“MFA Fatigue” attack targets iPhone owners with endless password reset prompts
Human weaknesses are a rich target for phishing attacks. Making humans click “Don’t Allow” over and over again in a phone prompt that can’t be skipped is an angle some iCloud attackers are taking—and likely having some success.
Brian Krebs at Krebs on Security detailed the attacks in a recent post, noting that “MFA Fatigue Attacks” are a known attack strategy. By repeatedly hitting a potential victim’s device with multifactor authentication requests, the attack fills a device’s screen with prompts that typically have yes/no options, often very close together. Apple’s devices are just the latest rich target for this technique.
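The pattern described above (a burst of push prompts to one user, mostly denied, until one is accidentally approved) is something a defender can look for in identity-provider logs. The script below is an added example, not code from the article, from Krebs on Security, or from Apple. Its log line format (`<timestamp> mfa_push user=<name> result=<approved|denied|timeout>`), the sample lines, and the window and threshold values are all constructed assumptions; substitute your own provider's export format and tune the thresholds to your normal push rate.

```python
"""Detect MFA prompt-bombing ("MFA fatigue") bursts in push-MFA logs.

Added example for illustration only. The log format, field names and
thresholds are assumptions, not any vendor's real schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunable thresholds (assumptions; adjust to what is normal for your users).
WINDOW = timedelta(minutes=10)   # sliding look-back window per user
MAX_PROMPTS = 5                  # more pushes than this inside WINDOW is suspicious

# Constructed sample log: "bob" is bombed with prompts and finally taps approve.
SAMPLE_LOG = """\
2024-05-01T08:00:00 mfa_push user=alice result=approved
2024-05-01T09:15:00 mfa_push user=bob result=denied
2024-05-01T09:15:20 mfa_push user=bob result=denied
2024-05-01T09:15:45 mfa_push user=bob result=denied
2024-05-01T09:16:10 mfa_push user=bob result=timeout
2024-05-01T09:16:30 mfa_push user=bob result=denied
2024-05-01T09:17:00 mfa_push user=bob result=denied
2024-05-01T09:17:30 mfa_push user=bob result=approved
2024-05-01T10:00:00 login user=carol result=success
2024-05-01T11:00:00 mfa_push user=carol result=approved
""".splitlines()


def parse_line(line):
    """Parse one assumed-format line; return None for non-push events."""
    ts_str, event, *fields = line.split()
    if event != "mfa_push":
        return None
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts_str),
            "user": kv["user"], "result": kv["result"]}


def detect_fatigue(lines, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return one alert per user whose push count inside a sliding window
    exceeds max_prompts.  The alert records the prompt count and how many
    were denied when the threshold was crossed, and whether an approval
    arrived while the burst was still in progress (the attacker's goal)."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, result)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, ts = rec["user"], rec["ts"]
        q = recent[user]
        q.append((ts, rec["result"]))
        # Evict pushes that have fallen out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) > max_prompts and user not in alerts:
            denied = sum(1 for _, r in q if r == "denied")
            alerts[user] = {"user": user, "prompts": len(q),
                            "denied": denied, "approved_after_burst": False}
        elif user in alerts and rec["result"] == "approved" and len(q) > max_prompts:
            # An approval arriving inside an ongoing burst is the worst case:
            # the user may have tapped "Allow" just to make the prompts stop.
            alerts[user]["approved_after_burst"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_fatigue(SAMPLE_LOG):
        print(alert)
```

Running it on the constructed sample flags only `bob` (six prompts in under three minutes, five denied, then an approval inside the burst); `alice` and `carol` each receive a single normal push and are ignored. The `approved_after_burst` flag is the field worth paging on, since it marks the exact outcome the prompt-bombing is designed to produce.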
Both the Kremlin-backed Fancy Bear advanced persistent threat group and a rag-tag bunch of teenagers known as Lapsus$ have been known to use the technique, also known as MFA prompt bombing, successfully.