
Kevin Purdy
Human weaknesses make people easy targets for phishing attacks. Forcing a person to repeatedly tap “Don’t Allow” on an unskippable phone prompt is an angle some iCloud attackers have taken, apparently with some success.
Brian Krebs of Krebs on Security detailed the attack in a recent post, noting that “MFA fatigue attacks” are a known attack strategy. The attack bombards a potential victim’s device with repeated multi-factor authentication requests, typically presented as a “yes”/“no” choice, often with the two buttons displayed very close together on the device’s screen. Apple’s devices are just the latest rich target for this technique.
Both the Kremlin-backed advanced persistent threat group Fancy Bear and a ragtag group of teenagers known as Lapsus$ are known to have successfully used this technique, also called MFA prompt bombing.
If a device owner is irritated by the sudden sounds or the flood of notifications (which effectively block access to other phone features), or has simply been trained by other apps to tap “Yes”/“Allow” on most prompts, a single tap on “Allow” could give the attacker the access they need. Or the owner may have to dismiss so many prompts that a thumb or finger simply lands on the wrong pixel, accidentally letting the attacker in.
Parth Patel, founder of an AI startup, detailed the attack on himself on March 22 in a thread on X (formerly Twitter). Patel said his Apple phone, watch, and laptop all received “over 100 notifications” asking him to use those devices to reset his Apple password. Because of the nature of the prompt, it cannot be ignored: until an action is taken, it simply locks up the device.

After dismissing the prompts, Patel received a call that appeared to come from Apple’s official support line. Patel asked the caller to verify information about him, and the caller was able to produce his date of birth, email, current address, and previous addresses. However, Patel had previously looked himself up on a people-search site and recognized that the caller was using one of the names frequently linked to him in those reports. The caller also requested his Apple ID code, which was sent via SMS, the kind of code whose message explicitly says “Do not share with anyone.”
Another target told Krebs that after receiving the reset notifications for several days, he also got a call purporting to be from Apple Support. After taking the appropriate action (hanging up and calling Apple back himself), he unsurprisingly found that Apple had no record of any support case. The target told Krebs that he went to an Apple Store, traded in his iPhone for a new one, and started a new iCloud account, but was still hit with password-reset prompts.
This isn’t the first time Apple has faced a rate-limiting problem
It’s clear from these stories, and from another detailed on Krebs’ site, that Apple’s password-reset scheme needs rate limiting or some other form of access control. It’s also worth noting that FIDO-compliant MFA is immune to such attacks.
Sending a notification takes only a phone number, an email address (Apple fills in the first characters on either side of the “@”), and a short CAPTCHA. Having tried to open other apps when I triggered the reset prompt myself, it’s safe to say you can’t do much on the iPhone while the prompt is displayed. I was able to push three prompts in a few minutes, but at some point the prompts were blocked and I was told there was an error. Even after I switched to another browser, it continued to send the prompts without issue.
As one of Krebs’ sources pointed out, and Ars confirmed, when you receive the prompt on an Apple Watch (or at least on some sizes of Apple Watch), only the “Allow” button and a hint of a button below it are visible; you have to scroll down to tap “Don’t Allow.”
Ars has reached out to Apple for comment on this issue and will update this post with any new information. Apple has a support article about phishing messages and fake support calls that states that if you receive an unsolicited or suspicious phone call claiming to be from Apple, you should “hang up immediately” and report it to the FTC or local law enforcement.
Apple has previously dealt with a denial-of-service-like attack on AirDrop. Kishan Bagaria of texts.com detailed how Apple’s cross-device sharing system could be overwhelmed with AirDrop share requests. Apple later fixed the bug in iOS 13.3, crediting Bagaria for the discovery. Since then, if your Apple device rejects an AirDrop request three times, further such requests are automatically blocked.
Key advice from security vendor BeyondTrust for preventing MFA fatigue attacks includes limiting the number of authentication attempts within a time frame, locking access after failed attempts, adding geolocation or biometric requirements, increasing the number of access factors, and flagging large numbers of attempts.
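As an added illustration of the BeyondTrust advice above (example code written for this post, not Apple’s or BeyondTrust’s), here is a per-account sliding-window limiter that caps password-reset push prompts and locks the prompt channel after a burst, plus a detector that flags prompt storms in constructed log lines; the thresholds, window sizes, and log format are assumptions.

```python
# Added example (not Apple's or BeyondTrust's code): a per-account sliding-window
# limiter for password-reset push prompts, plus a burst detector over sample logs.
# Threshold, window and lockout values are assumed for illustration.
from collections import defaultdict, deque

class ResetPromptLimiter:
    """Allow at most `max_prompts` prompts per account per `window` seconds;
    after that, suppress prompts and hold the account in a cooldown (lockout)."""

    def __init__(self, max_prompts=3, window=600, lockout=3600):
        self.max_prompts, self.window, self.lockout = max_prompts, window, lockout
        self.history = defaultdict(deque)   # account -> timestamps of delivered prompts
        self.locked_until = {}              # account -> time when the lockout ends

    def request(self, account, now):
        """Return (decision, reason). Only 'deliver' actually pushes a prompt."""
        if self.locked_until.get(account, 0) > now:
            return "deny", "locked"
        q = self.history[account]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_prompts:
            self.locked_until[account] = now + self.lockout
            return "deny", "rate_limited"        # this burst is worth alerting on
        q.append(now)
        return "deliver", "ok"

def find_prompt_storms(log_lines, threshold=10, window=600):
    """Flag accounts that received `threshold` reset prompts within `window` seconds.
    Constructed log format: '<epoch> reset_prompt <account> <src_ip>', ordered per account."""
    seen = defaultdict(deque)
    flagged = set()
    for line in log_lines:
        ts, event, account, _src = line.split()
        if event != "reset_prompt":
            continue
        ts = int(ts)
        q = seen[account]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(account)
    return flagged

# Constructed sample: one account hit with a burst, another with normal use.
SAMPLE_LOG = [f"{1711100000 + i * 20} reset_prompt victim@example.com 203.0.113.7" for i in range(12)]
SAMPLE_LOG += ["1711100000 reset_prompt normal@example.com 198.51.100.4",
               "1711103600 reset_prompt normal@example.com 198.51.100.4"]
```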
This post has been updated to include Apple’s support article regarding phishing calls.
Listing image by Kevin Purdy