Cybercriminals have a surefire way to steal Apple ID credentials: Just ask users to provide them.
A blog post by software engineer and fastlane founder Felix Krause reveals that it's dead simple to spoof iOS popups that ask for Apple ID passwords. What makes it worse, Krause said, is that we're trained to put in passwords for a variety of reasons in a variety of apps.
The average user won't question the legitimacy of an Apple ID password request, which makes the spoof a very dangerous form of phishing. All an app needs to do is show a UIAlertController popup—an incredibly common part of an app.
As impossible as it may be for a user to tell the difference between a fake and a legitimate dialog window, there are still things that iOS users can do to protect themselves.
- If you get a popup asking for a password inside an app, hit the home button. If you can quit back to the home screen, it's not a legitimate request. Real system dialogs that ask for passwords run as a separate process and can't be quit in that fashion.
- Treat password requests inside apps like you would a link in an email—don't use it. Instead, open the Settings app and put the password in there, similar to going directly to a website that wants you to verify your information.
- Don't type anything into a password-requesting popup. Even if you press the cancel button, the information has already been captured.