What is Push Bombing, the attack that “bombards” the iPhone with notifications (and aims to steal the user’s account)

Some Apple users with iPhone, Mac and iPad devices have been, and continue to be, victims of a sophisticated attack known as Push Bombing. It consists of a frequent sequence of password reset notifications. iPhones are the most affected and become unusable. How does this technique work? And what should you do in case of an attack?

Well-known figures in the tech and artificial intelligence fields have recently been targeted, since their sensitive data and information can be valuable to bad actors. The attack was therefore aimed at people whose contact information was somehow available online. The first victim to document every step of the attack is the user Parth Patel, an entrepreneur active in the field of generative AI. Once the attack against him had failed, he described the methods on social media to warn other users. The attackers' aim was to steal his Apple ID through phishing, carried out this time with greater precision.

The technique studied in detail

According to what the user reported, the criminals obtained his data through OSINT (Open Source INTelligence), i.e. information collected from publicly accessible sources. Websites, social media and other resources can be a repository of information, some of it particularly sensitive, especially if you are, as in Patel's case, the founder of a digital business or active in AI.

Once the attackers had his information, all of his Apple devices showed a password reset request notification. Since these are system alerts, the device on which they appear cannot be used until they are dismissed. Tapping “Do not allow” would be enough to use the devices again, but the victim was literally bombarded with notifications (hence the name of the Push Bombing attack). According to the user who first reported the method, there were more than 100 password reset notifications.

The second part of the attack

A few minutes later, the attackers used the Caller ID spoofing technique. Put simply, they used a tool that makes a call appear to come from an official telephone number, even though the caller does not actually own it. With this software, hackers are able to mask their own phone number with an apparently trustworthy one. In Patel's case, an official Apple support phone number was used. This technique is useful for gaining the victim's trust and stealing sensitive information. The criminals had collected a lot of information about Patel: date of birth, email address, telephone number, home address and previous records. In short, it was a precise, targeted and sophisticated attack. But what information did they want from Parth?

Do not share the OTP with anyone!

Two-factor authentication sends a short-lived code that is generated anew each time. It can be delivered by email or SMS, or generated by apps like Authenticator. The companies are always very clear in these messages: the code should never be shared with anyone. Having this code grants full access to a specific account, because it allows the password, email address and all other information to be changed. As a result, you can completely lose access to your account and all the material associated with it, such as photos, documents and so on.

Obviously, the hackers who designed this sophisticated attack wanted precisely the OTP code, and they called Patel to convince him to give it to them. The push bombing asked for a password reset in over 100 notifications. Pressing “Allow”, by accident or on purpose, would have sent an OTP code to reset the password. Communicating that code to the attackers would have allowed them to steal the victim's account.

How to defend yourself from attack

As with almost every attack of this type, the underlying technique is phishing. The term comes from the English verb “to fish”, because hackers generally cast their bait widely, in the hope that someone will “take the bait”. This attack is completely different, however, because it is targeted and combines multiple techniques: phishing, social engineering and spoofing. All three try to instill confidence in the victim, convincing them that the channels are authentic. The goal is always the same: to steal accounts with valuable data inside.

In this case, an alleged flaw in Apple's security system is also exploited. By sending these notifications en masse, the attackers “paralyze” all of the user's devices: the user must deny the password reset requests every time, with the possibility of pressing «Allow» by mistake and receiving the OTP code. Communicating that code by mistake risks compromising the security of your data and being locked out of your account.
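A service-side view of the pattern described above, as an added example that is not part of the original article or of Apple's systems: it scans password reset prompt events for a flood on a single account and flags an "allow" that arrives in the middle of it. The event format, account names and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed thresholds, not from the article
BURST = 5  # prompts inside WINDOW that count as push bombing

# Constructed sample events: "<ISO time> <account> <response>"
SAMPLE = """\
2024-03-25T10:00:00 alice deny
2024-03-25T10:00:20 alice deny
2024-03-25T10:00:35 alice deny
2024-03-25T10:00:50 alice deny
2024-03-25T10:01:05 alice deny
2024-03-25T10:01:15 alice allow
2024-03-25T12:00:00 carol deny
2024-03-25T18:00:00 carol allow
"""

def parse(lines):
    """Yield (timestamp, account, response) from well-formed lines."""
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("allow", "deny"):
            continue  # skip malformed records instead of crashing
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def detect(events, window=WINDOW, burst=BURST):
    """Return alerts as (kind, account, timestamp) tuples."""
    recent = defaultdict(deque)   # account -> prompt times inside window
    bombed = set()                # accounts already alerted for a burst
    alerts = []
    for ts, account, response in sorted(events):
        q = recent[account]
        while q and ts - q[0] > window:
            q.popleft()           # forget prompts older than the window
        if not q:
            bombed.discard(account)  # burst ended, allow a new alert
        in_burst = len(q) + 1 >= burst
        if in_burst and account not in bombed:
            bombed.add(account)
            alerts.append(("push_bombing", account, ts))
        if response == "allow" and in_burst:
            # An approval in the middle of a flood is likely a mis-tap.
            alerts.append(("allow_during_burst", account, ts))
        q.append(ts)
    return alerts
```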
