Watch Out For Fake iOS Login Popups That Trick You Into Giving Away Your Apple ID

When the popup appears on an iOS device, prompting a user to enter their iTunes password, users simply enter the details because that's what they are supposed to do.

However, this feature can be abused by scammers looking to phish your credentials.

Because it is quite easy to create a fake login popup that looks exactly like the ones used by Apple, according to Apple iOS code researcher, Felix Krause.

Felix published a proof-of-concept on his blog recently that demonstrated just how simple it is to create a fake Apple ID login popup and steal peoples’ personal details.

And to answer the question we asked above, the one on the right-hand side is fake.

If you input your password into one of the fake boxes, the attacker could steal it and use it to access your credit card information.

If you think it's hard to do so, think again.

Malicious developers can turn on alerts inside their apps that look like Apple's popups using a simple code, warned Felix, adding that even users who are technologically advanced have a hard time detecting that those alerts are phishing attacks.

"Showing a fake login box that looks just like a system popup is super easy, there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text," the Austria-based Apple iOS code researcher wrote on his blog.

Felix has outlined the following steps:

• Hit the home button, and see if the app quits:
  
• If it closes the app, and with it the login box, then this was a phishing attack.
• If the login box and the app are still visible, then it's a system popup. The reason for that is that the system popups run on a different process, and not as part of any iOS app.
• Don't enter your credentials into a popup, instead, dismiss it, and open the Settings app manually. This is the same concept like you should never click on links on emails, but instead open the website manually.
• If you hit the Cancel button on a popup, the app still gets access to the content of the password field. Even after entering the first characters, the app probably already has your password.