Apple SMS phishing and the iCloudTue, Jul 22, 2014 by Andrew Conway
- Just last night, I upgraded my Mac Air to the latest release of OSX. The upgrade did not go as smoothly as most. When rebooting, my computer hung for a couple of hours with the screen saying
- . When I finally got bored with this and held down the power key for a hard reboot it came up OK, but then prompted me for my AppleId password. I had forgotten this, of course. It’s in an encrypted spreadsheet on my computer that I’m trying to log in to, with all my other hard-to-remember-passwords. Happily there was a
Bypass this step
- button which I clicked, and I was informed that I could store my keychain in the iCloud later.
The keychain is a file that contains private keys and passwords and credit card data, and Apple was planning to put that out on their servers, and share it across all my Apple devices. Hey, Apple, I don’t want my keychain exposed on a server that I have no control over, “industry standard encryption” or not.
Apple does have another layer of security for the iCloud keychain. It is only available to “approved devices”. To give a new device access to the keychain, one of the existing approved devices has to OK it. But what happens if one of those devices gets stolen?
Recently we have seen an interesting SMS phishing attack attempting to collect AppleId credentials.
Hello, My name is Stacy Hartman(Employee ID#414712) I work at the Apple Store. Someone has turned in a iPhone and we need to verify ownership of the iPhone. Once verification is complete, the iPhone will be shipped to the mailing address on the account. Feel free to verify ownership of the iPhone. Thanks [Link redacted]
The landing page looks like an Apple login page but actually is hosted at another site which isn’t controlled by Apple: :
This has been a very low volume attack. But suppose it’s a very low volume and highly targeted? Suppose it is aimed at users whose iPhones have been recently stolen and are in possession of the criminals? The criminals could find the number of the stolen phone, wait a few days until the victim gets a new one, then send them the phishing message. The user is so excited to hear their old phone has been turned in they are not on the look out for possible fraud, and they enter their credentials at the phishing page. The criminal now has access to your AppleId account, and an approved device, so they can access your keychain…
But no, I’m being too paranoid here. The call to action url does not vary enough from message to message, so there would be no way for the criminals to track which set of credentials go with which device. Earlier versions of this attack, with the same message but a different landing page, attempted to get the user to install a Mac adware Trojan. It looks as if the criminals have just come up with what they think is an effective pitch and experimenting with different ways of monetizing it.
Still, years in computer security have taught me that you can’t really be too paranoid. If you use Apple products I would recommend:
- Turn on dual factor authentication on your AppleId
- Make sure you use a security code on your iPhone
- Don’t put anything on iCloud you don’t mind sharing with Apple’s sysadmins and the NSA
- If your iPhone or iPad is missing or stolen, treat any messages about its return with extra suspicion