What is MFA bombing? Apple users were targeted using this phishing technique

Some Apple users have reported phishing attacks using the password reset feature.

You see a system prompt about your password on your iPhone. You click “Don't allow”. Then this happens again and again, one after the other. At some point, you may get angry or start to panic and click “Allow.”

Then, you get a call from an “Apple representative” to help you reset your password, but when they verify your information, you see they got your name wrong. That is exactly what happened to a man who was lucky enough to notice the ploy before it was too late.

If he hadn't realized something was wrong, his account would have been locked, while the attackers would have gained access to all his personal information. That's the goal of this new form of phishing attack called MFA bombing or push bombing.

What is MFA bombing?

MFA bombing, or push bombing, is a new phishing technique. It reflects a sophisticated development in strategy: it exploits both technical vulnerabilities and human psychology.

Attackers bombard the system with prompts, flooding the user's device until they feel “notification fatigue.” Once overwhelmed, the victim is more likely to mistakenly accept a malicious request.

What effect does this have on Apple users?

After a burst of prompts, the user receives a phone call from someone claiming to be from Apple Support. The displayed phone number can be spoofed to appear as Apple's official support number, adding a layer of perceived legitimacy to the call.

During this call, an “Apple representative” will inform the user that their account is under attack or at risk, creating a sense of urgency and fear in the user. Then, they'll make their phishing pitch. The attackers will claim that to secure the account, they need to “verify” the user's identity or account status using a one-time password, which Apple allegedly sent to the user's device.

Once reassured, the user may give the caller the one-time password. This is an important piece of authentication information that, under normal circumstances, is used to confirm the identity of the account holder during a valid password reset or account unlock process.

Once the attacker has obtained the one-time password, they can complete the password reset process. This will effectively lock out the legitimate user while attackers gain access to the user's Apple ID and linked services.

How to protect your devices

To protect against such attacks, it is important to:

  • Remember to click “Don't allow” for prompts you didn't request. If you see these coming up consistently, report them.
  • Be suspicious of unsolicited calls asking for sensitive information, even if they appear to come from a legitimate source.
  • Always verify the identity of the person you are talking to. If something seems strange, hang up and call the official support number available on the company's website.
  • Use additional verification steps, such as setting up a Recovery Key, as Apple suggests, to add additional layers of security to your account.

Ways to reduce phishing attacks

As attackers refine their strategies, the industry must continually adapt its defenses. To tame these types of attacks, tech companies need to review their system designs to limit the number of password requests.
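One way a provider could limit the number of password-reset prompts, shown as an added example that is not from the original article or from Apple's systems. The class name, thresholds and event tuples are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

class ResetPromptLimiter:
    """Hypothetical per-account limiter for password-reset push prompts."""

    def __init__(self, max_prompts=3, window_s=600, deny_limit=2, lockout_s=3600):
        self.max_prompts, self.window_s = max_prompts, window_s
        self.deny_limit, self.lockout_s = deny_limit, lockout_s
        self._sent = defaultdict(deque)    # account -> times prompts were delivered
        self._denied = defaultdict(deque)  # account -> times user chose "Don't allow"
        self._locked_until = {}            # account -> time prompts may resume

    def _trim(self, q, now):
        # Drop timestamps that have aged out of the sliding window.
        while q and now - q[0] >= self.window_s:
            q.popleft()

    def record_denial(self, account, now):
        # Repeated denials inside the window signal an unwanted flood: stop prompting.
        q = self._denied[account]
        q.append(now)
        self._trim(q, now)
        if len(q) >= self.deny_limit:
            self._locked_until[account] = now + self.lockout_s

    def allow_prompt(self, account, now):
        if now < self._locked_until.get(account, 0):
            return False                   # suppressed: account is in cooldown
        q = self._sent[account]
        self._trim(q, now)
        if len(q) >= self.max_prompts:
            return False                   # suppressed: window cap reached
        q.append(now)
        return True

def delivered_prompts(events, limiter):
    """events: (time_s, account, kind), kind is 'request' or 'deny'."""
    out = []
    for t, account, kind in events:
        if kind == "deny":
            limiter.record_denial(account, t)
        elif limiter.allow_prompt(account, t):
            out.append((t, account))
    return out

# Constructed sample: a flood against "alice", who denies the first two prompts.
SAMPLE = [(0, "alice", "request"), (2, "alice", "deny"), (5, "alice", "request"),
          (7, "alice", "deny"), (10, "alice", "request"), (15, "alice", "request"),
          (4000, "alice", "request")]
```

With the default thresholds, the second denial puts the account into a one-hour cooldown, so the rest of the flood never reaches the device and the user has nothing left to accept by mistake.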

Also, it is important to continuously share information about such threats and effective countermeasures across the industry to stay ahead of attackers. Addressing these issues as soon as they arise makes a real difference – both users and technology providers need to report them.

Embracing our security

Although specific vulnerabilities and attack methods may change, we must keep working to gain an edge. It is essential to continually improve systems, report what is happening, and implement strong security measures.

