Do you know about “MFA bombing”, this new vector of cyberattack targeting (among others) iPhone owners?


Corentin Béchade

March 27, 2024 at 9:47 a.m.


The goal of this attack? Pushing you to reset your Apple password © Primakov / Shutterstock.

“MFA bombing”, or multi-factor authentication bombing in plain language, has been gaining popularity recently. This simple hacking method makes it possible to compromise an Apple account. Explanations.

Drowning an Internet user in notifications in the hope of stealing personal information. This is essentially how a new attack vector called “MFA bombing” works. In the United States, it seems that a major Apple account hacking campaign is based on this new method of data theft.

A kind of notification fatigue

The principle is simple: a malicious hacker who already has your password, thanks to some data leak, will try to log in to your account many times. The system, not recognizing the IP address or the machine from which the login attempt comes, sends a notification to the legitimate user’s phone asking them to approve or refuse the login. If the owner correctly taps “Refuse”, an automated script resends the request, again, and again, and again, until the victim, tired of seeing their phone rendered unusable under the weight of notifications, finally taps “Accept”.

This is exactly what happened to Parth Patel, an American engineer who shared his story on the blog KrebsOnSecurity. His iPhone, iPad and Apple Watch started blinking incessantly with notifications asking to reset his Apple account password. But in this case, as with other victims who also testified, the scam went a step further.


Even after carefully refusing hundreds of requests, Parth Patel received a phone call that appeared to come from Apple’s customer support. On the other end of the line, a voice informed him that his account was currently the subject of a cyberattack and that he needed to share an access code to verify his identity and stop the deluge of notifications.

The goal is in fact to exploit the Apple mechanism that allows a password to be reset using a one-time code sent by SMS. If the code is shared with the fake Apple employee, then bingo, the account is permanently compromised.

A denial of service attack

The problem lies in the fact that, at Apple, a password reset attempt can be initiated simply by providing the victim’s email address and telephone number, data easily found in leaked databases sold illegally on the Web. But above all, it is possible to send hundreds of login confirmation requests before the user has even responded to the first, which makes it possible to drown a phone under what amounts to a denial of service attack.
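The two paragraphs above (the repeated login prompts, and the absence of any limit on how many reset requests can be queued before the first is answered) describe a missing server-side control. The following is an added example, not code from this article, from Apple or from KrebsOnSecurity, showing the two defences a service can apply and a simple detection that a security team can run over authentication logs. The thresholds, the log format and the account names are constructed for the example.

```python
"""MFA push-fatigue defence and detection (illustrative, not Apple's implementation).

Two server-side controls the article's description implies are missing:
1. Pending gate: never issue a new push prompt while an earlier one is unanswered.
2. Rate limit: cap the number of prompts per account in a time window.
Plus a log scan that flags accounts with many denied prompts in a short window,
which is the signature a SOC would look for.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed policy values (not from the article): a prompt stays open 120 s,
# at most 3 prompts per account per 10 minutes.
PENDING_TTL = 120
MAX_PROMPTS = 3
WINDOW = 600


@dataclass
class PushGate:
    """Decides whether a login attempt may trigger a push notification."""
    pending: dict = field(default_factory=dict)            # account -> expiry time
    history: dict = field(default_factory=lambda: defaultdict(deque))  # account -> prompt times

    def request_prompt(self, account: str, now: float) -> str:
        """Return 'send', 'pending' (one already open) or 'rate_limited'."""
        expiry = self.pending.get(account)
        if expiry is not None and now < expiry:
            return "pending"  # the user has not answered the previous prompt yet
        sent = self.history[account]
        while sent and now - sent[0] >= WINDOW:   # drop prompts outside the window
            sent.popleft()
        if len(sent) >= MAX_PROMPTS:
            return "rate_limited"  # excess attempts should be logged, not prompted
        sent.append(now)
        self.pending[account] = now + PENDING_TTL
        return "send"

    def resolve(self, account: str) -> None:
        """Called when the user approves or denies the open prompt."""
        self.pending.pop(account, None)


# Constructed authentication log: "<epoch> <account> <event>".
SAMPLE_LOG = """1000 alice push_sent
1002 alice push_denied
1005 alice push_sent
1006 alice push_denied
1010 alice push_sent
1011 alice push_denied
1015 alice push_sent
1016 alice push_denied
1020 alice push_sent
1021 alice push_denied
1030 bob push_sent
1035 bob push_denied"""


def find_fatigue_targets(lines, threshold: int = 5, window: int = 300) -> dict:
    """Return {account: timestamp} for accounts that denied >= threshold prompts
    within `window` seconds; the timestamp is when the threshold was first crossed."""
    denials = defaultdict(deque)
    flagged = {}
    for line in lines:
        ts_str, account, event = line.split()
        ts = int(ts_str)
        if event != "push_denied":
            continue
        q = denials[account]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and account not in flagged:
            flagged[account] = ts
    return flagged


if __name__ == "__main__":
    gate = PushGate()
    print(gate.request_prompt("alice", 0))    # send
    print(gate.request_prompt("alice", 10))   # pending: first prompt still open
    print(find_fatigue_targets(SAMPLE_LOG.splitlines()))  # alice flagged at 1021
```

The pending gate alone removes the "hundreds of prompts before the first is answered" condition; the rate limit covers the case where the victim answers each one. The detector is deliberately keyed on denials rather than approvals: a user who keeps refusing is exactly the one being worn down, and that is the moment to lock the flow and contact the account holder through a verified channel.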

So be careful if you receive suspicious login prompts on your iPhone, and never agree to give codes over the phone to so-called Apple support employees. They will never call you directly, unless you specifically requested it.


Source : KrebsOnSecurity
