News about phishing attacks implemented through email and websites is very common (see Déjà vu All Over Again; American Express – New Bait for an Old Phishing Lure; Beware of Text Scam, iPhone Users; Beware New Hacker Scheme Requesting Employee W-2 Information; and Dangers of Spear Phishing), but such attacks are not limited to those platforms. Any time you are asked to provide information over the internet, consider whether the request is legitimate. This includes being skeptical of requests for passwords within apps.
Last week, a developer wrote about a phishing attack that uses a popup within an app that indistinguishably mimics Apple's frequent request for iCloud passwords. There have been no reports of this type of attack in the wild, but the developer notes it is relatively simple to implement.
The developer has provided some tips to protect against this type of attack:
Hit the home button: if the app closes, the popup was a phishing attack. (Note: The tip is actually more complicated than that, discussing the "system dialog." Read the developer's post for the full explanation.)
"Don't enter your credentials into a popup; instead, dismiss it, and open the Settings app manually."
If you are not sure that the popup is valid, enter nothing because even "if you hit the Cancel button on a dialog, the app still gets access to the content of the password field," and "after entering the first characters, the app probably already has your password."
Although this discussion is iOS specific, the takeaway is not limited to Apple devices. Bad guys are creative, so be wary of any request to hand over your personal information. This should also serve as yet another reminder (see Strong Passwords IV: The Phrase Awakens, Protecting Your Credit Card Online 3.0, and Additional Password Tips) that using the same password across multiple accounts increases your vulnerability: a hacker who steals one password can try it against your other accounts to reach the information they are after.