Each new iteration of the iPhone and iOS creates a huge amount of anticipation and brings with it the hope that modern-day life is about to become more convenient. At the same time, data privacy is an issue of increasing importance to end users. In order for internet services to make our lives easier, they need to have access to more of our personal data. But unfortunately there are bad actors out there exploiting new data-driven features, like iOS suggested contacts.
In iOS 9, Apple introduced its Suggested Contacts feature, which populates a sender name on incoming texts, calls and emails even when the sender is not in the user’s address book. It does this by drawing on the contents of the user’s own mail and messages.
Apple offers this feature to make contact management easier on iPhones. As a result, incoming phone calls and texts from such numbers are labelled “Maybe:” followed by the suggested name, along with a note saying Siri has found new contact information and an option to add that contact to the address book. Within a couple of taps, the contact information is saved.
Some of our customers were concerned about the feature and how it could potentially be used for nefarious purposes. Our investigation shows it can indeed be exploited.
How can the suggested contacts feature be exploited?
In our testing, we emulated an attack by taking the role of an attacker trying to impersonate a bank. To succeed, the attacker needs the victim’s caller ID to display a trusted name, and then needs to convince the victim to read out credentials over the phone or to text them a link that builds on that trust. We were able to seed the “Acme Financial” contact name 100 percent of the time with our methods and have observed it working in two ways:
Firstly, the caller ID can be seeded using information contained in email signatures found in the native Mail app. Think about how dangerous this becomes if the suggested contact is the name of your CEO or the name of your bank.
For this to work, there needs to be a two-way conversation. Here are the steps for our test:
- Hacker composes an email from a spoofed Acme Financial account with the hacker’s phone number embedded in the signature of the email. The email states: “We have detected fraudulent activity on your account. Please reply to this email if you authorized the purchase of Intex Pure Spa 6 Person Inflatable Hot Tub for $7,345.36.”
- User responds saying “No I did not authorize this.” Note that this is also successful with an out-of-office automated response.
- Hacker then calls (or texts) the user from the phone number embedded in the original phishing email. The Suggested Contacts feature then causes the phone to display “Maybe: Acme Financial.”
The other way the caller ID can be seeded is via a one-way conversation through texts sent via iMessage. For example, if a hacker sends a text from an unknown number saying something to the effect of “It’s Acme Financial” or “This is Acme Financial,” the Suggested Contacts feature will cause the name to appear as “Maybe: Acme Financial” on the text, and again on the incoming call if the hacker then phones the user.
What are the implications?
In the event the Suggested Contacts feature is successfully exploited by a hacker, there are a number of ways they can then obtain the victim’s sensitive information.
One way the above Acme Financial example can play out is if the hacker then calls the victim and asks them to confirm their account details, phone banking passwords, etc. This is known as “vishing” or voice phishing. Let’s imagine this happens to a salesperson named Jim who has a corporate mobile device. His might be one of many “Maybe:” calls he receives throughout the day, making him less suspicious of this one.
The other way is if the hacker then sends a text to the victim containing a phishing link. Since it appears to come from their bank, the victim is more likely to trust the link, click through to a convincing spoof of their bank’s login page and enter their login details, which are funneled straight to the hacker. This delivery method is known as “smishing” or SMS phishing.
For these attacks to be carried out effectively the hacker would need to do a certain amount of background research to find out who the victim banks with. And this attack is not limited to banks, it could also be a CEO, a co-worker, an insurance company, a mobile carrier, a payment service, etc.
Phishing attacks using caller ID spoofing in the real world
A Reddit user (taking_a_deuce) recounted being recently phished, or rather vished, by an attacker posing as Wells Fargo. He received a call on his Pixel 2 from a number identified as Wells Fargo; the caller said they were phoning about a fraudulent charge and asked him to read back the codes sent to him via SMS to verify his identity. What he did not realize at the time was that the attacker was entering those one-time codes into the Wells Fargo website to reset his password and get into his account. Once in, they said they would refund the $1000 fraudulent charge; he just needed to read off one more code sent via SMS. At that point the caller hung up, and he realized he had received a series of emails from Wells Fargo confirming that his password had been changed and $1000 had been transferred.
We spoke to this Reddit user and this is what he had to say:
“I thought I was aware of scams and vigilant in protecting myself, but a suggestion from my phone of a trusted caller opened me up to a phishing attack. It’s surprising how trusting I was after assuming I was called by a representative from my own bank.” – Reddit user
The scary thing about this example is that it shows how easily SMS-based two-factor authentication is defeated once the victim reads the codes to the attacker, and it again shows that end-user awareness is your first and best defence against the different types of phishing. But end users cannot be expected to treat every trusted-looking contact that calls them as a potential attacker and carry out due diligence each time. It is just not realistic.
How do you protect yourself?
Our research suggests the Suggested Contacts feature draws on a number of sources. Firstly, we believe it scrapes the victim’s native Mail app for contact information when an unknown number calls or texts. We also believe it scans the content of incoming texts from unknown numbers for language that suggests the sender is introducing themselves.
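To make the two seeding paths above concrete (a spoofed email signature, and an introductory text from an unknown number), here is a small model of the behaviour this post describes, written for this page and not Apple’s code: the regexes, the sample email and text, the phone numbers and the “verified directory” are all constructed assumptions. The point it demonstrates is that the “Maybe:” name comes entirely from attacker-controlled content, so the only safe check keys on the number itself, not the claimed name.

```python
"""Toy model of how a 'Maybe:' suggestion can be seeded from attacker-controlled
content, plus the check a defender would want before trusting the name.

Added illustration only: the regexes, sample messages and directory below are
assumptions made for this page, not Apple's implementation.
"""
import re
from typing import Dict, Optional

# Constructed directory of numbers the user has verified independently, e.g. the
# number printed on the back of a bank card. Both numbers in this file are fictitious.
VERIFIED_DIRECTORY: Dict[str, str] = {
    "+15551230000": "Acme Financial",
}

# A phone number as it typically appears in a signature: "(555) 867-5309",
# "+1 555-867-5309", "555.867.5309".
PHONE_RE = re.compile(r"\(?\+?\d[\d\-\s().]{8,}\d")

# An introductory opening such as "It's Acme Financial" or "Hi, this is Acme
# Financial." Only the very start of the message is considered.
INTRO_RE = re.compile(
    r"^\s*(?:hi,?\s+)?(?:it['\u2019]?s|this is)\s+([A-Za-z][A-Za-z&' ]{1,40}?)\s*(?=[.,!:\n]|$)",
    re.IGNORECASE,
)


def normalize_number(raw: str) -> str:
    """Reduce a written number to E.164-style form; assumes a US number when 10 digits."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def suggestion_from_email(from_display: str, body: str) -> Dict[str, str]:
    """Path 1 from the post: every number found in an email (usually in the
    signature) is mapped to the display name the email claims. In a spoofed
    email the attacker controls both the name and the number."""
    return {normalize_number(m.group(0)): from_display for m in PHONE_RE.finditer(body)}


def suggestion_from_text(text: str) -> Optional[str]:
    """Path 2 from the post: an unknown sender introduces themselves by name."""
    m = INTRO_RE.search(text)
    return m.group(1).strip() if m else None


def trust_suggested_name(number: str, suggested: Optional[str]) -> str:
    """Label keyed on the number, not the claim: the suggested name is shown only
    if the calling number is already verified under that name; otherwise the
    claim is surfaced as unverified so the user knows it came from message content."""
    verified = VERIFIED_DIRECTORY.get(number)
    if verified and suggested and verified.lower() == suggested.lower():
        return verified
    if suggested:
        return f"Unverified caller (message content claims: {suggested})"
    return "Unknown caller"


def run_scenarios() -> Dict[str, str]:
    """Walk both seeding paths with constructed messages and return the labels."""
    attacker_number = "+15558675309"  # constructed; not in the verified directory

    # Path 1: spoofed email with the attacker's number in the signature.
    email_from = "Acme Financial"
    email_body = (
        "We have detected fraudulent activity on your account. Please reply to "
        "this email if you authorized the purchase of an inflatable hot tub.\n\n"
        "Fraud Prevention Team\nAcme Financial\nCall us: (555) 867-5309\n"
    )
    email_seed = suggestion_from_email(email_from, email_body)

    # Path 2: one-way iMessage introduction from the same unknown number.
    text_seed = suggestion_from_text("It's Acme Financial. Please call us back about a suspicious charge.")

    return {
        # What the post reports iOS shows once the name has been seeded.
        "email_seed": f"Maybe: {email_seed.get(attacker_number)}",
        "text_seed": f"Maybe: {text_seed}",
        # What a number-keyed check shows instead.
        "email_check": trust_suggested_name(attacker_number, email_seed.get(attacker_number)),
        "text_check": trust_suggested_name(attacker_number, text_seed),
        "legit_check": trust_suggested_name("+15551230000", "Acme Financial"),
    }


if __name__ == "__main__":
    for label, value in run_scenarios().items():
        print(f"{label}: {value}")
```

Running it shows both constructed paths producing “Maybe: Acme Financial” for the attacker’s number, while the number-keyed check labels the same calls as unverified and only passes the number the user had verified themselves. That is the behaviour the advice below aims for: treat the suggested name as a claim, and verify the number out of band.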
We suggest the following steps to help manage the risk associated with the iOS Suggested Contacts feature:
- Go to Settings → Contacts → Siri & Search → Switch Search & Siri Suggestions to the OFF position
- Go to Settings → Contacts → Siri & Search → Switch Find Contacts in Other Apps to the OFF position
- Go to Settings → Messages → Switch Filter Unknown Senders to the ON position
- Do not give sensitive information to unknown callers. If in doubt, hang up and call back on a number you obtained independently, such as the one printed on your card, before giving any sensitive information over the phone
Jamf's zero-day phishing capability protects against an aspect of this threat by blocking traffic to phishing sites. But in order to be fully protected companies need to encourage their employees to be cautious when they receive correspondence asking for sensitive information.
Find out how Jamf Threat Defense can protect you from this type of malicious activity.