
Matt Mullenweg Documents a Dastardly Clever Apple Account Phishing Scam

Matt Mullenweg:

One evening last month, my Apple Watch, iPhone, and Mac all lit up
with a message prompting me to reset my password. This came out of
nowhere; I hadn’t done anything to elicit it. I even had Lockdown
Mode running on all my devices. It didn’t matter. Someone
was spamming Apple’s legitimate password reset flow against my
account — a technique Krebs documented back in 2024. I
dismissed the prompts, but the stage was set.

What made the attack impressive was the next move: The scammers
actually contacted Apple Support themselves, pretending to be me,
and opened a real case claiming I’d lost my phone and needed to
update my number. That generated a real case ID, and triggered
real Apple emails to my inbox, properly signed, from Apple’s
actual servers. These were legitimate; no filter on earth could
have caught them.

Then “Alexander from Apple Support” called. He was calm,
knowledgeable, and careful. His first moves were solid security
advice: check your account, verify nothing’s changed, consider
updating your password. He was so good that I actually thanked him
for being excellent at his job.

That, of course, was when he moved into the next phase of
the attack.

What makes this attack so dastardly is that parts of it are actual emails from Apple. And because the attackers are the ones who opened the support incident, when they called Mullenweg, they knew the case ID from the legitimate emails sent by Apple.

One of the tells that alerted Mullenweg that this was a scam was that he knew he hadn’t initiated any of it, so his guard was up from the start. Another is that the scammer texted him a link pointing to the domain “audit-apple.com” (which domain is now defunct). That domain name looks obviously fake to me. But to most people? Most people have no idea that whatever-apple.com is totally different than whatever.apple.com.
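The whatever-apple.com versus whatever.apple.com distinction, as an added example that is not part of the original post: a check that compares whole DNS labels from the right, the way the name hierarchy actually works, instead of looking for the string "apple.com" somewhere in the link. The allowlist and every sample link other than the audit-apple.com domain named above are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only domain this check trusts. A real filter holds its own list.
TRUSTED_DOMAINS = ("apple.com",)

def host_of(url):
    """Hostname a browser would connect to: userinfo and port dropped, lowercased."""
    if "://" not in url:
        url = "https://" + url          # texted links often omit the scheme
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")             # "apple.com." names the same host as "apple.com"

def is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only if the host is a trusted domain or a subdomain of one."""
    labels = host_of(url).split(".")
    for domain in trusted:
        want = domain.split(".")
        # Whole-label comparison from the right: "audit-apple" is one label,
        # so audit-apple.com is a different registration from apple.com.
        if labels[-len(want):] == want:
            return True
    return False

# Constructed sample links, except audit-apple.com, which is the domain from the post.
SAMPLES = [
    "https://support.apple.com/",                      # subdomain of apple.com
    "audit-apple.com",                                 # hyphen, not a dot
    "https://apple.com.account-check.example/login",   # trusted name used as a prefix
    "https://apple.com@support.example/reset",         # trusted name in the userinfo part
    "https://APPLE.com./",                             # case and trailing dot are harmless
]

def report():
    """Map each sample link to whether it really sits under a trusted domain."""
    return {url: is_trusted(url) for url in SAMPLES}

if __name__ == "__main__":
    for url, ok in report().items():
        print(f"{'trusted  ' if ok else 'UNTRUSTED'}  {host_of(url):35} <- {url}")
```

A substring or "ends with apple.com" test would accept the second sample; only the label-wise comparison separates it from a real subdomain.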
