iOS Phishing Attack Masks Itself As Apple-Style Password Request

These days phishing attacks are getting smarter and more deceiving. In the past it would be quite obvious to tell when you’ve received an email or visit a website that tries to mask itself as another website, like that of your bank. However a quick check of the sender’s email or the website’s URL or its internal links can give it away.

However it seems that Apple might have a phishing problem on its hands with iOS. Recently developer Felix Krause (via MacRumors) posted proof of concept of a phishing attack that iOS developers could use to gain the user’s Apple ID and password. As you can see in the screenshot above, this comes in the form of a password request that looks pretty much identical to the one that Apple uses themselves.

According to Krause, “Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it’s literally the examples provided in the Apple docs, with a custom text.” That being said, it should be pointed out that this phishing method isn’t exactly new and that Apple usually checks apps for this before being accepted to the App Store.

However it’s still worth keeping an eye out for. Krause also shares a tip on how to tell if it is a phishing attempt, and all users have to do is press the home button when they receive the popup. If it goes away and closes the app, then it is tied in with the app, but if it remains then it is a genuine iOS system request. Krause has also reached out to Apple and recommended that they fix it, but whether or not they do is another story.

Tyler Lee
Categories: Apple, Cellphones, General
Tags: Hack, iOS, Security, Social Hit