If you get an unexpected call from Apple Support, you're being hacked

Have you ever had an unexpected direct phone call from Apple support? I have not, and if you do ever receive one, you probably aren't talking to Apple. The company says you should immediately hang up.

"If you get an unsolicited or suspicious phone call from someone claiming to be from Apple or Apple Support, just hang up," the company support website states.

Don't fall for it

Other things it warns against are suspicious calendar invitations in Mail or Calendar, annoying pop-ups in the browser, unexpected software download prompts, and fraudulent emails.

The company offers up reporting tools you can use to tell Apple if you experience any of these, and if you have had such experiences, you should report them.

What makes this advice relevant right now is a new phishing scam in which people are receiving convincing-looking Apple ID password reset warnings, sometimes followed by unsolicited calls claiming to be from Apple.

It's an attempt to abuse the multi-factor authentication (MFA) system that protects Apple's devices.

What happens during an attack

These are sophisticated attacks

Critical to understanding the nature of this attack is knowing that if you are targeted by it, you have probably already been singled out in advance. These are relatively organized attempts, and whoever is behind an attack will already have researched some details about the victim.

That's because they need the email address and phone number associated with your Apple ID. Those details may come from data brokers and people-search websites such as PeopleDataLabs, as KrebsOnSecurity suggested earlier this week.

The attackers need to have sourced information about the target to come across as genuine in the all-important phone call during which they con the target into sharing the reset code. In other words, these are highly tactical, planned attacks in which hackers have assembled large quantities of personal data.

Michael Covington, VP of Portfolio Strategy at Jamf puts it this way: "MFA bombing presents a challenge to any targeted user, as they are forced to sift through a deluge of notifications with the fear of being victimized further if just one mistake is made.

"What they don't realize, however, is that this attack is typically preceded by a successful compromise of the user's credentials, thus allowing a hacker to initiate the sign-in process."

Jamf recently warned that many Apple-using businesses are still soft targets for such attempts.

How to protect yourself

There are some simple ways to protect yourself against these kinds of social-engineering-enhanced attacks:

If you experience an attack like this, you should report it using the details provided by Apple support. Reporting is a vital protection against attacks like these: if everyone reports them, Apple's systems can be tweaked more swiftly to intercept such attacks.

Expect a security update

The second thing every Apple user should do is keep all their devices updated. Devices running older operating systems frequently carry unpatched vulnerabilities that attackers may exploit.

It's plausible to think Apple's security teams will react to attacks such as this one with changes in the OS to protect against the attack method. That's almost certainly the case this time, as this attack exploits a bug that lets attackers bypass the limit on the number of Forgot Password requests Apple allows. I'm certain Apple's teams are already working on securing that, unless they already have.
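The article describes the attack as a deluge of reset prompts that should have been stopped by a cap on Forgot Password requests, but it does not say how that cap is bypassed. The following is an added example, not code from the article, Apple or Jamf, showing what the defensive side of that cap looks like: a per-account sliding-window limiter for reset prompts, and a detector that flags accounts whose prompts exceed the limit in a log. The log format, the account names, the source addresses and the thresholds are all constructed for illustration.

```python
"""
Added example (not from the article, Apple or Jamf): a per-account
sliding-window limiter for password-reset / MFA-push prompts, plus a
burst detector over constructed log lines. The log format, accounts,
source addresses and thresholds below are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy: at most MAX_REQUESTS reset prompts per account per WINDOW.
# The real numbers are a product decision; these are placeholders.
MAX_REQUESTS = 3
WINDOW = timedelta(minutes=10)


class ResetRateLimiter:
    """Sliding-window limiter keyed on the target account rather than on the
    requesting IP or session, so that rotating source addresses or opening a
    fresh session does not hand the requester a new budget."""

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW):
        self.max_requests = max_requests
        self.window = window
        self._events = defaultdict(deque)  # account -> timestamps in window

    def allow(self, account, now):
        q = self._events[account]
        cutoff = now - self.window
        while q and q[0] <= cutoff:      # drop prompts older than the window
            q.popleft()
        if len(q) >= self.max_requests:  # budget exhausted: refuse the prompt
            return False
        q.append(now)
        return True


# Constructed sample log (not real data): one prompt per line, with the
# source address changing on every request to mimic rotating IPs.
SAMPLE_LOG = """\
2024-03-27T10:00:01Z reset_requested account=user@example.com src=203.0.113.5
2024-03-27T10:00:04Z reset_requested account=user@example.com src=203.0.113.6
2024-03-27T10:00:09Z reset_requested account=user@example.com src=203.0.113.7
2024-03-27T10:00:15Z reset_requested account=user@example.com src=203.0.113.8
2024-03-27T10:00:20Z reset_requested account=user@example.com src=203.0.113.9
2024-03-27T10:05:00Z reset_requested account=other@example.com src=198.51.100.2
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, event, account, src)."""
    ts, event, acct, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            event, acct.split("=", 1)[1], src.split("=", 1)[1])


def simulate_limiter(log_text):
    """Replay the log through the limiter; return one allow/deny per line."""
    limiter = ResetRateLimiter()
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, acct, _src = parse_line(line)
        if event == "reset_requested":
            decisions.append(limiter.allow(acct, ts))
    return decisions


def detect_bursts(log_text, threshold=MAX_REQUESTS, window=WINDOW):
    """Return {account: (prompts_in_window, distinct_sources)} for every
    account whose reset prompts within any `window` exceed `threshold`.
    A high distinct-source count alongside the burst is a sign that the
    limit is being probed from many addresses against one account."""
    per_account = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, acct, src = parse_line(line)
        if event == "reset_requested":
            per_account[acct].append((ts, src))
    alerts = {}
    for acct, events in per_account.items():
        events.sort()
        recent = deque()
        for ts, src in events:
            recent.append((ts, src))
            while recent[0][0] < ts - window:
                recent.popleft()
            if len(recent) > threshold:
                alerts[acct] = (len(recent), len({s for _, s in recent}))
    return alerts


if __name__ == "__main__":
    print(simulate_limiter(SAMPLE_LOG))  # [True, True, True, False, False, True]
    print(detect_bursts(SAMPLE_LOG))     # {'user@example.com': (5, 5)}
```

The limiter and the detector are two halves of the same control: the first refuses the fourth and fifth prompts against user@example.com within the window, and the second reports that five prompts from five different addresses hit that one account while other@example.com, with a single request, is left alone. Keying both on the account is the design choice that matters here; a limit counted per source address or per session is the kind that a requester can walk around simply by changing where the request comes from.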

Finally, trust your instincts. Don't click on links from people you don't know, and don't take phone calls from dodgy support entities you haven't requested.

Please follow me on Mastodon, or join me in the AppleHolic's bar & grill and Apple Discussions groups on MeWe.