UK iPhone users have been hit by a large scale SMS phishing (or smishing) campaign in a bid to lure victims into disclosing personal and financial data.
Victims have received text messages to tell them that their Apple ID has been blocked and that they should visit a website to verify details.
The link itself is a fake Apple ID website which prompts users to enter their Apple ID and password as well as credit card details, mother's maiden name and even passport number.
The scam isn't limited to English-speaking countries: fake Apple ID websites in other languages have also been seen.
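The lure in these messages is a link whose host merely contains a familiar brand name, so a user skimming the text sees "apple" or "icloud" and trusts it. The following is an added example, not code from the article or from any of the people quoted in it: a small Python check that pulls the links out of a text message, reduces each host to its registrable domain, and flags hosts that carry an Apple brand word without actually belonging to an Apple domain. The set of legitimate domains, the brand-word list and the sample messages are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: domains Apple itself uses for account sign-in.
# Verify against Apple's own documentation before using such a list in anger.
LEGITIMATE_APPLE_DOMAINS = {"apple.com", "icloud.com"}

# Brand words a lookalike host is likely to contain (assumed list).
BRAND_WORDS = ("apple", "icloud", "itunes")

# Match http(s) URLs and bare "www." hosts inside free text.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages modelled on the lures described in the article.
SAMPLE_MESSAGES = [
    "Your Apple ID has been blocked. Verify your details at "
    "http://appleid-verify-support.example/login to restore access.",
    "Lost iPhone found! Locate it now: "
    "http://icloud.com.findmy-device.example/locate",
    "Reminder: manage your account at https://appleid.apple.com/",
]


def extract_urls(text):
    """Return the URLs found in a message, trailing punctuation stripped."""
    return [m.group(0).rstrip(".,;:!?)") for m in URL_RE.finditer(text)]


def registrable_domain(host):
    """Last two labels of a host name.

    Simplification: a real implementation should consult the public suffix
    list, otherwise hosts such as example.co.uk are reduced wrongly.
    """
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def classify_link(url):
    """Classify one link as legitimate, lookalike or unknown."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url  # urlparse needs a scheme to populate hostname
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    legitimate = reg in LEGITIMATE_APPLE_DOMAINS
    # A brand word anywhere in the host (including subdomains like
    # icloud.com.evil.example) is the classic smishing trick.
    brand_in_host = any(word in host for word in BRAND_WORDS)
    if legitimate:
        verdict = "legitimate"
    elif brand_in_host:
        verdict = "lookalike"
    else:
        verdict = "unknown"
    return {"url": url, "host": host, "registrable": reg, "verdict": verdict}


def flag_message(text):
    """Classify every link in a message; an empty list means no links."""
    return [classify_link(u) for u in extract_urls(text)]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for verdict in flag_message(msg):
            print(f"{verdict['verdict']:10} {verdict['host']}")
```

The important design point is the comparison on the registrable domain rather than on the presence of the brand name: `icloud.com.findmy-device.example` contains the string `icloud.com`, yet its registrable domain is `findmy-device.example`, which is exactly why a naive substring match in the other direction (trusting anything that contains "apple") fails.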
In March, journalists from Radio 4 demonstrated how they could use a smishing attack to take over customer accounts at NatWest Bank.
Security expert Graham Cluley said that fraudsters are now trying new variations on the attack in order to trick unsuspecting users. In one example he cited, fraudsters attempted to make their scam message appear more convincing by including instructions on how to unsubscribe from future alerts.
“Some smishing attacks, such as the following example sent via iMessage to an iPhone user based in Germany, use as bait a message claiming that a lost iPhone has been found,” he said.
The scam has even hit comedian Al Murray (pictured), who warned his followers on Twitter about the suspicious text messages he received.
Cluley said that users receiving such messages should report the URL to Google's Safe Browsing team and report the phone number to their mobile carrier.
Steve Manzuik, director of security research at Duo Security, told SCMagazineUK.com that there are a couple of different reasons an attacker would want to obtain an Apple ID.
“The first being that the Apple ID controls access to iCloud accounts, Apple device backups (photos, text messages, etc.), iTunes/App Store accounts, and potentially billing and credit card information. In addition, many users use the same email/password combination across multiple accounts, meaning that one Apple ID has the potential to work across multiple websites,” he said.
Manzuik added that as Apple now provides two-factor authentication, users should enable and use it.
“In addition, users/organisations should follow basic security hygiene steps as follows: Firstly, use strong and unique passwords across every site, including Apple IDs. Consider implementing a password manager here to help and use two-factor authentication when available,” he said.
Andrew Blaich, security researcher at Lookout, told SC that the attack is a standard phishing one, “but the attack can also be pulled off against Android users to gain access to their Google Play accounts which includes all of the information and capabilities that an Apple ID does. Users need to exercise caution with links that are sent to them, no matter what type of device they are received on.”
“Don't click/tap links, especially ones asking you to log into your account. Apple won't ask you for this information, and scammer pages are looking more like the real thing these days, so visit the page yourself by bookmarking the real Apple ID account site. For example, the Pegasus spyware we uncovered earlier this year showed us the worst that can happen when tapping links on our devices from unknown contacts,” he added.