Warning: Apple Users Targeted in Phishing Attack Involving Rapid Password Reset Requests

[Abthevolfan92]

by saying users roughly how many are having this happen? Is this a huge thing going on or only with a select few

 

[vegetassj4]

Hopefully you’re joking, because that’s as fake as it can be.

indeed

 

[sw1tcher]

It's occurring to me that allowing my iPhone to be the center of my financial and personal life is unwise and I'm taking steps to fix that.

After seeing this

I too realized using your iPhone to manage everything is not a good idea.

 

[aidler]

Let's see if Apple fixes the problem as quickly and creatively as they squeezed out Beeper from iMessage. I suspect not, because this time it's only the users who are affected and not Apple's wallet.

 

[fbr$]

The attack seems to hinge on the perpetrator having access to the email address and phone number associated with an Apple ID.

I never give my Apple ID's email to anyone. It's an email used only for the Apple ID.

 

[Mr. Heckles]

I never give my Apple ID's email to anyone. It's an email used only for the Apple ID.

But you give your phone number out to people. And all the breaches lately, it’s definitely out there.

 

[mike2q]

And the DOJ and EU keep tearing down the Apple ecosystem. What insanity

I'm not sure what you're point is here but this has nothing to do with this particular issue. If your argument is that the availability of alternative app stores has somehow weakened security then you're either living in a propaganda fantasy land or a greedy Apple exec throwing out a red herring. Either way, you couldn't be more on the wrong side of this issue.
Apple has not opened up anything outside of the EU and still they are facing the same issues as every other OS. Clearly their closed system doesn't protect you. It only protects Apples insane profit margin.

 

[Shasterball]

This is annoyingly sophisticated. And yes - agree - always call the company back. If someone ever tries to rush you or instill a sense of urgency, you 100% know it's not legit.

 

[vegetassj4]

Man, they are scamming off of the phising. 🤦‍♂️

I am looking for other websites on the topic and came across this (I posted it as a picture so that someone won't inadevertently go to the scam website) Yes, it certainly looks suspect even in the Google search, but I wanted to see.



it gives the following popup:

 

[vegetassj4]

Never trust a company to call you out of the blue! Just tell them you are hanging up and contacting that company directly.

Or do something similar to what I did to a scam caller who told me my "Windows 10 install had a virus": string them along for a half hour, acting like you are following directions and finally say "I don't have windows".

Dude cussed me out six ways to Sunday, then hung up on me LOL. Good Fun

 

[Mr. Heckles]

Or do something similar to what I did to a scam caller who told me my "Windows 10 install had a virus": string them along for a half hour, acting like you are following directions and finally say "I don't have windows".

Dude cussed me out six ways to Sunday, then hung up on me LOL. Good Fun

That was amazing! Too bad you didn’t record it.

 

[Shirasaki]

And the DOJ and EU keep tearing down the Apple ecosystem. What insanity

Yeah sure DOJ and EU has been complaining apple’s own security measure is “monopolistic” and “hurt competitors”.
Totally legit.

 

[Shirasaki]

That was amazing! Too bad you didn’t record it.

YouTube scam callers have better ones. But I agree his call is amazing.

 

[vegetassj4]

That was amazing! Too bad you didn’t record it.

Illegal w/o both party consent in my State, though I doubt he would have complained or been available to be a witness in the event that LEOs even cared, LOL.

 

[Shirasaki]

Let's see if Apple fixes the problem as quickly and creatively as they squeezed out Beeper from iMessage. I suspect not, because this time it's only the users who are affected and not Apple's wallet.

Yeah I fear Apple will take their sweet sweet time to figure out this issue and fix it, which could take untold amount of time.

 

[jarman92]

I get asked EVERY TIME I open my phone. "Oh, some icloud stuff isn't syncing. they it says, oh, health isn't syncing.

I do not want 2FA, my wife often goes to China and has no signal and when if it asks for a code from her phone, I'll be trapped until she finds a signal.

I have been denying 2FA for years and for years I get pop ups with 'subtle' hints. You can't make them go away, and on the MacBook the notification pops up, you click the X to dismiss, but that only brings up the system preferences dialog box.

as far as I'm concerned, the first 100 times I tell it NO, it's HARASSMENT when they keep trying to 'fool' me to sign up.

every time I update, it rushes thru the choices hoping I'll click continue accidentally and bam, now I have to turn off 2FA and change my password etc., et.al.

now this is pushing and frankly, I wouldn't have known.

This is a terrible idea…nobody should forego 2FA on important accounts in 2024. And your reasoning makes no sense—why would your wife’s phone be involved at all? Only your own Apple devices and/or your phone number should be pinged to confirm your Apple ID.

