Apple Devices Targeted in New MFA Fatigue Attacks Phishing Technique
ICARO Media Group
In a recent post, cybersecurity expert Brian Krebs detailed a concerning phishing attack technique known as "MFA Fatigue Attacks", which targets Apple device users. This attack strategy involves bombarding the victim's device with multiple multifactor authentication (MFA) prompts, filling the screen with yes/no options placed closely together. The goal is to exploit human weakness and prompt users to click "Allow" without thinking, granting attackers the access they need.
This attack technique, also known as MFA prompt bombing, has been successfully employed by various threat groups, including the Kremlin-backed Fancy Bear and a group called Lapsus$. This technique seeks to overwhelm the user with an influx of notifications, blocking access to other phone features and pressuring the user to make a hasty decision.
One victim, Parth Patel, a startup founder, recounted his experience with this attack. He received over 100 notifications on his Apple phone, watch, and laptop, all requesting to use his devices to reset his Apple password. The prompts couldn't be ignored or dismissed until acted upon, effectively locking up his devices. After dismissing the alerts, Patel received a spoofed call appearing to be from Apple's official support line. The caller had access to personal information such as Patel's date of birth, email, and current and former addresses. They also requested an Apple ID code sent by SMS, explicitly advising not to share it with anyone.
Another victim, who chose to remain anonymous, reported receiving reset notifications consecutively for several days, followed by a phone call purportedly from Apple support. Suspecting a scam, the individual hung up and contacted Apple, only to find that there was no record of any support issue. Even after trading in their iPhone and creating a new iCloud account, they continued to receive password prompts while at the Apple Store for a new device.
These incidents raise concerns about the effectiveness of Apple's password-reset scheme. Rate limiting or additional access control measures are clearly needed to mitigate these types of attacks. It is worth noting that MFA systems compliant with FIDO (Fast Identity Online) standards, which do not rely on push-notification approvals, are immune to such attacks.
The attack method itself is not overly complicated. Attackers only need a phone number, an email address (with Apple providing the first letters), and a short CAPTCHA to send the phishing notifications. Once the prompt appears on an iPhone, it restricts access to other apps until a decision is made. Some victims even reported accidentally clicking "Allow" due to the sheer volume of prompts or the prompts being too close together.
Interestingly, the attack also affects Apple Watch users, who are presented with just an "Allow" button and a barely visible "Don't Allow" option beneath it, requiring them to scroll down to make the safe choice.
Ars reached out to Apple for comment on the matter, and users are advised to report any suspicious phone calls from people claiming to be from Apple to the FTC or local law enforcement. Apple has previously dealt with denial-of-service-like attacks in AirDrop and has addressed them by implementing safeguards.
In order to prevent MFA fatigue attacks, security experts recommend measures such as limiting the number of authentication prompts within a time window, blocking access after failed attempts, adding geolocation or biometric requirements, requiring additional authentication factors, and flagging high-volume prompt attempts.
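As an added illustration of the rate-limiting and high-volume detection measures just listed (this is not code from the original article or from Apple's systems), the following Python script applies a per-account sliding-window cap to a constructed sample of password-reset prompt requests and separately flags accounts whose raw request rate looks like prompt bombing. The account names, IP addresses, timestamps and thresholds are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample (not real telemetry), oldest first: ISO timestamp, account, requesting IP.
SAMPLE_LOG = """\
2024-03-26T10:00:00 acct-A 203.0.113.5
2024-03-26T10:00:02 acct-A 203.0.113.5
2024-03-26T10:00:04 acct-A 203.0.113.5
2024-03-26T10:00:06 acct-A 203.0.113.5
2024-03-26T10:01:00 acct-B 198.51.100.7
2024-03-26T10:25:00 acct-A 203.0.113.5
2024-03-26T10:30:00 acct-B 198.51.100.7
"""

class ResetPromptGuard:
    """Sliding-window limiter: decides whether a reset prompt may be pushed to a device."""
    def __init__(self, max_prompts=3, window=timedelta(minutes=10)):
        self.max_prompts, self.window = max_prompts, window
        self.pushed = defaultdict(deque)    # account -> timestamps of prompts actually sent
        self.suppressed = defaultdict(int)  # account -> requests refused by the limiter

    def allow(self, account, ts):
        q = self.pushed[account]
        while q and ts - q[0] >= self.window:  # forget prompts that fell out of the window
            q.popleft()
        if len(q) >= self.max_prompts:         # cap reached: swallow the request, keep count
            self.suppressed[account] += 1
            return False
        q.append(ts)
        return True

def parse(log):
    for line in log.splitlines():
        ts, account, ip = line.split()
        yield datetime.fromisoformat(ts), account, ip

def run_guard(log):
    guard = ResetPromptGuard()
    decisions = [(acct, guard.allow(acct, ts)) for ts, acct, _ in parse(log)]
    return decisions, dict(guard.suppressed)

def flag_bombing(log, threshold=4, window=timedelta(minutes=10)):
    """Detection view: accounts whose raw request rate (sent or not) reaches the threshold."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, acct, _ in parse(log):
        q = recent[acct]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()
        peak[acct] = max(peak[acct], len(q))
    return {acct: n for acct, n in peak.items() if n >= threshold}
```

With the sample above, the limiter lets three prompts for acct-A through and suppresses the fourth, while the detector flags acct-A for four requests inside one window; the legitimate-looking acct-B traffic passes both checks.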
As Apple users become more aware of this new phishing technique, it is essential for both individuals and the company to stay vigilant against such attacks, taking necessary precautions to safeguard personal information and device security.