Jesus Phone vuln delivers fanboys to phishermen

Apple silent on 'pretty dumb design flaw'


A security expert is advising iPhone users to steer clear of the device's default email application until engineers rework what he calls "a pretty dumb design flaw" that could expose users' email addresses to spammers and other online frauds.

The warning comes two and months after researcher Aviv Raff first reported two email-related vulnerabilities in the iPhone to Apple's security department. Apple has updated the gadget three times since then, but has yet to fix either weakness. Late last week, after Apple refused to say when the patches might be delivered, Raff decided to publicly disclose the technical details.

The first defect resides in Apple's Mail application. Unlike most email clients, the program automatically downloads images embedded in HTML mail messages. That can be a problem for people who want to fly under the radar of spammers because the downloading of so-called beacon images embedded in spam and phishing messages are one technique scammers use to sort live email accounts from inactive ones.

"The iPhone's Mail application downloads all images automatically, and there is NO WAY to disable this feature!" Raff writes in this blog item. "So, my only suggestion is to avoid using the Mail application until a fix is available."

Raff disclosed details of a separate iPhone flaw that puts users at risk of visiting websites secretly under the control of miscreants. The flaw, which resides in Mail and the iPhone version of the Safari browser, truncates the names of long internet addresses, making it them appear to be friendly when in fact they are not.

Image of iPhone showing truncated address

In the screenshot above, for example, the link appears to point to https://securelogin.facebook.com/reset.php?cc=534a556abd1006&tt=1212620963 when in fact, it points to a site controlled by Raff. When a user clicks on the link, Safari opens and the address bar shows only https://securelogin.facebook.com/reset.php?cc=534a556abd1006&tt=1212620963, further making it hard for users to know they've been led astray.

"The problem here is that an attacker can set a long subdomain (~24 characters) that, when cut off in the middle, will look as if it's a trusted domain," Raff wrote.

Apple representatives didn't respond to an email requesting comment for this story. ®

Broader topics


Other stories you might like

  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • Tim Hortons collected location data constantly, without consent, report finds
    Hortons hears a sue

    From May 2019 through August 2020, the mobile app published by multinational restaurant chain Tim Hortons surveilled customers constantly by gathering their location data without valid consent, according to a Canadian government investigation.

    In a report published Wednesday, Office of the Privacy Commissioner (OPC) of Canada and the privacy commissioners from three provinces – Alberta, British Columbia, and Quebec – presented the results of an inquiry that began shortly after the publication of a June 2020 National Post article.

    That article revealed the Tim Hortons app tracked location data every few minutes even when relegated to the background, and the report compiled by Canadian privacy officials confirmed as much.

    Continue reading
  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • Symantec: More malware operators moving in to exploit Follina
    Meanwhile Microsoft still hasn't patched the fatal flaw

    While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.

    Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.

    In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

    Continue reading
  • EnemyBot malware adds enterprise flaws to exploit arsenal
    Fast-evolving botnet targets critical VMware, F5 BIG-IP bugs, we're told

    The botnet malware EnemyBot has added exploits to its arsenal, allowing it to infect and spread from enterprise-grade gear.

    What's worse, EnemyBot's core source code, minus its exploits, can be found on GitHub, so any miscreant can use the malware to start crafting their own outbreaks of this software nasty.

    The group behind EnemyBot is Keksec, a collection of experienced developers, also known as Nero and Freakout, that have been around since 2016 and have launched a number of Linux- and Windows-based bots capable of launching distributed denial-of-service (DDoS) attacks and possibly mining cryptocurrency. Securonix first wrote about EnemyBot in March.

    Continue reading
  • Facebook phishing campaign nets millions in IDs and cash
    Hundreds of millions of stolen credentials and a cool $59 million

    An ongoing phishing campaign targeting Facebook users may have already netted hundreds of millions of credentials and a claimed $59 million, and it's only getting bigger.

    Identified by security researchers at phishing prevention company Pixm in late 2021, the campaign has only been running since the final quarter of last year, but has already proven incredibly successful. Just one landing page - out of around 400 Pixm found - got 2.7 million visitors in 2021, and has already tricked 8.5 million viewers into visiting it in 2022. 

    The flow of this phishing campaign isn't unique: Like many others targeting users on social media, the attack comes as a link sent via DM from a compromised account. That link performs a series of redirects, often through malvertising pages to rack up views and clicks, ultimately landing on a fake Facebook login page. That page, in turn, takes the victim to advert landing pages that generate additional revenue for the campaign's organizers. 

    Continue reading

Biting the hand that feeds IT © 1998–2022