And even if it did make sense, you can (and should) enable 2FA using a security key.

 

[Shirasaki]

Such a bummer to those people accusing sideloading reducing iOS security when this exploit and phishing attack doesn’t need sideloading at all. Wonder how that claim holds up.

 

[JCCL]

iCloud Lock was the worst thing Apple has done to the iPhone. Some people legit get permanently locked out of their own phones because of it.

Yeah. I bet that it locks out way more thieves than legit users.

 

[Shirasaki]

This is a terrible idea…nobody should forego 2FA on important accounts in 2024. And your reasoning makes no sense—why would your wife’s phone be involved at all? Only your own Apple devices and/or your phone number should be pinged to confirm your Apple ID.

And even if it did make sense, you can (and should) enable 2FA using a security key.

What if they both uses the same Apple ID? 2FA on trusted device only need the same Apple ID to be logged in across all devices.

And, 2FA can both protect your account and locks you out of said account, unless the fallback exists and difficult to exploit, which is a big ask for a mass adopted security measure like this.

I’m not against 2FA. I’m saying his concern and fear of using 2FA is not unfounded. I resisted 2FA for as long as possible until the company I worked for mandated it.

Let’s also not forget single Apple device scenario, which 2FA could lock user out of account simply by virtue losing said device.

 

[jarman92]

What if they both uses the same Apple ID? 2FA on trusted device only need the same Apple ID to be logged in across all devices.

And, 2FA can both protect your account and locks you out of said account, unless the fallback exists and difficult to exploit, which is a big ask for a mass adopted security measure like this.

I’m not against 2FA. I’m saying his concern and fear of using 2FA is not unfounded. I resisted 2FA for as long as possible until the company I worked for mandated it.

Let’s also not forget single Apple device scenario, which 2FA could lock user out of account simply by virtue losing said device.

I refuse to accept that a grown person who participates in the MacRumors forums in the year of our Lord 2024 could be obtuse enough to be sharing an Apple ID. It’s just outrageously, inconceivably stupid and entirely unnecessary.

But even in such a scenario, security keys would solve the problem, as would simply getting a wireless plan with international data or any number of cheap international eSIMs.

And your final concern isn’t really a concern, because you can now set up a recovery contact.

 

[Mr. Heckles]

What if they both uses the same Apple ID? 2FA on trusted device only need the same Apple ID to be logged in across all devices.

Apple IDs were not set up for this, it’s 1 Apple ID for 1 person. It’s. It Apples fault you’re not using it right.

And, 2FA can both protect your account and locks you out of said account, unless the fallback exists and difficult to exploit, which is a big ask for a mass adopted security measure like this.

its your responsibility to set up back-up ways. There are many ways.

I’m not against 2FA. I’m saying his concern and fear of using 2FA is not unfounded. I resisted 2FA for as long as possible until the company I worked for mandated it.

Let’s also not forget single Apple device scenario, which 2FA could lock user out of account simply by virtue losing said device.

You can set up a recovery contact. My mom only had an iPhone for years, and she broke it (her only device for 2FA). She went to the Apple Store, got a new phone/replacement, activated it, and got a text for her 2FA. If a 70 year old person can do this, I bet you can.

 

[neuropsychguy]

Such a bummer to those people accusing sideloading reducing iOS security when this exploit and phishing attack doesn’t need sideloading at all. Wonder how that claim holds up.

What? That doesn’t have anything to do with this issue.

Side loading, in any case, is less secure. I’m in favor of it, but we have to be honest and recognize that it would allow additional security risks that don’t currently exist. That's statistics. It also likely would not fix any security issues unless all side loaded apps are more secure than non-side loaded ones. This makes allowing side loading less secure overall. That doesn't mean there should be no side loading, it just means that it is less secure and a risk people need to be aware of.

 

[scorpio vega]

iCloud Lock was the worst thing Apple has done to the iPhone. Some people legit get permanently locked out of their own phones because of it.

iCloud lock is great.

 

[scorpio vega]

Clearly their closed system doesn't protect you. It only protects Apples insane profit margin.

Protects me more than lagdroid

Such a bummer to those people accusing sideloading reducing iOS security when this exploit and phishing attack doesn’t need sideloading at all. Wonder how that claim holds up.

Sideloading is a security risk. A closed system doesn’t mean it can’t be completely infiltrated

 

[tonmischa]

I don't get it.

When I go to iforgot.apple.com , I have to enter E-Mail and phone number.
Then the pop-up appears on all my devices.
Then I can change the password ON MY DEVICE.

But NOT in the WEB BROWSER that the attacker uses.

Did I miss something?
Did Apple already change something?