Investigators security Ernst & Young together with Jan Soucek who discovered the vulnerability, developed a tool capable of producing iCloud password phishing emails by exploiting an unpatched bug that affects millions users Apple.
Researchers developed the iOS 8.3 Mail.app inject kit that exploits to an Apple email error. It essentially creates a realistic pop-up that looks exactly the same as Apple.
Soucek (jansoucek) reports that Cupertino did not respond when he tried to inform them about the bug in January.
“This bug allows remote content HTML να φορτωθεί, αντικαθιστώντας το περιεχόμενο του αρχικού μηνύματος ηλεκτρονικού ταχυδρομείου. Το JavaScript είναι απενεργοποιημένο σε αυτό το UIWebView, αλλά εξακολουθεί να είναι δυνατή η ανάπτυξη μιας σελίδας που συλλέγει passwords με τη χρήση απλών HTML και CSS.”
Phishers using the free tool developed by researchers can successfully run phishing campaigns by collecting credentials. Their victims will only see a pop-up in iOS Mail.
Soucek ensures with its tool that http-equiv targets only victims that allow the installation of cookies in their iDevices.
The researcher reports that it is the best phishing tool from the usual pages that come in an e-mail message because it only targets the users that the app allows them to make the changes that need to be made.
Publishing the tool should not be considered malicious, White hat security researchers often publish sophisticated phishing tools for professionals who use them in companies, for staff training in social engineering.