Interesting and scary thread over at Xitter describing what appears to be a series of targeted attacks designed to hijack iCloud accounts by doing something that causes the user's device to be inundated with push OTP requests. The idea seems to be that if they send enough requests, the target might eventually click yes -- either by accident after denying it the 59th time, or because they just want to make the prompts stop.

It's worth noting that in the end game of this attack, the scammers apparently relied on data from people-search services to gather the target's data and contact the user directly posing as Apple. And when you ask them info about yourself to verify you, they can usually read off enough details to fool people into thinking they're actually talking to Apple. And then they ask you to verify a one-time code, and if you do that, your account is toast.

twitter.com/parth220_/status/1

@briankrebs All exploits are ultimately exercises in social engineering.

@KF7RHB @briankrebs "0-click" exploits, though; those can be purely technical.

Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.
