iPhone and iPad users have been warned about a new iOS phishing attack, which a security expert says makes it “shockingly easy” for cybercriminals to steal your password.
The phishing attack begins when users are presented with a familiar-looking pop up, prompting them to enter the password to their Apple ID in order to download an app.
The pop up looks almost identical to the legitimate one shown by Apple, security researcher Felix Krause, who created the proof-of-concept phishing attack, wrote in a blog post.
Felix says that criminals could programme apps to run malicious code after Apple has approved the app into the App Store.
Users would then be presented with the fake pop up and enter their Apple ID password. The information would then be sent back to a server controlled by the criminals who could use the password to access the victim’s Apple account, potentially giving them access to credit card details.
“iOS asks the user for their iTunes password for many reasons, the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation.”
“As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.
“This could easily be abused by any app, just by showing a UIAlertController that looks exactly like the system dialog. Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.”
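The point in the quote above is that the lookalike prompt is an ordinary in-app alert, which means it leaves a trace in the app's own code. The following is an added example, not code from the article or from Felix Krause's proof of concept: a small Python code-review heuristic that scans Swift source for UIAlertController constructions whose window of code combines a secure-entry text field with wording that only Apple's own system prompts use. The Swift snippets it scans are constructed for this example, and the phrase list and severity rules are assumptions a reviewer would tune to their own app.

```python
import re
from typing import Dict, List

# Constructed sample Swift sources for the scanner to examine.  These are not
# taken from the article or from any real app.
SAMPLE_SOURCES: Dict[str, str] = {
    "LoginViewController.swift": """
let alert = UIAlertController(title: "Sign In to iTunes Store",
                              message: "Enter the password for your Apple ID",
                              preferredStyle: .alert)
alert.addTextField { tf in
    tf.isSecureTextEntry = true
    tf.placeholder = "Password"
}
// action handlers omitted
""",
    "AccountInfo.swift": """
let alert = UIAlertController(title: "Apple ID linked",
                              message: "Purchases will be restored.",
                              preferredStyle: .alert)
alert.addAction(UIAlertAction(title: "OK", style: .default, handler: nil))
""",
    "SettingsViewController.swift": """
let alert = UIAlertController(title: "Delete note?",
                              message: "This cannot be undone.",
                              preferredStyle: .alert)
alert.addAction(UIAlertAction(title: "Delete", style: .destructive, handler: nil))
""",
    "RenameSheet.swift": """
let alert = UIAlertController(title: "Rename", message: nil, preferredStyle: .alert)
alert.addTextField { tf in tf.placeholder = "New name" }
""",
}

# Wording that belongs to Apple's system prompts, not to a third-party app's
# own dialogs.  Assumed list; extend it for the locales your app ships in.
APPLE_PROMPT_PHRASES: List[str] = [
    r"sign in to itunes store",
    r"apple id",
    r"icloud password",
]

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def scan_source(name: str, src: str) -> List[Dict]:
    """Return one finding per suspicious UIAlertController in a Swift file."""
    # Each window runs from one UIAlertController( to the next, so the
    # addTextField / isSecureTextEntry lines that follow a construction
    # are attributed to that alert.
    starts = [m.start() for m in re.finditer(r"\bUIAlertController\s*\(", src)]
    findings: List[Dict] = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(src)
        window = src[start:end].lower()
        has_secure = "issecuretextentry = true" in window
        phrase = next((p for p in APPLE_PROMPT_PHRASES if re.search(p, window)), None)
        if phrase and has_secure:
            severity = "high"      # looks like a system credential prompt
        elif phrase:
            severity = "medium"    # Apple wording on an app-owned alert
        elif has_secure:
            severity = "low"       # in-app password field; check its purpose
        else:
            continue
        findings.append({
            "file": name,
            "line": src.count("\n", 0, start) + 1,
            "severity": severity,
            "secure_field": has_secure,
            "apple_phrase": phrase,
        })
    return findings


def scan_all(sources: Dict[str, str]) -> List[Dict]:
    """Scan every file and order findings with the most severe first."""
    findings = [f for name, src in sources.items() for f in scan_source(name, src)]
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for f in scan_all(SAMPLE_SOURCES):
        print(f"{f['severity'].upper():6} {f['file']}:{f['line']}  "
              f"secure_field={f['secure_field']} phrase={f['apple_phrase']!r}")
```

Run against the constructed sources, the scanner reports LoginViewController.swift as high (system-prompt title plus a secure text field) and AccountInfo.swift as medium (Apple wording only), while the delete confirmation and the rename sheet produce no findings. The heuristic is deliberately coarse: it is meant to surface alerts for a human reviewer, not to prove an app is clean, and strings built at runtime or loaded from a server would not be caught by a source scan at all.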
If the victim then uses the same password from their Apple account elsewhere online such as on banking or social media sites, criminals could use it to access a variety of accounts.
Felix said users could easily protect themselves by simply hitting the home button whenever a pop up appears in iOS. If both the pop up and the app disappear, then it was a phishing attack, he claims.
He said users can go one step further by dismissing pop ups altogether and only entering password information for an account via the Settings app.
“This is the same concept [as never clicking] on links in emails, but instead open the website manually,” he added.