Beware of Attacks Using Password Reset Request Notifications
At his KrebsOnSecurity site, security journalist Brian Krebs writes:
Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code.
Although all three people covered in the article were sufficiently persistent and savvy to fight off the attacks, it’s easy to imagine someone giving up and approving one of the prompts. Don’t do that, even though it’s unclear how the attackers would retrieve the new password. Also, remember that no company’s tech support representatives will ever call you unless you’ve called them first and requested a callback.
It seems likely that the attackers are exploiting a bug in the online Apple ID password reset process. At a minimum, Apple will have to rate-limit the requests for a password change.
After reading a few followup articles, it appears that receiving a phone call from a scammer pretending to be Apple is part of the scam. After you’ve been convinced that you’re under attack (by the barrage of password reset requests), you then get a call from someone who claims they can solve the problem by activating some super new security feature. But you can’t turn it on yourself - only they can do it and they require your login credentials.
Needless to say, if you do what they say, then you really are doomed.
[EDIT: Thank you Adam for merging this as I missed his original post on the subject. Made edits to avoid some duplicate info.]
I do not know if Apple has issued any fixes for this. I would have presumed they would have thought to set a limit on how frequent “Reset Password” requests can be sent and, if overused, lock out that feature for a designated period. This appears to not be the case.
[…] The trick is if the user accidentally presses the wrong spot, it can allow the attacker to reset the AppleID password and lock out the owner. Additionally, even if the Notifications are denied, some people have received fake calls from “Apple Support” at 1-800-275-2273 but it is in fact NOT Apple calling.
There’s already a TidBITS brief on this attack.
Apologies for the duplicate (didn’t find that in my search). It is worth emphasizing the faked Apple Support calls, however.
Yes. That’s the key to the scam.
Sending password-reset requests alone wouldn’t work. Even if you agreed to them, the attacker would then need access to your e-mail account to complete the reset operation. And if they have that, there are other easier and more lucrative ways to steal your identity.
Or even better for criminals, control of your mobile phone number through SIM-swapping.
For those of you who followed Adam’s link to the Krebs article, be aware it was updated March 27 (5pm ET) to add a “What Can You Do?” section (at end) and some comments about the Watch scenario.
Of specific note is the Watch screen size may require scrolling DOWN to use the “Don’t Allow” option. Additionally, Krebs tested the Apple Recovery Key suggested by Apple Support, but found it “does nothing to stop a password reset prompt from being sent to associated Apple devices.”
Looking at the Watch screenshot reminds me of a common concern I have with touch screen UI design: Critical options squeezed tightly together that may cause unintended activation of features. I would argue that for something so crucial, a 2nd confirmation screen should be required that includes a rephrasing of the action you are about to take.
A tiny bit of inconvenience for something most users rarely need to do is a small price to pay for a little more security.