Mobile Apps Are the New Phishing Grounds

Date: 10/18/2017

Hackers have a new phishing ground: your mobile device. A security researcher has published a report showing how easy it is for an app to capture the username and password of your Apple ID on an iPhone or iPad. The attacker does not have to break anything; they simply trick you into handing the password over.

Phishing has been around for years, evolving as awareness has improved and security tools have caught up. Now Felix Krause has demonstrated a phishing technique aimed at Apple device owners that mimics, quite convincingly, the iTunes Store sign-in dialog so many of us are used to seeing.

The legitimate dialog appears when we try to do something sensitive, such as purchasing an app or downloading content. It can also appear when installing an update, changing location settings, locating a lost device, and more. Krause showed that fewer than thirty lines of code, using the same standard iOS dialog component that the system itself uses, are enough to replicate the prompt, which means an attacker can build it into an app and use it to collect your password.

Apple has one of the “safest” app stores on the market because of its strict controls over what developers can list, and its app review process is fairly rigorous. But Krause pointed out that the fake prompt can be built to activate on a time delay, so it does not start appearing until weeks after the app is listed, long after Apple’s reviewers have finished looking at it.
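As an added illustration, and not Krause’s code or anything from the original article, the Swift below shows how an app can produce the prompt described above using Apple’s standard UIAlertController, including the delayed trigger. The class name, the Apple ID address in the message, and the five-second delay are hypothetical choices for the demo; the handler only reports how many characters were typed, to make the point that the app, not iOS, now holds the password.

```swift
import UIKit

// Added illustrative example (not Krause's code). Everything here is the stock
// UIAlertController that Apple documents for developers; only the strings are
// chosen to resemble the real Apple ID prompt. The class name, the address in
// the message and the delay are hypothetical.
final class DemoViewController: UIViewController {

    override func viewDidAppear(_ animated: Bool) {
        super.viewDidAppear(animated)
        // The time-delay trick the article describes: the prompt is not shown
        // until some time after the app appears. A malicious app would key
        // this off a calendar date or a remote flag so that App Review never
        // sees it; a fixed 5 second delay is enough to demonstrate the idea.
        DispatchQueue.main.asyncAfter(deadline: .now() + 5) { [weak self] in
            self?.presentFakeSignInPrompt()
        }
    }

    private func presentFakeSignInPrompt() {
        // Same component, same title style, same secure field as the genuine
        // system prompt, which is why a user cannot tell them apart by looking.
        let alert = UIAlertController(
            title: "Sign In to iTunes Store",
            message: "Enter the password for your Apple ID \"user@example.com\".",
            preferredStyle: .alert)
        alert.addTextField { field in
            field.placeholder = "Password"
            field.isSecureTextEntry = true   // shows dots, like the real dialog
        }
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Sign In", style: .default) { _ in
            // The text typed into the field belongs to the app, not to iOS.
            // This demo only reports its length; a phishing app would send it
            // to a server the attacker controls.
            let typed = alert.textFields?.first?.text ?? ""
            print("App received \(typed.count) characters of the password")
        })
        present(alert, animated: true)
    }
}
```

Because the alert is presented by the app’s own view controller, it lives inside the app’s process. That is exactly what the Home-button check later in the article relies on: suspend the app and this dialog goes with it, whereas the genuine system prompt is drawn outside the app and stays on screen.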

The critical problem is that a casual iOS user has almost no way to tell the fake from the real thing, because it is built from the very same system dialog that Apple uses, and Apple’s own documentation for app developers shows how to create it. The recipe is public, and any developer can use it.

Fortunately, there is a defence, and it is one users have heard before. If you get an email from your bank telling you to click a link to resolve a problem with your account, the industry best practice says DON’T. Close the email, go to your bank’s legitimate website yourself, sign in, and check whether the problem is even real.

Krause offers the same advice against this threat. If a pop-up appears on your device asking for your Apple ID password, DON’T type it in. Press the Home button first: if the app closes and the pop-up disappears with it, the pop-up belonged to the app and was a phishing attempt, because a genuine system dialog is not part of the app and stays on screen. Either way, dismiss the pop-up, open the Settings app, and sign in to your Apple ID there. When you return to what you were doing, you will already be signed in.

Remember, once attackers have your username and password, there is an excellent chance the same combination works on many of your other accounts. That is why you should use strong, unique passwords for each account, so that capturing one login does not open the rest.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.
