Summary
- Beware of MFA Bombing attacks targeting Apple users, where repeated login notifications can lead to unwittingly sharing personal data.
- Attackers may impersonate Apple support, urging victims to divulge passwords. Stay cautious of any unsolicited calls or requests for sensitive information.
- Apple's authentication system lacks rate limits for MFA requests, leaving users vulnerable. Stay vigilant and avoid approving suspicious notifications.
Yesterday, we learned about the ZenHammer flaw in AMD hardware, which can lead to memory alterations. While this weakness can be difficult to exploit for the average attacker, malicious attempts to breach security don't always need to be highly technical. Such is the case with the latest "MFA Bombing" attacks that are currently targeting Apple customers.
What is MFA Bombing, and how are Apple users being targeted?
According to Krebs On Security, many Apple customers globally have been flooded with system-level notifications on their devices, prompting them to reset their Apple ID password. Until you allow or disallow each of these requests manually, it is not possible to use your device. This technique is called multi-factor authentication (MFA) Bombing: the victim is sent credential-reset or login notifications over and over until they approve one, either by accident or out of fatigue, simply so they can use their device again.
However, this attack is slightly more sophisticated than a typical MFA Bombing attack. If the victim keeps disapproving password reset requests, the attacker calls the victim and attempts to get the latter's password. Interestingly, they spoof Apple's actual support line and also share details about the victim's personal data in an attempt to convince the victim that they are legitimate.
How is this attack being carried out, and how do I protect myself?
Krebs on Security has noted that sending password reset attempts to someone is as simple as visiting Apple's password reset website, entering an email ID, and solving a CAPTCHA. Similarly, the outlet speculates that data about certain victims can be procured from websites like PeopleDataLabs. That said, the true method of the cyberattack is still unknown, as are its scale and the identity of the perpetrator(s). Some security researchers have emphasized that this attack also highlights the flaws in Apple's authentication system, which apparently has no rate limits for MFA requests.
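The two defensive controls that the missing rate limit points to are straightforward to sketch: a per-account throttle on reset prompts, and a detector that flags accounts receiving a burst of prompts in a short window. The following is an added example written for this article, not Apple's code or anything from Krebs on Security; the log format, account names, thresholds and timestamps are all constructed for illustration.

```python
"""Per-account throttle and burst detector for password-reset / MFA prompts.

Added illustrative example (editor's own code, not Apple's or Krebs's).
All names, thresholds and the log lines below are assumptions/constructed."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ResetThrottle:
    """Sliding-window limiter: at most `limit` prompts per account per `window_s`."""
    limit: int = 3
    window_s: float = 3600.0
    _events: dict = field(default_factory=lambda: defaultdict(deque))

    def allow(self, account: str, now: float) -> bool:
        q = self._events[account]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False          # would exceed the budget: refuse to send a prompt
        q.append(now)
        return True


# Constructed log lines in an assumed "key=value" format (not a real Apple log).
SAMPLE_LOG = [
    "2024-03-27T14:00:01Z account=alice@example.com event=password_reset_prompt result=denied",
    "2024-03-27T14:00:40Z account=alice@example.com event=password_reset_prompt result=denied",
    "2024-03-27T14:01:15Z account=bob@example.com event=login result=ok",
    "2024-03-27T14:01:52Z account=alice@example.com event=password_reset_prompt result=denied",
    "2024-03-27T14:02:30Z account=alice@example.com event=password_reset_prompt result=denied",
    "2024-03-27T14:03:05Z account=alice@example.com event=password_reset_prompt result=denied",
    "2024-03-27T14:03:41Z account=alice@example.com event=password_reset_prompt result=approved",
    "2024-03-27T15:10:00Z account=bob@example.com event=password_reset_prompt result=denied",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<acct>\S+) event=(?P<ev>\S+) result=(?P<res>\S+)$"
)


def _parse_ts(s: str) -> float:
    """ISO-8601 UTC timestamp ('...Z') to epoch seconds."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def _prompts(lines):
    """Yield (account, epoch_seconds) for each reset-prompt event, in input order."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["ev"] == "password_reset_prompt":
            yield m["acct"], _parse_ts(m["ts"])


def detect_push_bursts(lines, threshold: int = 5, window_s: float = 600.0) -> dict:
    """Return {account: max prompts in any window_s interval} for accounts that
    reach `threshold`; this is the MFA-bombing signature a SOC would alert on."""
    per_acct = defaultdict(list)
    for acct, t in _prompts(lines):
        per_acct[acct].append(t)
    flagged = {}
    for acct, stamps in per_acct.items():
        stamps.sort()
        best, left = 0, 0
        for right, t in enumerate(stamps):      # two-pointer sliding window
            while t - stamps[left] > window_s:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            flagged[acct] = best
    return flagged


def replay_throttle(lines, limit: int = 3, window_s: float = 3600.0) -> dict:
    """Replay the log through ResetThrottle; return {account: (allowed, blocked)}."""
    throttle = ResetThrottle(limit=limit, window_s=window_s)
    counts = defaultdict(lambda: [0, 0])
    for acct, t in _prompts(lines):
        counts[acct][0 if throttle.allow(acct, t) else 1] += 1
    return {acct: tuple(v) for acct, v in counts.items()}


if __name__ == "__main__":
    print("burst alerts:", detect_push_bursts(SAMPLE_LOG))
    print("with throttle:", replay_throttle(SAMPLE_LOG))
```

With the constructed log, the detector flags alice (six prompts in under four minutes) and ignores bob, while the throttle would have let only the first three of alice's prompts through and silently dropped the rest; the burst detector still fires on the attempts, which is the signal worth surfacing to the account owner.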
Until Apple confirms and resolves the issue on its end, it is important for its customers to remain highly vigilant while handling MFA notifications. It is also important to remember that the Cupertino firm doesn't place outbound calls to customers unless one has been explicitly requested, so be wary of sharing your sensitive information with untrusted sources.
