I’m going to make this quick because your security and privacy depend on it. But first, a word from today’s sponsor!
I’m kidding, I’m still doing this for less than free. All the money’s in video, and who has time for that?
You are likely used to trusting operating-system-level alerts on your iOS devices. Apple has long had a uniform method for preventing apps from producing official-looking alerts. However, if you receive an alert telling you to reset your password, offering “Do Not Allow” and “Allow” options, and you didn’t trigger it yourself, then for the love of all your data, choose “Do Not Allow.” If anyone calls you “from Apple” (and it will look like it’s from Apple) asking for your reset code, do not provide it.
The alerts are part of a clever new exploit in the wild. If you’re getting a stream of alerts asking you to reset your password, you’re being attacked. All the attacker really needs is your phone number and email address. The two together make their attack possible. The hack would allow another person to reset your Apple ID password, locking you out of your own iCloud data, all of your backed-up information, and everything you have through Apple. It might be one of the most dangerous threats to your device, and it’s so easy to click or tap the wrong option. So, remember:
Do. Not. Allow.
Okay, now let’s talk about this exploit a bit more and how you can protect yourself.
The Reset Password Exploit
“Reset Password”
“Use this <iPhone/iPad/Mac/etc> to reset your Apple ID password”
“Do Not Allow” | “Allow”
You may see a message like the one above, even when you’re not using your phone. It could appear on your iPhone, a Mac, your Apple Watch, any Apple device. It means you’re being targeted. Tapping “Allow” lets a hacker reset your Apple ID password. If you see the above, you must click “Do Not Allow.”
The real issue with these alerts is that they’re system-level. Not only are you more likely to trust these, you have to interact with them to dismiss them. On top of that, the messaging seems fine. Of course you want to be able to reset your password with your own device. Why wouldn’t you? However, victims of this attack fortunately had a good reason to be suspicious of the alert: they received hundreds of them.
Seriously, how are the people who make these hacks so brilliant, and the people who try to use them utterly idiotic? Obviously spammed messages are fraudulent! But they’re hoping you’ll either get fed up and choose to allow the hack, or that you’ll believe the second step of the attack: a spoofed phone call from Apple.
A Highly Targeted Attack
Just because an attack needs to be targeted doesn’t mean it can’t be widespread. Your personal data is littered across the internet. You have almost certainly been part of some data leak, not to mention the data brokers collecting and selling your data online. Your life is an open book for anyone who knows where to look. That means they could easily target you, automate the easier steps of the attack, and move to more precise phishing once they know they have you on the hook.
Krebs on Security has a report mentioning a number of people who have been targeted by this attack. One user stated that he received hundreds of reset password notifications. After that, he received a phone call from someone spoofing Apple’s support phone number. To his phone, it seemed as though the call was coming from Apple Support. The person on the other end of the line had a large amount of information on him as well, likely scraped from leaks. However, just enough was wrong for the user, Patel, to realize it was a scam. The attacker had used a people-finder website to look up personal information on their victim, but fortunately, they got his name wrong.
The hack starts by asking you to allow your device to reset your password. If you refuse the notification, they’ll call you to try to intercept a password reset code: you receive a code and hand it over to “Apple Support,” whom you believe called you about a problem. Once you give them the code, they can reset your password using your own authentication, and you’ll lose access to your Apple ID forever. Or perhaps they’ll decide to return access to you, for a price.
This hack is in the wild, and Apple has yet to address it or release an update to prevent it.
Dodging Attacks
Besides not falling for the reset password button or the phone call scams, you can change the password associated with your Apple account on your own. It’s possible they gained access to your password if you re-use it and it was released as part of another breach. If that’s the case, resetting your password on your own, not through this alert, could fix the problem. However, it seems as though the attackers are simply taking advantage of Apple’s password reset tool, so changing your account password won’t fix anything. One victim says their attackers were still able to spam password reset notifications to them after they tried a new phone, a new email address, and a new iCloud account. Apple’s anti-automation captcha appears to be an older design, and it may be possible to get around it so that a script can submit hundreds of reset requests.
If you do receive a phone call from Apple, and you are worried, tell them you’ll call them back. Hang up, and dial Apple’s real support number. If they fight you on this tactic, they’re definitely a scammer. This goes for any call you receive asking for your personal information. Whether it’s your bank, Apple, or any other company, if you didn’t call them yourself, provide no information. They’ll have a record of the first call if it was really from the company and not a scammer.
The best things you can do now are 1) Do not trust phone calls that ask for your data, and 2) Do not agree to reset your password if you did not initiate the reset. This goes for any service, from any device, not just Apple. This is a common method of bypassing two-factor authentication. Don’t fall for it.
Hopefully Apple will improve their own systems, making their captcha better, adding rate limiting for password reset requests, and not spamming users who set up security keys and cannot unlock their device through Apple anyway. In my own testing, it did seem as though Apple may have already implemented some preventative measures. When I attempted to reset my password after denying the first request, I was presented with a dialog saying I couldn’t complete the action, giving me a generic error message. After trying again, I was told my session had timed out. Apple may have started putting a fix in place. Still, if it’s only on the website, someone could find a way around it. As a result, you’ll have to be careful not to allow any of these requests and not to give any information out to anyone who calls you. Remember, when in doubt, hang up, look up the real number for the company that you supposedly received a call from, and then call that number. Do not give out information to anyone who calls you, and do not click allow on any unexpected popups.
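The rate limiting asked for above, as an added example written for this post (not Apple’s code): a sliding-window limiter that caps how many reset pushes one account can receive per hour, drops the rest server-side so the victim’s devices never see the flood, and flags the account for alerting. The log format and entries are constructed for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not Apple's): "<ISO8601 UTC> reset_push account=<id> ip=<addr>"
SAMPLE_LOG = """\
2024-03-27T10:15:00Z reset_push account=alice@example.com ip=203.0.113.5
2024-03-27T10:15:01Z reset_push account=alice@example.com ip=203.0.113.5
2024-03-27T10:15:02Z reset_push account=alice@example.com ip=203.0.113.5
2024-03-27T10:15:03Z reset_push account=alice@example.com ip=203.0.113.5
2024-03-27T10:15:04Z reset_push account=alice@example.com ip=203.0.113.5
2024-03-27T10:15:05Z reset_push account=bob@example.com ip=198.51.100.7
2024-03-27T10:45:00Z reset_push account=bob@example.com ip=198.51.100.7
"""

def parse_line(line):
    """Parse one constructed log line into (timestamp, account, ip)."""
    ts_text, _event, acct, ip = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, acct.split("=", 1)[1], ip.split("=", 1)[1]

class ResetPushLimiter:
    """Sliding window: at most `limit` reset pushes per account per `window`.
    Excess requests are dropped before any push is sent; the account is flagged."""
    def __init__(self, limit=3, window=timedelta(hours=1)):
        self.limit, self.window = limit, window
        self.sent = defaultdict(deque)   # account -> timestamps of pushes delivered
        self.flagged = set()             # accounts that hit the cap (push-bombing signal)

    def allow(self, account, ts):
        q = self.sent[account]
        while q and ts - q[0] >= self.window:   # evict pushes older than the window
            q.popleft()
        if len(q) >= self.limit:
            self.flagged.add(account)
            return False
        q.append(ts)
        return True

def replay(log_text, limit=3, window=timedelta(hours=1)):
    """Replay log lines through the limiter; return counts and flagged accounts."""
    limiter = ResetPushLimiter(limit, window)
    delivered = blocked = 0
    for line in log_text.splitlines():
        ts, account, _ip = parse_line(line)
        if limiter.allow(account, ts):
            delivered += 1
        else:
            blocked += 1
    return {"delivered": delivered, "blocked": blocked, "flagged": sorted(limiter.flagged)}
```

Replaying the sample log delivers three of alice’s five pushes in one second and drops the rest, while bob’s two requests thirty minutes apart go through untouched.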
Sources:
- Filipe Espósito, 9to5Mac
- Brian Krebs, Krebs on Security