MFA Fatigue Attacks Targeting iCloud Users

April 15, 2024

iCloud attackers have a new phishing technique. Security professionals call it “MFA Fatigue Attacks.” According to an article in Ars Technica, the victim’s device is hit with repeated multi-factor authentication requests, filling the screen with prompts that have yes/no options.

The device operator typically becomes annoyed by the tsunami of prompts that block other features and begins robotically clicking Yes/Allow, which gives the attackers access.

Even a fastidious operator can make a mistake when dismissing so many prompts, for example by hitting the wrong pixel with a thumb or forefinger and letting the attacker in by accident. Apple devices seem to be the latest target for this technique.

One person targeted by the attack told Brian Krebs of Krebs on Security that he received reset notifications for several days, then a call purportedly from Apple support. He was careful enough to do the right thing (hang up and call Apple back) and discovered there was no record of a support issue. He then traded in his iPhone and started a new iCloud account, but still received phony password prompts, which started while he was still at the Apple Store getting his new iPhone.

In a support article about phishing messages and bogus support calls, Apple advises anyone receiving such suspicious communications to hang up and make a report to the FTC or local law enforcement.

BeyondTrust, a security firm, suggests a variety of methods for foiling MFA Fatigue Attacks: limiting the number of authentication attempts in a predetermined time window; blocking access after failed attempts; adding geolocation or biometric requirements; increasing access factors; and flagging high-volume attempts.
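Two of the controls listed above, limiting prompts in a time window and flagging high-volume attempts, can be sketched as a replay over an MFA push log. This is an added example, not code from BeyondTrust or Apple; the log format, account names, and the threshold values are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log: (timestamp, account, user response).
SAMPLE_EVENTS = (
    [(f"2024-04-15T09:0{m}:00", "alice", "denied") for m in range(7)]
    + [("2024-04-15T09:07:00", "alice", "approved"),   # mis-tap during the burst
       ("2024-04-15T08:30:00", "bob", "approved"),
       ("2024-04-15T17:45:00", "bob", "approved")]
)

def evaluate(events, window=timedelta(minutes=10), flag_at=3, max_prompts=5):
    """Replay prompt events and return per-account findings.

    window, flag_at and max_prompts are assumed policy values, not vendor defaults.
    """
    recent = defaultdict(deque)          # account -> timestamps of delivered prompts
    report = defaultdict(lambda: {"flagged": False, "suppressed": 0,
                                  "risky_approvals": []})
    for stamp, account, response in sorted(events):
        now = datetime.fromisoformat(stamp)
        seen, entry = recent[account], report[account]
        while seen and now - seen[0] > window:   # drop prompts outside the window
            seen.popleft()
        if len(seen) >= max_prompts:
            # Limit reached: the prompt is never shown, so it cannot be approved.
            entry["suppressed"] += 1
            continue
        seen.append(now)
        if len(seen) >= flag_at:
            entry["flagged"] = True              # high-volume attempts: raise an alert
            if response == "approved":
                entry["risky_approvals"].append(stamp)  # approval inside a burst
    return dict(report)

if __name__ == "__main__":
    for account, entry in evaluate(SAMPLE_EVENTS).items():
        print(account, entry)
```

With the limit in place, the accidental approval at the end of the burst is never delivered; raising max_prompts shows the same approval surfacing as a risky approval that should trigger review.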
