An Apple ID spearphishing campaign utilizing “push bombing” and caller ID spoofing has targeted several tech professionals over the past few weeks, including startup founders and cybersecurity pros.
Parth Patel, a software engineer and co-founder of a stealth tech startup, first publicly detailed the campaign on Saturday in a post thread on X, stating he and other startup founders in his circle were targeted.
Patel reported that he began receiving a barrage of push notifications on all of his Apple devices beginning on Friday night, all requesting permission to reset his Apple ID password.
Because these were “system level alerts,” Patel explained, they could not be easily dismissed and required him to tap “Disallow” on every prompt in order to continue using his devices.
Patel said he received more than 100 notifications in succession, and shortly after clearing them all, he received a phone call with a spoofed caller ID impersonating Apple’s legitimate support phone line that requested him to relay a one-time password (OTP) sent to his phone.
When asked, the caller was able to recite accurate personal information about Patel, such as his date of birth and current address, but did not get Patel's first name correct. Patel later discovered that his personal information, paired with the same incorrect first name, may have been obtained from People Data Labs, a "people search" data aggregator.
A report by Krebs on Security published Tuesday recounts two additional accounts, from a cryptocurrency hedge fund owner and from a security industry veteran, who described being targeted with similar campaigns.
One target found that the notification spam persisted even after he purchased a new iPhone and opened a new iCloud account, suggesting that his phone number was all that was needed to continue the push bombing attack.
“If you haven’t already, I’d highly suggest scrubbing yourself from people data aggregators such as People Data Labs, Spokeo, Pimeyes, Social Catfish, and others,” Patel wrote in a follow-up post.
Apple spam attack could lead to iCloud takeover, remote device wiping
While there appear to be no public reports of targets falling for this Apple ID password reset scam, the potential consequences of hitting “Allow” on any of the hundreds of prompts, or relaying an OTP over the phone, are dire.
A successful attack would enable the attacker to take over the victim’s iCloud account, potentially accessing sensitive photos, notes and files, or remotely wiping devices via the “Find My” feature.
Even if the target is well aware of phishing tactics and knows not to approve unsolicited password reset or multi-factor authentication requests, there is the possibility of an accidental misclick, especially when so many prompts must be cleared by hand.
One of the targets, who received the notifications in the middle of the night on his Apple Watch, noted that the device’s small screen meant he needed to scroll the watch wheel to see the “Don’t Allow” button.
“It’s scary because everything is tied to these master accounts that people are not even aware of. Imagine losing access to your phone, photos, passwords, contacts, etc., overnight,” Kunal Agarwal, CEO and founder of cybersecurity startup dope.security, told SC Media in an email.
Agarwal also became a target of the campaign, telling SC Media that he received hundreds of notifications over the past few weeks and still continues to receive them, but finds it easy to clear them and always avoids picking up calls from unknown sources.
“It’s a relief that Apple & other companies prioritize security heavily, so I have confidence that they will sort it out. In the meantime, consumers need to be extra vigilant for these kinds of attacks. For founders that have been targeted, it’s especially high stakes because you’re responsible and in control of many other people’s lives,” Agarwal said.
One of the targets was reportedly told by a senior Apple engineer that activating the Apple Recovery Key feature would prevent password reset requests from being received, but he continued receiving notifications even after turning this option on, according to Krebs on Security.
An Apple spokesperson declined to say whether the company was investigating potential bugs or vulnerabilities related to this campaign, such as a lack of rate limits for password reset requests. In an email to SC Media, the Apple spokesperson included a link to and excerpts from Apple’s support page for recognizing and avoiding phishing and other scams.
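The lack of rate limiting mentioned above is the server-side control that would blunt a push-bombing barrage. The following Python sketch is an added illustration, not Apple's code and not anything the article describes Apple as doing: it rate-limits password reset prompts per targeted account with a sliding window and a lockout, and replays the roughly 100-prompt barrage described above against it. All class names, thresholds and timings are assumed values chosen for the example.

```python
from collections import defaultdict, deque

# Assumed policy values for illustration only (not Apple's actual limits).
MAX_PROMPTS_PER_WINDOW = 3      # reset prompts an account may receive per window
WINDOW_SECONDS = 3600           # sliding window length
LOCKOUT_SECONDS = 24 * 3600     # suppress further prompts for this long once exceeded


class ResetPromptLimiter:
    """Sliding-window limiter keyed by the *targeted* account.

    Keying by target rather than by requester IP matters here: the attacker
    controls the source of each request, while the victim's phone number or
    Apple ID is the one thing that stays constant across the whole barrage.
    """

    def __init__(self, max_prompts=MAX_PROMPTS_PER_WINDOW,
                 window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_prompts = max_prompts
        self.window = window
        self.lockout = lockout
        self._history = defaultdict(deque)  # account -> timestamps of prompts sent
        self._locked_until = {}             # account -> epoch seconds lockout ends

    def request(self, account: str, now: float) -> str:
        """Decide whether a reset prompt may be pushed to `account` at time `now`.

        Returns "sent" if the prompt should go out, "locked" if it is suppressed.
        """
        # 1. Honour an existing lockout; nothing reaches the user's devices.
        if self._locked_until.get(account, 0.0) > now:
            return "locked"

        # 2. Forget prompts that have aged out of the sliding window.
        hist = self._history[account]
        while hist and now - hist[0] >= self.window:
            hist.popleft()

        # 3. Exceeding the budget trips the lockout instead of pushing again.
        #    A real deployment would also notify the account holder once,
        #    out of band, rather than with more push notifications.
        if len(hist) >= self.max_prompts:
            self._locked_until[account] = now + self.lockout
            hist.clear()
            return "locked"

        hist.append(now)
        return "sent"


def simulate_push_bombing(limiter: ResetPromptLimiter, account: str,
                          attempts: int, start: float = 0.0,
                          interval: float = 1.0):
    """Replay `attempts` reset requests spaced `interval` seconds apart.

    Returns (sent, locked) counts so the effect of the limiter is measurable.
    """
    sent = locked = 0
    for i in range(attempts):
        if limiter.request(account, start + i * interval) == "sent":
            sent += 1
        else:
            locked += 1
    return sent, locked


if __name__ == "__main__":
    # Constructed scenario: ~100 requests one second apart, as in the article.
    print(simulate_push_bombing(ResetPromptLimiter(), "victim@example.com", 100))
```

With the assumed thresholds the victim's devices see three prompts instead of a hundred, and the remaining requests are absorbed server-side for the lockout period; the window then slides so that legitimate, occasional resets are unaffected.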
“If you get an unsolicited or suspicious phone call from someone claiming to be from Apple or Apple Support, just hang up,” one of the excerpts reads. “You can report scam phone calls to the Federal Trade Commission (U.S. only) at reportfraud.ftc.gov or to your local law enforcement agency.”
The support page also states that Apple never asks users for their password or verification codes to provide support.