Crooks are using Apple's own iPhone password reset system to hijack accounts, here's how

How to reset your Apple ID password
(Image credit: iMore)

Your Apple ID is the key to your Apple identity, which is probably why that's what it's called. It's what you sign into all of your devices with and it's how you get access to your contacts, backups, photos and videos, and more. And losing access to it can be devastating. That's what makes a new wave of Apple ID scams so worrying, and there doesn't seem to be a way to prevent them from happening beyond staying vigilant and hoping that the scammers don't turn their attention to you.

The scam is a relatively simple one. According to reports, attackers bombard an iPhone owner with notification after notification by trying to reset the person's Apple ID password via the Apple website. That action triggers the message from Apple's servers and users are asked to allow or deny a password reset. If they press the Allow button, the attacker will be able to reset the password and potentially gain access to the Apple ID.

But it turns out that pressing Do Not Allow isn't enough to stay safe, either. If the user presses that button the second stage of the attack is initiated. And according to one person who suffered through this scenario, it'll be a pretty convincing one that some people may well fall foul of. Others will have accidentally pressed the Allow button before that happens, but for the lucky ones, the nightmare is just beginning.
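The first stage of the attack only works because every reset request is pushed straight to the account owner's devices. The following is an added example, not code from the article and not Apple's reset system (whose internals are not public): a hypothetical server-side throttle for any service that sends an allow/deny prompt for password resets. It stops pushing prompts to the user after a small burst, locks the reset path for that account for a day, and records one alert that operations staff can act on. The account names, IP addresses and request timing are constructed sample data; the class names and thresholds are assumptions.

```python
"""Throttle for push-based password-reset prompts (added, hypothetical example).

Models the flood the article describes: many reset requests aimed at one
account in a short time. Instead of pushing every request to the victim's
devices, the service prompts a few times, then suppresses further prompts
and raises a single alert for that account.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

PROMPT, SUPPRESS = "prompt", "suppress"


@dataclass(frozen=True)
class ResetRequest:
    account: str     # identifier of the account the requester wants to reset
    source_ip: str   # where the reset request came from
    ts: float        # seconds since the epoch


class ResetPromptThrottle:
    """Decides, per reset request, whether an allow/deny prompt is pushed."""

    def __init__(self, max_prompts: int = 3, window_s: float = 3600.0,
                 lockout_s: float = 24 * 3600.0) -> None:
        self.max_prompts = max_prompts   # prompts allowed per sliding window
        self.window_s = window_s
        self.lockout_s = lockout_s       # how long prompts stay suppressed
        self._sent = defaultdict(deque)  # account -> timestamps of prompts pushed
        self._ips = defaultdict(set)     # account -> source IPs seen
        self._locked_until = {}          # account -> time when prompts resume
        self.alerts = []                 # (account, ts, sorted source IPs), one per lockout

    def decide(self, req: ResetRequest) -> str:
        self._ips[req.account].add(req.source_ip)
        sent = self._sent[req.account]
        # Forget prompts that fell out of the sliding window.
        while sent and req.ts - sent[0] > self.window_s:
            sent.popleft()
        # An account in lockout gets no prompt at all; the requester sees
        # the same generic response either way, so nothing leaks.
        if self._locked_until.get(req.account, 0.0) > req.ts:
            return SUPPRESS
        if len(sent) >= self.max_prompts:
            self._locked_until[req.account] = req.ts + self.lockout_s
            self.alerts.append((req.account, req.ts, sorted(self._ips[req.account])))
            return SUPPRESS
        sent.append(req.ts)
        return PROMPT


def constructed_flood(account: str = "victim@example.com", n: int = 100,
                      start: float = 1_700_000_000.0) -> list:
    """Constructed sample: n reset requests four seconds apart from two IPs."""
    return [ResetRequest(account, "203.0.113.5" if i % 2 else "198.51.100.7",
                         start + 4.0 * i)
            for i in range(n)]


def run(requests: list) -> tuple:
    """Feed requests through a fresh throttle; return decisions and alerts."""
    throttle = ResetPromptThrottle()
    decisions = [throttle.decide(r) for r in requests]
    return decisions, throttle.alerts


if __name__ == "__main__":
    decisions, alerts = run(constructed_flood())
    print(f"prompts pushed: {decisions.count(PROMPT)}, "
          f"suppressed: {decisions.count(SUPPRESS)}")
    for account, ts, ips in alerts:
        print(f"ALERT {account} at {ts:.0f}: reset flood from {ips}")
```

With the defaults, a hundred requests produce three prompts and one alert rather than a hundred prompts; a single legitimate request on another account is still prompted, and once the lockout expires the account's owner can reset again. The point a defender should take from it is that the owner of the account should never be the rate limiter.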

Security watch

KrebsOnSecurity reports on one attack that befell Parth Patel, an entrepreneur working to build an AI startup. According to Patel, more than a hundred notifications requesting a password reset arrived, seemingly in the hope that the target would accidentally press the wrong button or just press Allow out of frustration.

“All of my devices started blowing up, my watch, laptop and phone,” Patel told KrebsOnSecurity. “It was like this system notification from Apple to approve [a reset of the account password], but I couldn’t do anything else with my phone. I had to go through and decline like 100-plus notifications.”

After declining the notification Patel then received a phone call from what appeared to be Apple. The attackers spoofed Apple's customer support phone number.

“I pick up the phone and I’m super suspicious,” Patel said. “So I ask them if they can verify some information about me, and after hearing some aggressive typing on his end he gives me all this information about me and it’s totally accurate.”

There was one anomaly, however. The attacker gave Patel the wrong first name, and that was enough to give the game away. Others may not be so lucky.

Those who do fall for the second half of the scam then receive a text message containing a one-time passcode, which the caller asks them to read back. If they do, the attackers have everything they need to reset the Apple ID's password. From there, it's game over.

Another iPhone owner who experienced the same attack hung up the call and phoned Apple back to confirm it was legitimate. It wasn't, with Apple's support team confirming that employees will never call customers out of the blue — only when they've been asked to.

That appears to be the key here, although it doesn't help deal with the initial part of the attack that fills a person's iPhone with notifications. One user even said they received the alert on their Apple Watch overnight and could have accidentally tapped the Allow button — a mistake that could have had catastrophic consequences.

Oliver Haslam
Contributor

Oliver Haslam has written about Apple and the wider technology business for more than a decade with bylines on How-To Geek, PC Mag, iDownloadBlog, and many more. He has also been published in print for Macworld, including cover stories. At iMore, Oliver is involved in daily news coverage and, not being short of opinions, has been known to 'explain' those thoughts in more detail, too. Having grown up using PCs and spending far too much money on graphics card and flashy RAM, Oliver switched to the Mac with a G5 iMac and hasn't looked back. Since then he's seen the growth of the smartphone world, backed by iPhone, and new product categories come and go. Current expertise includes iOS, macOS, streaming services, and pretty much anything that has a battery or plugs into a wall. Oliver also covers mobile gaming for iMore, with Apple Arcade a particular focus. He's been gaming since the Atari 2600 days and still struggles to comprehend the fact he can play console quality titles on his pocket computer.