iMore
Oliver Haslam

Crooks are using Apple's own iPhone password reset system to hijack accounts, here's how

How to reset your Apple ID password.

Your Apple ID is the key to your Apple identity, which is probably why that's what it's called. It's what you sign into all of your devices with and it's how you get access to your contacts, backups, photos and videos, and more. And losing access to it can be devastating. That's what makes a new wave of Apple ID scams so worrying, and there doesn't seem to be a way to prevent them from happening beyond staying vigilant and hoping that the scammers don't turn their attention to you.

The scam is a relatively simple one. According to reports, attackers bombard an iPhone owner with notification after notification by repeatedly requesting a reset of the person's Apple ID password via the Apple website. Each request triggers a prompt from Apple's servers on the user's devices asking them to allow or deny the password reset. If they press the Allow button, the attacker is able to reset the password and potentially gain access to the Apple ID.

But it turns out that pressing Do Not Allow isn't enough to stay safe, either. If the user presses that button, the second stage of the attack is initiated. And according to one person who suffered through this scenario, it's a pretty convincing one that some people may well fall foul of. Others will have accidentally pressed the Allow button before that stage is reached, but for those who got that far without slipping up, the nightmare is just beginning.

Security watch

KrebsOnSecurity reports on one attack that befell Parth Patel, an entrepreneur working to build an AI startup. According to the report, Patel received more than a hundred notifications requesting a password reset, seemingly in the hope that he would accidentally press the wrong button or just press Allow out of frustration.

“All of my devices started blowing up, my watch, laptop and phone,” Patel told KrebsOnSecurity. “It was like this system notification from Apple to approve [a reset of the account password], but I couldn’t do anything else with my phone. I had to go through and decline like 100-plus notifications.”

After declining the notifications, Patel then received a phone call from what appeared to be Apple. The attackers had spoofed the caller ID so that the call appeared to come from Apple's customer support phone number.

“I pick up the phone and I’m super suspicious,” Patel said. “So I ask them if they can verify some information about me, and after hearing some aggressive typing on his end he gives me all this information about me and it’s totally accurate.”

There was one anomaly, however. The attacker gave Patel the wrong first name, and that was enough to give the game away. But others may not be so lucky.

Those who do fall for the second half of the scam will receive a text message from Apple containing a one-time passcode, and the caller will then ask them to read it out. If they do, the attackers have all they need to reset the Apple ID's password. From there, it's game over.

Another iPhone owner who experienced the same attack hung up the call and phoned Apple back to confirm it was legitimate. It wasn't, with Apple's support team confirming that employees will never call customers out of the blue — only when they've been asked to.

That appears to be the key here, although it doesn't help deal with the initial part of the attack that fills a person's iPhone with notifications. One user even said they received the alert on their Apple Watch overnight and could have accidentally tapped the Allow button — a mistake that could have had catastrophic consequences.
