Some Apple customers caught up in elaborate phishing attacks

This week, Apple customers are reporting being caught in elaborate phishing attacks, including prompting users to reset their Apple ID passwords and rendering the device unusable until the user selects “Allow” or “Don’t Allow.”

What’s more, after rejecting the password reset prompts, threat actors have started calling the victims, spoofing Apple Support in the caller ID and even the authentic Apple customer support phone number. Following are comments about the situation from Michael Covington, vice president of Portfolio Strategy at Apple security company, Jamf, who shares his guidance for users to avoid falling victim to these persistent threats: MFA bombing presents a challenge to any targeted user, as they are forced to sift through a deluge of notifications with the fear of being victimized further if just one mistake is made.

What they don’t realize, however, is that this attack is typically preceded by a successful compromise of the user’s credentials, thus allowing a hacker to initiate the sign-in process.

Once the MFA bombing sequence begins, users must be vigilant to safeguard the second factor, often a PIN code, that is required to complete the account access or password reset. In the case of the Apple users that were targeted, threat actors have been reported to spoof the authentic Apple customer support phone number to dupe the user in creating a false sense of trust.

With the uptick in MFA bombing targeting distracted mobile users, we recommend two things: 1. Always keep your software updated. Devices that are running older software are popular targets as they often contain known vulnerabilities that can be easily exploited by attackers. 2. When possible, always initiate the call to customer support yourself. If you must receive the call, utilize verification questions to confirm you are speaking with a legitimate agent of the service in question.

Just as users are asked to answer verification questions to recover forgotten passwords, anyone attempting to gain access to your account should go through a similarly rigorous process to ensure they are authorized to do so.”