iPhone and iPad users are being warned about a new scam targeting iOS devices that can be used to steal login details and potentially credit card information.
The scam involves malicious apps that can be used to trigger fake Apple ID login prompts, which look exactly like the real thing.
The bogus login boxes usually appear when users try to install or update an app, asking for login details to be entered before they can continue.
If the user enters their password, the attacker could use it to access their account, find their payment information and steal their credit card details.
Felix Krause, an app developer based in Vienna, Austria, posted a video to his blog on Tuesday, demonstrating just how easy it is for attackers to create fake Apple login pop-ups and use them to phish customers' details.
"Users are trained to just enter their Apple ID password whenever iOS prompts you to do so," Mr Krause wrote in his post.
"However, those pop-ups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases. This could easily be abused by any app."
Hackers who use this technique could use the information supplied by unwitting Apple customers to steal credit card details and make fraudulent purchases.
Mr Krause also used his post to arm users with the knowledge to protect themselves from such attacks.
He wrote: "Hit the home button, and see if the app quits:
"If it closes the app, and with it the dialog, then this was a phishing attack.
"If the dialog and the app are still visible, then it's a system dialog. The reason for that is that the system dialogs run on a different process, and not as part of any iOS app.
"Don't enter your credentials into a pop-up, instead, dismiss it, and open the Settings app manually. This is the same concept, like you should never click on links on emails, but instead open the website manually.
"If you hit the Cancel button on a dialog, the app still gets access to the content of the password field. Even after entering the first characters, the app probably already has your password."
To summarise, the best way to avoid the scam is to never enter your login details into a pop-up, and instead to open the iPhone's Settings app and enter them there.