A tech expert has warned Apple users about a potential iPhone phishing scam that could be used to steal their personal details via fake mobile apps.
App expert Felix Krause has shown on his blog how easily a fake Apple ID or iTunes account pop-up can be created. The genuine versions of these pop-ups appear frequently on Apple users’ smartphones and tablets, prompting them to enter their Apple ID password when downloading a new app or updating their iOS software.
Phishing attacks replicate a familiar interface to trick users into entering their passwords, bank card details and other sensitive information that gives access to their online accounts. Phishing is more common via email, but it is increasingly appearing in mobile apps.
iOS is the software that runs on all Apple devices.
Krause points out that Apple users have been “trained” by long practice to enter their Apple ID password whenever the ‘Sign In To iTunes Store’ or ‘Sign-in Required’ pop-ups appear on their screen. He says that a scammer could potentially submit an app to Apple’s App Store that appears legitimate – thus passing Apple’s vetting procedure – and then add the fraudulent pop-up in a later update, once the app is already in the store.
“iOS asks the user for their iTunes password for many reasons, the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation,” he explains in his blog post.
“As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.
“This could easily be abused by any app … Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.”
He notes that two-factor authentication would prevent such a scam from succeeding, but that many users have not enabled that second layer of security on their Apple account. He also points out that many people use the same username and password for their Apple account as for other apps and accounts, which means that once a scammer knows the combination, they could try it against a user’s other accounts.
He posted some screenshots on Twitter of a real Apple pop-up, and his faked one, as an example of how it was possible to create a very legitimate-looking fake pop-up.
Krause, who specialises in creating apps, not scams, advises users who receive a pop-up like this to press the Home button to close the app. If the pop-up disappears along with the app, it was drawn by the app itself and is a phishing attempt. If it stays on the screen, it is a genuine system request from Apple.