If you own an iPhone or an iPad, you should be on the lookout for a cunning attack that targets Apple users by weaponizing the “Reset Password” notification.
On March 23, entrepreneur Parth Patel took to Twitter to share his experience of being targeted by this novel phishing attack. One night, all of Patel’s Apple devices started receiving a torrent of “Reset Password” notifications. These are system-level alerts, so he had to clear all of the 100+ notifications individually in order to use his iPhone or iPad again.
Fifteen minutes later, Patel received a phone call from someone spoofing the official Apple Support number. He answered the call and asked the callers to confirm some of his personal information to prove they were genuine. Shockingly, they were able to answer most of his questions correctly, including his date of birth, email address, phone number, and home address.
Eventually, the callers gave themselves away when they addressed Patel as “Anthony,” at which point he realized they were likely pulling data from a company called People Data Labs. Near the end of the call, they asked Patel to share a one-time password he’d received via text, even though the text from Apple states directly below the code: “Don’t share it with anyone.” Had he read it out, or hit “Allow” on any of the notifications, the attackers could have taken over his account.
Patel isn’t alone, either. A cryptocurrency hedge fund owner named Chris told KrebsOnSecurity about a similar phishing attempt he experienced in late February.
“The first alert I got I hit ‘Don’t Allow’, but then right after that I got like 30 more notifications in a row,” Chris told the site. “I figured maybe I sat on my phone weird, or was accidentally pushing some button that was causing these, and so I just denied them all.”
These notifications persisted for days until the attackers eventually called, claiming to be from Apple’s support team. He hung up, called the support number back, and was told by Apple that it doesn’t initiate outbound calls to customers unless they specifically ask.
At that point, he changed his passwords, bought a new iPhone, and created a new iCloud account with a new email address. But the notifications didn’t stop. He even received a flood of “Reset Password” alerts while sitting at an Apple Genius Bar. At this point, Chris was all but certain that the attackers were using his phone number, as everything else had been changed.
This is clearly an incredibly sophisticated phishing attack, but the fact that Apple allows an unlimited number of these notifications to be pushed to a device, with no rate limit, is troubling. Hackers and bad actors are always going to find new ways to scam us, but Apple needs to ensure it isn’t handing them useful tools for frightening customers into giving up their private data.
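To make the rate-limiting point concrete, here is an added example written for this article; it is not Apple’s code and says nothing about how Apple’s systems actually work. It shows two defender-side controls against the kind of notification flood described above: a sliding-window limiter that refuses to push more than a few reset prompts per account in a given period, and a detector that flags accounts whose authentication log shows a burst of prompts. The log format, the `reset_prompt_sent` event name, the account names and the thresholds are all assumptions chosen for illustration.

```python
"""Rate limiting and burst detection for password-reset push prompts.

Added example for this article, not Apple's implementation. The log
format, event names, account ids and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


class ResetPromptLimiter:
    """Allow at most `max_prompts` reset prompts per account inside `window`.

    Anything beyond that is dropped rather than pushed to the user's devices,
    which removes the attacker's ability to flood the screen with alerts.
    """

    def __init__(self, max_prompts=3, window=timedelta(minutes=15)):
        self.max_prompts = max_prompts
        self.window = window
        self._sent = defaultdict(deque)  # account_id -> timestamps of prompts pushed

    def request_prompt(self, account_id, now):
        """Return True if a prompt may be pushed now, False if it is rate limited."""
        q = self._sent[account_id]
        cutoff = now - self.window
        while q and q[0] < cutoff:       # forget prompts older than the window
            q.popleft()
        if len(q) >= self.max_prompts:
            return False                 # budget exhausted: do not notify the device
        q.append(now)
        return True


# Assumed log line shape: "<ISO-8601 UTC> account=<id> event=<name>"
LOG_RE = re.compile(r"^(?P<ts>\S+) account=(?P<acct>\S+) event=(?P<event>\S+)")


def parse_log(text):
    """Parse log text into (timestamp, account, event) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["acct"], m["event"]))
    return events


def detect_bursts(events, threshold=10, window=timedelta(minutes=10)):
    """Return {account: peak prompts in any `window`} for accounts at or above `threshold`."""
    per_acct = defaultdict(list)
    for ts, acct, ev in events:
        if ev == "reset_prompt_sent":
            per_acct[acct].append(ts)
    flagged = {}
    for acct, times in per_acct.items():
        times.sort()
        recent = deque()
        peak = 0
        for t in times:
            recent.append(t)
            while recent[0] < t - window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[acct] = peak
    return flagged


def replay_with_limiter(events, limiter=None):
    """Replay a log through the limiter; return {account: prompts that would have been pushed}."""
    limiter = limiter or ResetPromptLimiter()
    pushed = defaultdict(int)
    for ts, acct, ev in sorted(events):
        if ev == "reset_prompt_sent" and limiter.request_prompt(acct, ts):
            pushed[acct] += 1
    return dict(pushed)


def build_sample_log():
    """Constructed sample: 12 prompts in six minutes for user-a, 2 far-apart prompts for user-b."""
    base = datetime(2024, 3, 23, 22, 0, 0)
    lines = []
    for i in range(12):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} account=user-a event=reset_prompt_sent")
    lines.append(f"{base:%Y-%m-%dT%H:%M:%SZ} account=user-b event=reset_prompt_sent")
    later = base + timedelta(hours=3)
    lines.append(f"{later:%Y-%m-%dT%H:%M:%SZ} account=user-b event=reset_prompt_sent")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("flagged:", detect_bursts(evs))          # only user-a, peak 12
    print("pushed with limiter:", replay_with_limiter(evs))  # user-a capped at 3
```

Running it over the constructed log, the detector flags `user-a` with a peak of 12 prompts in ten minutes while `user-b` (two prompts three hours apart) stays clear, and replaying the same log through the limiter shows that only three of the twelve prompts for `user-a` would have reached the device. The limiter’s own state is in-memory for the example; a production version would key the same counters on something durable, such as a shared store, and would additionally consider the phone number or email the request arrived for, since the article notes the flood followed Chris even after he changed accounts.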