Phishing for Apple ID passwords on iOS

It has recently been discovered that the legitimate dialogue boxes that prompt an iOS user for their Apple ID password can be replicated with frightening fidelity. Felix Krause, an iOS developer for Fastlane.Tools, posted the proof of concept on his blog in an effort to get this “loophole which has been around for many years” closed. The fake boxes are nearly identical to the legitimate ones.

[Image: apple-id-phishing-attack – a legitimate Apple ID password prompt alongside the replicated one]

As you can see, they are nearly indistinguishable from one another. Unless you’re looking for it, you would never be able to distinguish between the two. Even if you were thinking it might be a phishing attack, it would be nearly impossible to determine with certainty whether it was legitimate or not. This particular box type has the user email associated with the Apple account in it, but there is also a version without the email address.

[Image: apple-id-phishing-attacks – the variant of the prompt that does not display the user's email address]

Again, if you weren’t expecting this to be a phishing attack, you would probably not think twice before inputting your password.

The boxes are created, quite easily, with UIAlertController, a standard class in Apple's UIKit framework. Krause did not disclose the exact code for security reasons, but a quick look at the UIAlertController page in Apple's developer documentation shows that building such a box is as easy as following a template.

Thankfully, Krause also offered several tips to avoid being phished in this manner:

Press the home button. If both the app and the dialogue box close, the prompt was a phishing attack; if the dialogue stays up while the app goes away, it is legitimate. This works because system dialogues are presented by iOS itself, outside the app, rather than by the app's own code.

Don’t even begin to enter your credentials into a popup. Even if you never submit the form, the app may already have recorded every character you typed. Go into the Settings app and enter them there instead.

Users with two-factor authentication enabled are safer from phishing attacks of this nature. That said, if the app also asks for the two-factor authentication token and the user enters it, they have nullified that protection entirely.

As always, be careful when you’re putting in your credentials. You never know where phishing attacks will come from next.

– Daniel Szafran

Felix Krause blog: https://krausefx.com/blog/ios-privacy-stealpassword-easily-get-the-users-apple-id-password-just-by-asking

Source Article: https://thehackernews.com/2017/10/apple-id-password-hacking.html

Apple Developer UIAlertController: https://developer.apple.com/documentation/uikit/uialertcontroller

The Hard Apple: Why It’s Difficult to Acquire Malware on a Mac

It always seems like there is a new virus, new malware, or new adware popping up on a computer running Windows. But why do we not hear about this happening on a Mac? The answer lies under the operating system, tracing it to its roots, along with the attackers’ target audience.

Apple Mac computers run a Unix-based operating system. Unix is normally a very secure operating system with its own built-in protections, and Apple has layered its own security features on top of it. One of these features is Gatekeeper, which blocks any software that hasn’t been digitally signed and approved by Apple. A second feature used by Macs is sandboxing. Sandboxing checks that applications only do what they are supposed to be doing, and isolates them from system components and other parts of the computer that have nothing to do with the app’s designed purpose. The final protection used by Apple is FileVault 2, a disk-encryption feature that encrypts all of the files on the Mac. Together these built-in protections create a more secure system for Apple’s users.

One might expect Mac users to be an easy group to target, but based on recent data, most attackers judge that the size of the Apple community is not worth the effort of building a virus or malware that can successfully pass through all of Apple’s security obstacles. The reason there are so few viruses and malware for Mac devices is that attackers have a larger and easier target audience among Windows users.

Despite the small number of Mac-related viruses and malware, there have still been instances of them. In 2017 alone, there has been a 230% increase in Mac malware. An example of this is the OSX/Dok malware. OSX/Dok appeared in April 2017 and was a trojan that hijacked all incoming and outgoing traffic to and from the Mac. The trojan was signed with a valid certificate from Apple, meaning that the hackers could have used a legitimate developer’s account to launch this attack. Another attack, in February of 2017, was called MacDownloader. This adware presented itself to the user as a free update for Adobe Flash Player. When the installer ran, the program warned the user that there was adware on the Mac and prompted for the system password. It would then begin transmitting data (i.e. usernames, passwords, etc.) to a remote server. The final example of successful Mac malware is one called Safari-Get. Appearing in November of 2016, this was a type of social engineering that involved sending out links through email; the link opened either multiple iTunes windows or multiple draft emails (depending on the Mac operating system version). This would freeze the system or exhaust its memory and force a shutdown.
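The three protections described above, and the OSX/Dok lesson that a valid signature only tells you who signed, are the things a defender would want to check on a Mac. The script below is an added example, not code from the post or from Apple: the parsing functions are pure shell and can be exercised offline on constructed output, while audit_mac() calls the real Apple tools (spctl, fdesetup, codesign) and therefore only works on macOS. The sample app path and Team ID used in the comments are constructed placeholders.

```sh
# Added example: summarise Gatekeeper, FileVault and code-signing state on a Mac.
# Parsing functions are pure shell; audit_mac() needs the macOS tools on PATH.

# Gatekeeper: `spctl --status` prints "assessments enabled" or "assessments disabled".
gatekeeper_state() {
  case "$1" in
    *"assessments enabled"*)  echo enabled ;;
    *"assessments disabled"*) echo disabled ;;
    *)                        echo unknown ;;
  esac
}

# FileVault: `fdesetup status` prints "FileVault is On." or "FileVault is Off.".
filevault_state() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# Code signing: `codesign -dvv <app>` writes "TeamIdentifier=<id>" and one
# "Authority=..." line per certificate in the chain (to stderr). A valid
# signature only identifies the signer; OSX/Dok shipped with a valid one, so
# the Team ID and leaf authority are recorded for review, not trusted blindly.
signing_team_id() {
  printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

signing_authority() {
  printf '%s\n' "$1" | sed -n 's/^Authority=//p' | head -n 1
}

# Full posture check; macOS only. Usage: audit_mac /Applications/Example.app
audit_mac() {
  app="$1"
  command -v spctl >/dev/null 2>&1 || { echo "spctl not found: not macOS"; return 1; }
  echo "Gatekeeper: $(gatekeeper_state "$(spctl --status 2>&1)")"
  echo "FileVault:  $(filevault_state "$(fdesetup status 2>&1)")"
  if [ -n "$app" ]; then
    sig=$(codesign -dvv "$app" 2>&1)
    echo "Team ID:    $(signing_team_id "$sig")"
    echo "Signer:     $(signing_authority "$sig")"
    # spctl's own verdict also reflects certificates Apple has since revoked
    spctl --assess --type execute --verbose "$app" 2>&1
  fi
}
```

The `spctl --assess` call at the end matters for the Dok case: when Apple revokes a developer certificate that was abused, Gatekeeper's verdict changes even though `codesign` still reports a well-formed signature.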

Even though attackers put little effort into targeting Mac users, those users should still have some concern for their safety. Staying safe is as simple as keeping applications updated and being careful when clicking links or opening unfamiliar files.

-Ryan Keihm

Sources

Do Macs get viruses, and do Macs need antivirus software?

16 Apple Security Advances to Take Note of in 2016

Using the FCC.gov Site as File Storage

The title of my source article is “The FCC.gov Website Lets You Upload Malware Using Its Own Public API Key.” This sounds far-fetched, but it really isn’t. Basically what happened is that the FCC has an API for uploading files to its domain, and one does not have to accept a TOS or EULA in order to use it – you can simply request an API key.

Along with the API key, there is also public FCC API documentation that one can use if you’re not quite technically savvy enough to figure it out without documentation (that is to say, you’re not getting lucky – trying to do this without documentation is probably shooting blind). The author says that “…so far they have managed [to upload] pdf/gif/ELF/exe/mp4 files up to 25MB in size.”

So what all this boils down to is that the FCC has a publicly accessible API for uploading documents to its website that you do not have to agree to a TOS for (meaning that you can’t violate any TOS by using it), and it can act as file storage for most file types up to 25MB, even allowing MP4 video playback within the site. This is interesting – people could have split files into smaller zipped chunks, which wouldn’t give you anything comprehensible if you just opened one of the .zips, and then distributed the links for all parts to other people (NOTE: I do not know if .zip is an acceptable upload type, but even if it isn’t, you can do the same thing with a PDF, it’s just a little more complex).

This file storage could be used for simple jokes (like the contact the author of the OP had), or people could have been storing illegal files on a government website (which, using the technique I described earlier, would not look like much unless all the parts were found). The big concern the author has is people using this as a redirect or to host malware. Phishing would be much easier against someone technically savvy if the .exe a “government official email” says they need to download and run is hosted on the FCC.gov website.
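The defensive counterpart to the upload abuse described above is server-side content validation: an endpoint that accepts "pdf/gif/ELF/exe/mp4 ... up to 25MB" is trusting file names and sizes rather than content. The following is an added example, not code from the post, the author or the FCC. It sniffs the leading bytes of an upload, rejects native executables (ELF, Windows PE, Mach-O) and archives whatever their extension, enforces the 25MB limit, and requires the extension to agree with the detected type. The allowlist and the sample payloads are constructed for this illustration.

```python
"""Added example: content-based validation for a public file-upload endpoint.
The allowlist below is a hypothetical policy, not the FCC's; payloads are
constructed inline so the module runs offline."""

MAX_UPLOAD_BYTES = 25 * 1024 * 1024  # the 25 MB limit the post mentions

# Leading-byte signatures. Extensions are attacker-controlled; magic bytes are
# harder to fake without breaking the file for its intended consumer.
DOCUMENT_SIGNATURES = {
    "pdf": [b"%PDF-"],
    "gif": [b"GIF87a", b"GIF89a"],
    "png": [b"\x89PNG\r\n\x1a\n"],
}
EXECUTABLE_SIGNATURES = {
    "elf": [b"\x7fELF"],                      # Linux/Unix executables
    "pe": [b"MZ"],                            # Windows .exe/.dll
    "macho": [b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
              b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"],
}
ARCHIVE_SIGNATURES = {
    "zip": [b"PK\x03\x04"],                   # the split-archive trick the post describes
}


def sniff_type(data):
    """Classify an upload by its leading bytes.

    Returns (category, name) where category is one of 'executable',
    'archive', 'document', 'video', or (None, None) if unrecognised."""
    for category, table in (("executable", EXECUTABLE_SIGNATURES),
                            ("archive", ARCHIVE_SIGNATURES),
                            ("document", DOCUMENT_SIGNATURES)):
        for name, sigs in table.items():
            if any(data.startswith(sig) for sig in sigs):
                return category, name
    # ISO base media (MP4): 4-byte box size followed by the 'ftyp' box type.
    if len(data) >= 8 and data[4:8] == b"ftyp":
        return "video", "mp4"
    return None, None


def check_upload(filename, data, allow_video=False):
    """Decide whether an upload is accepted. Returns (accepted, reason)."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "too large"
    category, name = sniff_type(data)
    if category in ("executable", "archive"):
        # Rejected on content alone, regardless of what the name claims.
        return False, f"{category} content ({name}) rejected despite name {filename!r}"
    if category is None:
        return False, "unrecognised content"
    if category == "video" and not allow_video:
        return False, "video not permitted"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != name:
        # A PDF named photo.gif is as suspicious as an ELF named report.pdf.
        return False, f"extension .{ext} does not match content {name}"
    return True, f"accepted as {name}"


if __name__ == "__main__":
    # Constructed sample uploads: (name, first bytes)
    samples = [
        ("report.pdf", b"%PDF-1.4 constructed sample"),
        ("report.pdf", b"\x7fELF" + b"\x00" * 16),   # ELF hiding behind a .pdf name
        ("update.exe", b"MZ\x90\x00"),
        ("clip.mp4", b"\x00\x00\x00\x18ftypmp42"),
        ("part1.zip", b"PK\x03\x04"),
    ]
    for name, payload in samples:
        print(name, check_upload(name, payload))
```

Sniffing only the leading bytes is deliberately cheap and is not a substitute for a full parser or malware scan; its job is to stop the obvious cases the post lists (ELF and exe under any name) at the door, and to make the zip-chunking trick fail on the first part.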

Note: It’s possible that between my writing this post and its being read in class, all of the files have been taken down now that the vulnerability is known.

By: Connor Shade

Source

Apple Zero-days Mark a New Era of Mobile Hacking

Apple’s head of security engineering and architecture, Ivan Krstic, announced that Apple is ready to open up its vulnerability reporting process to researchers. They are launching a bug bounty program that offers rewards for zero-day vulnerabilities that allow malicious code exploits.

This idea came about after an incident involving an activist in the United Arab Emirates, Ahmed Mansoor, where three zero-days were discovered with the ability to spy on his messaging and calls. This incident caused Apple to realize that hackers had shifted their focus from desktops/laptops to mobile phones.

The iOS exploit used to target Mansoor was a three-pronged approach that started as a very believable phishing message which, when clicked, downloaded two kernel exploits to the device. Now that the malware has been exposed, Citizen Lab has determined that the exploit was the work of an Israel-based surveillance software developer, the NSO Group. Lookout estimates that the exploit had been available for purchase for approximately two years.

Now that the NSO Group has been made public and the zero-days have been patched, there are ways to scan your devices for signs of compromise, and Apple is pushing harder than ever before to find its own vulnerabilities.

-Hannah Gallucci

Apple zero-days mark a new era of mobile hacking

200,000 Comcast Customers Hacked

Comcast recently announced that 200,000 customers will have to change their passwords. The company found out that 590,000 Comcast accounts were being sold online for $1000, but says that only 200,000 of those accounts are active. Comcast denies that it was hacked and says that its users probably downloaded viruses or were phished, and their accounts were obtained that way.

“We’re taking this seriously and we’re working to get this fixed for those customers who may have been impacted, but the vast majority of information out there was invalid,” a company spokesperson said, according to the Washington Post.

The chief technology officer for Intel Security says that data breaches have been so common lately that it’s not surprising to see so much customer information for sale. They regularly monitor the dark web and see information like this for sale all the time.

Sam Chelini

article: http://time.com/4105920/comcast-customer-information/