iPhone Users Tricked into Disabling Apple iMessage’s Phishing Protection

Vlad CONSTANTINESCU

January 13, 2025


Threat actors target iPhone users with malicious messages to trick them into turning off Apple iMessage’s phishing protection.

iPhone users face new phishing campaign

Phishing attacks are still a significant threat in the cybersecurity landscape. Unfortunately, the growing trend of automating everything with artificial intelligence has only helped these malicious attempts get more clever and harder to distinguish.

Messaging platforms like Apple iMessage enforce various protection mechanisms, such as disabling links in messages sent by unknown senders by default.

However, a new malicious campaign sees threat actors send specially crafted messages to iPhone users, tricking them into unknowingly disabling the feature.

Interacting with the message or sender could spell disaster

The risks associated with the recent campaign stem from its simplicity. Unlike other attacks, perpetrators don’t use zero-day exploits or intricate bypass mechanisms; instead, they exploit a loophole in Apple iMessage’s design to circumvent the link-disabling feature.

Simply replying to such a malicious message or adding the sender to the contact list is enough to enable potentially malicious links received via Apple iMessage.

Same old lures used in new phishing campaign

Threat actors use well-known lures, such as fake UPS messages or unpaid road toll texts, as the cornerstones of their scam. However, these messages also prompt users to give a short “confirmation” by replying “Y” to the sender.

Subsequently, they instruct recipients to close the text message and open it again to activate the link. Users are then encouraged to open the malicious links once they become visible on their devices.
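The lure structure described above (a link from an unknown sender, plus a prompt to reply and then reopen the message) can be screened for on the defender's side, for instance in a reported-message triage queue. This is an added example, not code from the article or from Bitdefender; the patterns, the `assess` helper and the sample messages are assumptions constructed for illustration.

```python
import re

# Patterns for the lure structure described above; wording is an assumption of this example.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# "reply Y", 'respond "Yes"', "reply with 1" within the same sentence.
REPLY_RE = re.compile(r"\b(?:reply|respond)\b[^.!?\n]{0,30}?\b(?:y|yes|1)\b", re.I)
# "exit/close the message and open it again" or "... reopen".
REOPEN_RE = re.compile(
    r"\b(?:exit|close|leave)\b[^.!?\n]{0,60}?\b(?:re-?open|open\b[^.!?\n]{0,30}?\bagain)\b", re.I)


def assess(body, sender_known):
    """Return (risk, reasons) for one inbound message. Hypothetical helper."""
    has_link = bool(URL_RE.search(body))
    asks_reply = bool(REPLY_RE.search(body))
    asks_reopen = bool(REOPEN_RE.search(body))
    reasons = []
    if not sender_known:
        reasons.append("unknown sender")
    if has_link:
        reasons.append("contains link")
    if asks_reply:
        reasons.append("asks for a confirmation reply")
    if asks_reopen:
        reasons.append("asks to close and reopen the message")
    # Replying is what re-enables the link, so link + reply prompt from an
    # unknown sender is the core signal; the reopen instruction only adds weight.
    if not sender_known and has_link and (asks_reply or asks_reopen):
        return "high", reasons
    if not sender_known and has_link:
        return "medium", reasons
    return "low", reasons


# Constructed sample messages (not taken from the campaign); .example domains are placeholders.
SAMPLES = [
    "Parcel on hold: address incomplete. Please reply Y, then exit the text "
    "message and open it again to activate the link: https://parcel.example/t",
    "Your road toll is unpaid. Pay now at https://tolls.example/pay",
    "Acme alerts: reply STOP to unsubscribe.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        risk, reasons = assess(text, sender_known=False)
        print(f"{risk:6} {reasons} :: {text[:40]}...")
```

A legitimate opt-out prompt such as "reply STOP" without a link stays at low risk, which keeps the heuristic from flagging ordinary subscription messages.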

Attacks surged over last year’s summer

As BleepingComputer reports, threat actors have been spotted using this tactic over the past year, especially since the summer, when the attacks surged.

Much like with email messages, users are frequently bombarded with spam or unsolicited SMS texts. However, while email communications typically allow you to opt out by clicking an “Unsubscribe” button, with SMS texts the same can usually be achieved by replying “NO,” “STOP,” or other similar keywords to the sender.

Scammers now capitalize on this situation, since asking users to reply to a message is seemingly benign. However, even the simple action of responding to such a text without necessarily interacting with the now-enabled link may paint a target on one’s back, as threat actors might consider following up with more creative phishing attempts.

Keeping scams, phishing attacks, and other threats at bay

Specialized software like Bitdefender’s Scamio can help you easily identify and prevent scams from harming you. It uses AI technology to check the legitimacy of text messages, emails, links, images, QR codes and even described scenarios.

Scamio is free and available on Facebook Messenger, WhatsApp, Discord and your web browser. You can also help others stay safe by sharing Scamio with them in France, Germany, Spain, Italy, Romania, Australia and the UK.

If you need a more comprehensive security solution, Bitdefender Mobile Security for iOS has an advanced phishing protection module alongside other relevant features, including continuous safeguarding against digital threats, personal data protection, and a built-in VPN.

Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
