“True story: every time we run a post warning people of a new iMessage phishing scam that pops up, we get a bunch of feedback from readers via email.,” Zach Epstein reports for BGR. “Some people thank us for the heads up, but others email to complain that these phishing scams are so obvious and no one actually falls for them so warnings are a waste of time. That notion is of course preposterous, and unsuspecting users fall victim to these scams all the time. That’s why these scams still exist, obviously.”
“Well, last time we covered one of these scams, we received a bunch of obligatory complaint emails like we always do. But then, just over a week later, one of the people who emailed us sent a follow-up. After telling us that we’re wasting our time with these warnings, his own wife fell victim to the very scam we warned people about. She lost access to her Apple ID account and had personal data stolen as a result,” Epstein reports. “Long story short, please take these warnings seriously and be sure to pass them on to all of your less savvy friends and family.”
“With that out of the way, it’s time to bring a fresh new iMessage scam to your attention,” Epstein reports. “Like other phishing scams that have come before it, this one looks to steal Apple ID login credentials from unwitting iPhone users. ‘Your AppleID is due to expire today,’ the incoming text message reads. ‘Tap [URL removed] to update and prevent loss of services and Apps.'”
Read more, and see the screenshot, in the full article here.
MacDailyNews Take: Warn those friends and family members – those who wouldn’t recognize that there should be a space between “Apple” and “ID,” that the URL is not an Apple domain, etc. – who you think might be susceptible to such a scam!
Fishing scams work because they are sent to millions of people at minimal cost. Only a few are needed to respond to make it worth their time. There are plenty who don’t understand the risks so this type of education is important.
Like any message like that, if you are concerned that it could be real the key is to go to the original vendor website and login from there.
I do the same with third party software that pop up update availability. You never know if someone is spoofing that.
Even if someone has your Apple ID and password, how do they get into your account if they don’t know your challenge questions or are in possession of one of your trusted devices for a 2-factor authentication access code?
They might also rely on the user not having implemented 2-factor authentication.
Xennex1170 – if the user has not implemented 2-factor authentication, then there would be challenge questions. That’s specifically why I mentioned that as an alternative in my original question. Apple won’t let you create an Apple ID without either creating challenge questions or 2-factor identification. With challenge questions, the user would need to know answers to such questions such as “what was the name of your first pet?”, “what was the name of your favorite school teacher?”, etc. So, I still don’t know how someone would be able to break into a user’s Apple ID account without knowing the answers to challenge questions in the event that 2-factor identification had not been set up.
I did not disregard the challenge questions. Simply the challenge questions in most cases are much easier to guess or obtain since this is a phishing attack. It is possible the attacker has other resources to determine the answers. The best way to counter with challenge questions is to use answers that make no sense as replies. For example “Q:What is your favorite food? A:Pontiac”
Related to this is what seems to be Apples own scam. We have Apple everythin……iMacs, ipads, iPhones, ATV”s,AirPods, you name it.
But something frightens me lately. I have had to re-sign in on all my devices recently. During the sign in process Apple now requires not just your “AppleID” and “Password” and “a code from a second authenticating device”, BUT NOW also the “unlocking passcode” of your mobile device. This is new and this passcode go right to Apple servers. Why do they require the passcode for your device? What then is the point of a so called “secure enclave”. The protection of the secure enclave can be usurped by the 6 digit code. So what’s the point of data in the secure enclave not leaving your device if the data that overrides the secure enclave is held at Apple?
What is going on? all my devices feels really unsecure to me now. Am I overlooking anything here?
Agreed about multi-sign ins. Apple’s security has morphed into a rather gangly and unkempt mess. Security has been and still is the one feature that alone is the reason to be a customer, but some characteristics aren’t inspiring confidence. Security and privacy…lead here and Apple will always lead. Get rid of the notch, show us the “cracked” TV and release a desktop beast too, please.
Apple is becoming the Microsoft of a decade ago.
Sure seems like it some days.
No it doesn’t. Really…it doesn’t, DavGreg.
Are you sure the passcode goes to apples servers? Do you mean the 2-factor code? (Very different)
A
Also, watch out for the phishing attacks on MDN’s ads 🙂
Anyone who thinks that warning people about these scams is a waste of time, doesn’t work with the public. I get someone falling for scams once a week. Luckily it’s mostly Windows targeted stuff, but still, they fall for it. That usually realize it minutes later.
“To err is human.”
I’m no genius. I just happen to work with computer security.
But there really are those lamentable people who have no computer savvy and never will. One of them was my Father. (o_0) In the field, there are insulting names for such people. The one I learned was LUSER. The user who can’t help but attract and fall for malware, phishing, password dictionary attacks, ad nauseam. They ARE real. They ARE dangerous to themselves and others. They DO send money to dethroned princes in Nigeria. They ARE the target 🎯 of computer attacks such as this one. System Admins beware! Just remember to be kind. We all have our blind spots.
I think I may have fallen for one just yesterday, ostensibly Delta Airlines asking for feedback on my recent flight. Didn’t even think of checking the URL until too late
Apple still has problems with their own two factor authentication. This is after YEARS of trying to get it right.
Example: Last week, Apple wanted me to authorize using my MBP. It may have bee due to my dumping all my system cache. So, as part of the authorization, it wanted me to type in the authorization code sent to my trusted devices. As usual, breaking from secure protocols, they sent a code to my MBP! It’s an idiotic blunder, but has been standard practice for Apple. *groan* So I used the code sent and it DIDN’T WORK! Fascinating. Then an entirely different code arrives on my iPhone. Fascinating. THAT code worked.
IOW: We’re still living in The Dark Age Of Computing and Apple isn’t immune.
Hey Jonathan Zdziarski!!! What’s Apple having you do over there? You know better than this blundering in computer security! Kick some back orifice over there and Make Apple Get It Right!