A smart smishing (SMS phishing) campaign is targeting iMessage users, employing a method to bypass Apple’s built-in phishing protection. Cybercriminals are using deceptive tactics to socially engineer users into re-enabling disabled phishing links, thereby putting them at risk.
Phishing continues to pose a serious risk in cyberspace. Unfortunately, these attacks are becoming more complex and challenging to identify due to the development of artificial intelligence.
Attackers are bypassing Apple’s protections using social engineering techniques in this particular campaign, compromising iMessage users.
This campaign exploits a flaw in Apple iMessage’s link-disabling feature rather than the more complex techniques seen in previous attacks. To protect users, iMessage automatically disables links in messages from unknown senders. However, once a user replies to that message or adds the sender to their contact list, the links become active.
A Simple Bypass, a Serious Threat
Scammers exploit iMessage by sending fake alerts, such as delivery updates, to bypass Apple’s link limitations. These frauds frequently focus on getting users to respond with “Y” or “N” to confirm delivery or other similar requests.
A user’s reply re-enables the links that iMessage had restricted, exposing the device to whatever malicious content they point to. To trick individuals, scammers often use deceptive lures such as fake UPS notifications or unpaid toll warnings.
The scammer further tricks users by asking them to reopen the message to access the now-enabled link, increasing the possibility that they would click on the malicious content.
Many users unintentionally enable malicious links simply by replying to what looks like an appointment-related iMessage. This trivial action can have serious consequences: once the link is clickable, iPhone users risk handing attackers access to their sensitive data.
Chrome users have been targeted with similar approaches, which prompt them to reply with “1” and reopen the SMS in order to engage with a malicious browser link.
Smishing attacks exploit these methods to steal credit card numbers, passwords, and personal information. Responding to these messages verifies your active phone number, increasing the risk of future phishing attempts or spam campaigns.
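The mechanism described above can be modelled in code: links from a sender stay disabled until the recipient replies or adds the sender to contacts, and the lures share a recognisable shape (a link, a request for a one-character reply, an instruction to reopen the message, a delivery or toll pretext). The following is an added Python example written for this article, not Apple’s filtering logic and not code from the original post. The `InboxState` class is a simplified model of the gating behaviour the article describes, the regexes are illustrative triage heuristics, and the sample messages, fictional 555 numbers and `.example` URLs are all constructed.

```python
import re
from dataclasses import dataclass, field

# Signals drawn from the campaign described in the article. These regexes are
# illustrative heuristics written for this example, not Apple's filtering logic.
URL_RE = re.compile(r"https?://\S+|\b[a-z0-9-]+\.(?:com|net|org|info|xyz|top|example)\b", re.I)
REPLY_BAIT_RE = re.compile(r"\b(?:reply|respond|text back)\b.{0,30}?\b(?:y|n|yes|no|1)\b", re.I)
REOPEN_RE = re.compile(r"\bre-?open\b", re.I)
LURE_RE = re.compile(r"\b(?:deliver(?:y|ed)|package|parcel|toll|unpaid|usps|ups|fedex)\b", re.I)


@dataclass
class Message:
    sender: str
    text: str


@dataclass
class InboxState:
    """Simplified model of the link-gating behaviour the article describes:
    links from a sender stay disabled until the user replies to that sender
    or adds them to contacts. An illustration only, not Apple's implementation."""
    contacts: set = field(default_factory=set)
    replied_to: set = field(default_factory=set)

    def links_enabled(self, sender: str) -> bool:
        return sender in self.contacts or sender in self.replied_to

    def reply(self, sender: str) -> None:
        # Any reply, even a single "Y" or "1", lifts the restriction.
        self.replied_to.add(sender)


def classify(msg: Message, state: InboxState) -> dict:
    """Return a triage verdict and the signals that produced it."""
    signals = []
    if URL_RE.search(msg.text):
        signals.append("contains_url")
    if REPLY_BAIT_RE.search(msg.text):
        signals.append("asks_for_short_reply")
    if REOPEN_RE.search(msg.text):
        signals.append("asks_to_reopen")
    if LURE_RE.search(msg.text):
        signals.append("delivery_or_toll_lure")
    unknown = not state.links_enabled(msg.sender)
    if unknown:
        signals.append("unknown_sender_links_disabled")

    # The bypass only matters when a link is present, the sender is unknown,
    # and the text is coaxing the user into the reply-then-reopen dance.
    if unknown and "contains_url" in signals and (
        "asks_for_short_reply" in signals or "asks_to_reopen" in signals
    ):
        verdict = "likely_smishing"
    elif unknown and "contains_url" in signals:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "signals": signals}


# Constructed sample messages: fictional 555 numbers, reserved .example domains.
SAMPLES = [
    Message("+15550100", "UPS: Your package could not be delivered due to an "
            "incomplete address. Reply Y to confirm redelivery, then exit and "
            "reopen this text to activate the link: https://ups-redelivery.example/track"),
    Message("+15550199", "Toll Services: you have an unpaid toll of $6.50. Reply 1 "
            "and re-open this message to pay now at https://toll-pay.example/"),
    # A genuine appointment reminder uses the same "Reply Y" wording but carries
    # no link and comes from a known contact, so it must not be flagged.
    Message("Dentist", "Reminder: your appointment is tomorrow at 10am. "
            "Reply Y to confirm or N to cancel."),
    Message("+15550177", "Hey, it's Sam, new number. Here's the article I mentioned: "
            "https://news.example/article"),
]


def run_demo() -> list:
    state = InboxState(contacts={"Dentist"})
    return [classify(m, state)["verdict"] for m in SAMPLES]


def reply_reenables_links(sender: str = "+15550100") -> tuple:
    """Show the state change the scam relies on: one reply flips the gate."""
    state = InboxState()
    before = state.links_enabled(sender)
    state.reply(sender)  # the victim texts back "Y"
    after = state.links_enabled(sender)
    return before, after


if __name__ == "__main__":
    state = InboxState(contacts={"Dentist"})
    for m in SAMPLES:
        print(m.sender, classify(m, state))
    print("links enabled before/after reply:", reply_reenables_links())
```

The third sample is the important edge case from the article: legitimate appointment reminders ask for exactly the same “Y”/“N” reply, so reply-bait alone is not evidence of fraud. The verdict only escalates when the reply request is combined with a link from a sender whose links are currently disabled, which is the precise condition the bypass needs.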
Jake Moore, Global Cybersecurity Advisor at ESET, describes the new iPhone phishing trick as “a simple security bypass.” To protect yourself from such attacks, it’s important to stay cautious.
Avoid replying to messages from unknown contacts, as this can disable iMessage’s built-in protection and make you vulnerable to phishing attempts.
Always confirm the validity of any message before responding, whether it comes from iMessage or another platform, particularly if it asks for sensitive data.
Avoid clicking embedded links; if you think an email or text message could be fake, go directly to the official website or app instead. Apple offers robust safeguards against phishing, but they are not perfect.
Phishing attacks are on the rise, and it is important to protect your organisation. One effective way to do this is by increasing user awareness about these types of attacks. Phishing Tackle is a great resource that can help you in this regard. They offer a free 14-day trial to help train your users to recognise and avoid phishing attacks.
Although technology can be helpful, it cannot spot 100% of phishing messages. Therefore, user education is important for minimising the impact of any successful attacks. Consulting with Phishing Tackle can provide valuable insights and tools to help you strengthen your defences against phishing attacks.