Privacy Perils: Phishing in the Ocean of Apps

Bass, Berry & Sims PLC

Bass, Berry & Sims PLC

News about phishing attacks implemented through email and websites is very common (see Déjà vu All Over Again; American Express – New Bait for an Old Phishing Lure; Beware of Text Scam, iPhone Users; Beware New Hacker Scheme Requesting Employee W-2 Information; and Dangers of Spear Phishing), but such attacks are not limited to those platforms. Any time you are asked to provide information over the internet, consider whether the request is legitimate. This includes being skeptical of requests for passwords within apps. 

Last week, a developer wrote about a phishing attack that uses a popup within an app that indistinguishably mimics Apple's frequent request for iCloud passwords. There have been no reports of this type of attack in the wild, but the developer notes it is relatively simple to implement.

The developer has provided some tips to protect against this type of attack:

  1. Hit the home button, and see if the app quits; if the app closes, it was a phishing attack. (Note: The tip is actually more complicated than that, discussing the "system dialog." Read the developer's post for the full explanation.)
  2. "Don't enter your credentials into a popup; instead, dismiss it, and open the Settings app manually."
  3. If you are not sure that the popup is valid, enter nothing because even "if you hit the Cancel button on a dialog, the app still gets access to the content of the password field," and "after entering the first characters, the app probably already has your password."

Although this discussion is iOS specific, the takeaway is not limited to Apple devices. Bad guys are creative, so be wary of any request to hand over your personal information. This should also serve as yet another (see Strong Passwords IV: The Phrase Awakens, Protecting Your Credit Card Online 3.0, and Additional Password Tips) reminder that using the same password across multiple accounts increases your vulnerability. A hacker can use the stolen password across multiple accounts to find ways to gain access to the desired information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bass, Berry & Sims PLC | Attorney Advertising

Written by:

Bass, Berry & Sims PLC

Bass, Berry & Sims PLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.