affecting a broad range of potential targets.
Public figures involved in cryptocurrency are especially at risk due to the high value of their accounts.
Anyone with freely available information on people search websites or included in a database leak could be targeted.
Online security is crucial for everyone, and this phishing attack serves as a reminder to take precautions seriously.
Transcripts
this is a warning to anybody with an
Apple device because there is a new
fishing attack that is running rampant
right now that is hijacking Apple
accounts left and right and it's all
done via a bug on Apple's end so let's
discuss what this bug is how it actually
works and what you can do to protect
yourself so first off what exactly is
happening here and how is this any
different from all the previous fishing
attacks we've seen in the past that
Target Apple users so first off this
attack is known as a multiactor bombing
attack the idea is to overwhelm the
target with so many authentication
requests that they eventually accept one
mistakenly or because they want the
notifications to stop and the tricky
part about this is that when you're
under attack these alerts that you're
getting these popups that you're getting
are legitimate alerts from Apple and
like I said so far this is not new we've
seen this before however this has
evolved and we just started learning
about how this has evolved because of
this when you're under attack the
scammers are going to call you you with
a spoofed caller ID that shows Apple
support and it'll show Apple's real
customer support phone number and
they're going to say that your account
is under attack and that Apple support
needs to verify the one-time code that
you were sent and if you were to give
them this code the attackers can then
reset the password on your account and
lock you out and they can also remotely
wipe all of your Apple devices there's a
user on X who recently reported his
encounter with this attack saying this
because these are app Apple system level
alerts they prevent me from using my
phone watch or laptop until I clicked
don't allow on 100 plus notifications
and then when that fake Apple support
number called him he said that he was
obviously still on guard so he asked
them to validate a ton of personal
information and they got a lot right
including the date of birth email phone
number and current and previous
addresses in another instance an
individual reported that the push
notifications were continuing even after
he swapped his old iPhone for a new
iPhone changed his email address and
created a brand new iCloud account he
was still under attack even after going
through all that and yet another victim
received the password reset requests
even after enabling a recovery key for
their apple at the request of an Apple
support engineer and Apple has come out
and said that you know enabling this
security key is going to help you keep
your device secure but as we can see
from this new and improved fishing
attack even that is not going to stop
these people and then last Chris who is
a cryptocurrency hedge fund owner
experienced a similar fishing attack in
late February he said that the First
Alert I got I hit don't allow but then
right after that I got like 30 more
notifications in a row Chris says the
attackers persisted hitting his devices
with the reset notifications for several
days after that and at one point he
received a call on his iPhone that said
it was from Apple support but
fortunately he did the correct thing
here by hanging up and calling back
Apple supports himself and when he
called the the real Apple they couldn't
say whether or not anybody had been in a
support call with him I guess that's
their security measure but he said that
Apple States very clearly that it will
never initiate outbound calls to
customers unless the customer requests
to be contacted Okay so we've heard
multiple reports now of this happening
we know it's running rampid right now
and it's really just starting here in
2024 from what we've seen so what is
actually going on here how is this even
happening so according to Krabs on
security attackers appear to be using
the forgot Apple ID password page to Tri
trigger the notification attack and this
page requires either your Apple ID email
or the phone number associated with your
Apple ID account and when you put in an
email address the page shows the last
two digits of the phone number that's
associated with that Apple ID and when
you fill in the missing digits and hit
submit the alerts get sent but the odd
thing here is that this page has a
capture to prevent any type of mass
requests but that's what the
vulnerability seems to be here because
it looks like these people have somehow
found a way to bypass the capture rate
limit according to security researcher
Matt Johansson and previous MFA bombing
the attacker would have compromised the
user's password either via fishing or
data leak and then used it many times
until the user confirmed the MFA push
notification but in this attack all the
hacker has is the user's phone number or
email address that's associated with an
iCloud account and they're taking
advantage of the forgot password flow
prompting on the user's Trust usted
device to allow the password reset to go
through and then when they get the call
from the legitimate Apple number and the
person on the phone is saying they're
here to help they're here to you know
erase all those notifications off your
device they just need that onetime code
a lot of users are probably going to
hand that over because again they're
overwhelmed they just want it to end and
it showed a verified Apple support
number calling so this security
researcher says I'm guessing this is a
very high success rate tactic so as you
can tell this fishing attack just
continues to evolve and this is just the
latest iteration of this so now with all
that being said now that you know how it
works and now that you know you know
stories of people who this has happened
to how can you protect yourself so that
you are not a victim well the number one
thing is that these attackers appear to
be scraping people search websites for
information such as your name your
address your phone number and all of
that so the first step to protecting
yourself is to remove your information
from these websites now there's a site
I'm going to link down in the
description below that shows you how to
go in and manually opt out of all of
these different people search websites
that's something you should do just for
your own privacy Even This fishing
attack aside that's something you need
to do just for your own privacy being on
the internet in general now another
thing you can do is something that Krebs
pointed out and he says that Apple's
password reset system will also accept
email aliases so if you add a plus
character after the username portion of
your email address it will let you
create an infinite number of unique
email addresses tied to the same account
and they also suggested that you can
change the phone number associated with
your account to a VoIP number such as
one from Skype or Google Voice however
this is going to disable iMessage and
FaceTime so if you're okay with having
those disabled you know especially if
you're a public figure anything related
to crypto or anything like that where
you're a major major Target that could
be worth it and something else that I've
learned just from personal experience is
to use an email address that you do not
use anywhere else online use that as
your Apple
email address that way there's no way
it's going to be included in any type of
database leak or anything like that so
that's another one a big one that I
would recommend and then lastly just
know that Apple support will almost
never call you unless you reached out to
them and told them that you want them to
contact you if you get a phone call or a
text message or anything that claims
it's from Apple support and you did not
request that just deny it it is not
apple and if you suspect that it might
be legitimate just don't answer for the
time being and then just Google what the
Apple support phone number is and call
that number yourself so I just wanted to
get on here today and inform you of the
new multiactor bombing attack that's
going on right now for iPhone users and
really anybody with an Apple ID account
you are potentially at risk with this
now like I said like I alluded to
earlier those who are public figures
obviously are going to be the ones most
at risk especially if you're involved
with any type of crypto or hedge fund or
anything like that you always have the
biggest Target on your back but
realistically this could Target anybody
who has their information just freely
out there on people search websites or
when their passwords were included in a
database leak you just need to take your
online security seriously because this
could really impact anybody so I hope
you found this video helpful if you did
I would appreciate if you gave it a
thumbs up also be sure to share this
video around to your friends especially
those who might be a bit older and don't
really understand security and just
keeping your yourself secure online this
video could help them also make sure to
sign up to my newsletter that is linked
down in the description below I will be
doing a written format of this video in
that newsletter that goes out tomorrow
but anyways guys thanks for watching and
I'll see you soon
5.0 / 5 (0 votes)