You know that feeling when you’re busy and trying to focus on something and then BAM! You get a barrage of phone calls or emails, and it seems everyone is pulling you in one direction or the other. At some point, you just take action to get it all to stop so you can go back to your task. Attackers know this about us and there is an ongoing strategy that counts on you clicking a message away so you can continue. In this case, they claim you need to reset your Apple ID password and send a barrage of texts hoping you’ll just “allow” them to proceed in scamming you.
KrebsOnSecurity investigated claims that several Apple users were being “MFA bombed” with texts until they allowed the attacker to send an MFA reset code. To the attackers’ credit, there was a “Don’t Allow” button as well, but with this and so many other attacks, they count on you being in far too much of a rush to scroll down and find it. In fact, even if you do take the time, it won’t stop the bombing; you may simply get a “courtesy call” from the scam artist instead.
MFA bombing happens when you are inundated with messages carrying MFA codes or prompts. There are so many popups that you are worn down and click them away just to get back to using your phone. In this case, the attackers take it a step further. If you never click “Allow,” they will actually call you (spoofing Apple’s phone number) and try to convince you that they are Apple Support trying to help. As in a common Facebook Messenger attack, they will ask for the code you received after clicking the Allow button. If you give it to them, they can reset your password and take over your phone number and Apple account. Considering all of the information attached to your Apple ID, that is definitely not a positive thing.
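The one property that distinguishes this attack from legitimate use is volume over time: a real password reset produces one prompt, a bombing run produces dozens within minutes. The following is an added example, not code from the article or from Apple, showing how a defender could flag that pattern in authentication logs. The log format, the account names, and the threshold of five prompts within five minutes are all constructed assumptions for the demonstration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (not from the article). Each line: timestamp, account, event.
# alice receives six reset prompts in about 40 seconds (a bombing pattern);
# bob receives two prompts more than an hour apart (normal use).
SAMPLE_LOG = """\
2024-03-26T14:02:11Z alice@example.com password_reset_prompt
2024-03-26T14:02:19Z alice@example.com password_reset_prompt
2024-03-26T14:02:27Z alice@example.com password_reset_prompt
2024-03-26T14:02:34Z alice@example.com password_reset_prompt
2024-03-26T14:02:41Z alice@example.com password_reset_prompt
2024-03-26T14:02:50Z alice@example.com password_reset_prompt
2024-03-26T14:03:00Z alice@example.com login_success
2024-03-26T14:10:05Z bob@example.com password_reset_prompt
2024-03-26T15:30:12Z bob@example.com password_reset_prompt
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, account, event) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, event))
    events.sort(key=lambda e: e[0])
    return events


def detect_mfa_bombing(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window burst detector.

    Keeps, per account, the timestamps of reset prompts seen within the last
    `window`. When that count reaches `threshold`, the account is flagged and
    the timestamp of the triggering prompt is recorded (first alert only).
    Returns a dict: account -> timestamp of first detection.
    """
    recent = {}   # account -> deque of prompt timestamps inside the window
    alerts = {}
    for ts, account, event in events:
        if event != "password_reset_prompt":
            continue
        q = recent.setdefault(account, deque())
        q.append(ts)
        # Drop prompts that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and account not in alerts:
            alerts[account] = ts
    return alerts


def prompt_counts(events):
    """Total reset prompts per account, useful as a sanity check next to the alerts."""
    counts = {}
    for _, account, event in events:
        if event == "password_reset_prompt":
            counts[account] = counts.get(account, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for account, when in detect_mfa_bombing(evs).items():
        print(f"ALERT: {account} hit the reset-prompt burst threshold at {when.isoformat()}")
    print("prompt totals:", prompt_counts(evs))
```

The threshold and window are tunable; the point is that a burst of reset prompts against a single account is a strong signal in its own right, independent of whether any individual prompt was approved. On the receiving end, the same reasoning applies to a user: one unexpected prompt is odd, a stream of them is an attack.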
If in doubt, the correct action is to hang up and call Apple Support directly. When a user tried to do just that, Apple was not able to say who might be calling, if anyone. However, Apple stressed that they will NOT call you unless you specifically request that they do so.
According to some researchers, this attack takes advantage of a flaw in Apple’s security. Unfortunately, there is nothing we can do to prevent this attack. Apple claims that enabling a recovery key in your settings will prevent anyone from sending a barrage of notifications. However, when KrebsOnSecurity tested this, that did not turn out to be the case.
Just remember: if you are inundated with texts about anything, consider them very suspicious. Legitimate password reset MFA codes are not sent in a spam-like fashion, so if it happens, someone is probably phishing you.
While it might seem obvious, when we get unexpected notifications like that, it’s natural to panic a little and just click something. Instead, stop and take a second. Think back: if you didn’t ask to reset your password for your Apple ID, or for any other account, it might be an attacker trying to wear you down. Then log into your account directly using a link you already know and find out whether there really is a problem. Most of the time, your instincts are correct.