New Apple password scam warning

Fraudsters have developed a way to trick Apple users into handing over their iTunes password using phishing popups hidden in apps.

With regular IOS system and app updates, it’s not unusual for an iPhone or iPad user to be asked for their Apple ID password.

But Felix Krause, a software expert, has uncovered how scammers are exploiting our habit of entering this sensitive information without pausing to consider why.

Can you spot the fake popup?

Krause explains in his blog that scammers use a mobile phishing attack that imitates the popup familiar to all Apple users.

The fake password request that appears in apps looks almost identical to the genuine popups iPhone and iPad users get from time to time.

Krause was able to recreate a fake popup in an app. Can you tell the difference?

Apple ID fake popup with email (Image: Felix Krause)

Worryingly, some authentication popups don’t always require an email address, making it even easier for scammers to get your password.

Apple ID popup no email (Image: Felix Krause)

Dangerous habits

As users are in the habit of entering their password whenever they see this prompt, scammers are easily stealing confidential information just by asking. 

Once scammers have your password it gives them the key to unlocking other accounts that may use it.

Krause said: "Users are trained to just enter their Apple ID password whenever iOS prompts you to do so.

"This could easily be abused by any app. Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks."

Easy scam opportunity

Krause didn't disclose the technicalities of how the scam is able to operate in apps but wants to draw attention to the loophole and potential for a rise in mobile app phishing.

He warns that it’s worryingly easy to recreate.

“Showing a dialogue that looks just like a system popup is super easy, there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text.

“I decided not to open source the actual popup code, however, note that it's less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code,” he said.

Three ways to keep safe

Krause has three tips for Apple users worried about falling victim to this scam.

Hit the home button – each time you get a  pop-up press the home button to see if the app quits. If the app and the pop-up disappear at the same time, it’s a phishing attack. If the app and the pop-up remain, Krause says it’s a genuine request.

Enter your password manually –instead of always entering your details the moment you see a popup get into the habit of dismissing the request and open the Settings app to do it manually.

Clear before cancelling – Krause says even if you hit cancel, a scam pop-up will be able to see the details you’ve typed in, so make sure all fields are blank before cancelling.

Get alerted to other scams by signing up to the free email newsletter