iOS Beware! Felix Krause Raises Concern over Phishing Attacks On Apple Products
Felix Krause, founder of Fastlane.tools recently in his blogpost revealed a new method for phishing Apple ID passwords on iOS. The malware is almost indistinguishable from a real iOS password request.
According to Krause, the goal of actually posting this method on his blog was to close the loophole that’s been around many years, yet it hasn’t been addressed. In his blog, he not only identifies the method for phishing Apple ID passwords, but also avoiding and recognizing such attacks.
However, not many see this particular phish as a huge risk, as iOS apps can only be downloaded through the App Store. But it would be wrong to say that it is impossible to get a phishing app into the App Store. The process of doing so can be long and complicated for iOS. However, if we look at cases where the App Store screening process wouldn’t come into play such as macOS instead of iOS. As unlike on iOS, Mac users can download apps from anywhere, and frequently do so. It is also one of the main reasons why Mac users usually get infected with viruses and such.
For example in a blog by Malwarebytes, the author gives you the situation where you’re using your Mac, and suddenly the Mail app opens and shows a password request because of a failure with your iCloud account. According to him a Mac expert may recognize the fake pop up but many will actually enter teir iCloud password.
Since users have become so accustomed to password requests, they just blindly enter them whenever they are asked, especially Mac users. As Mac doesn’t get malware, correct? This is true, as there have been very few number of malware related incidents. This in turn makes it easier for the hackers. As users, we’ve become inured to these requests, not treating them with the suspicion that they deserve.
So overall, it is basically good to be cautious even if you’re a Mac user. One of the ways to know whether password request is legitimate or not is by knowingly entering an incorrect password, as the phishing malware or websites can’t know what your password is until you enter it, so they can’t know you entered the wrong password intentionally, and will simply accept what you typed. If, on the other hand, the bad password is rejected, it’s likely that the password request is legitimate.
So it is always better to be cautious when it comes to typing in passwords to avoid any and all phishing attempts on your system.