The Mail app can render HTML, but — like all email apps that display rich messages — it filters out some kinds of tags and content that are either irrelevant within an email message or could be used for nefarious purposes. Souček employs a commonly used tag that's put in the header portion of an HTML page or template to redirect a user to another page, either instantly on load or after a defined delay. That's what you see when a page says, "This resource has been moved" or other jazz, and "please wait X seconds."
Mail fails to filter out the refresh request, which allows the malicious HTML email to load a page that has the full panoply of HTML available. Email clients that aren't vulnerable, which include webmail and native ones, won't process the reload. Those that do will load what looks precisely like a modal iCloud login dialog prefilled with the email address to which the phishing message was sent.
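The filtering step the article says Mail omits, written out as an added example (not code from the article or from Apple): a small scanner that finds meta refresh tags in an HTML email body, reports their delay and target, and strips them before rendering. SAMPLE_EMAIL is a constructed message and example.invalid is a placeholder host.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the kind of HTML body the article describes, where a
# header-level meta refresh tag tries to redirect the message view elsewhere.
SAMPLE_EMAIL = """<html><head>
<title>Account notice</title>
<meta http-equiv="refresh" content="0; url=https://example.invalid/login">
</head><body><p>Please wait...</p></body></html>"""


def parse_refresh_content(content):
    """Split a refresh 'content' value into (delay_seconds, url); url is None for a plain reload."""
    delay, _, rest = content.partition(";")
    try:
        seconds = int(delay.strip() or 0)
    except ValueError:
        seconds = 0
    m = re.match(r"\s*url\s*=\s*['\"]?([^'\"]*)", rest, re.IGNORECASE)
    url = m.group(1).strip() if m else None
    return seconds, url


class MetaRefreshScanner(HTMLParser):
    """Collect every <meta http-equiv="refresh"> tag, however it is cased or quoted."""

    def __init__(self):
        super().__init__()
        self.redirects = []  # (delay_seconds, url_or_None) per tag found
        self.raw_tags = []   # the exact tag text, so it can be removed verbatim

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser already lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        self.redirects.append(parse_refresh_content(a.get("content", "")))
        self.raw_tags.append(self.get_starttag_text())


def find_meta_refresh(html):
    """Return the list of (delay, url) redirects an email body would trigger if left unfiltered."""
    s = MetaRefreshScanner()
    s.feed(html)
    s.close()
    return s.redirects


def strip_meta_refresh(html):
    """Return the HTML with every meta refresh tag removed; the rest of the message is untouched."""
    s = MetaRefreshScanner()
    s.feed(html)
    s.close()
    for raw in s.raw_tags:
        html = html.replace(raw, "")
    return html
```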
While Mail will parse and allow forms within messages, making this phishing attack possible without a reload, having the email message load and then an overlay appear as an ostensible popup dialog feels more plausible. We're used to seeing that behavior.
To exploit this combination of factors, you have to view a message that employs this technique. With iCloud's spam filtering, which would likely quickly key into common factors (like the header tag information), few might get through.
Read the signs
An observant user would notice the following should such a message appear:
- The message appears only in the email portion of the Mail app.
- Scrolling the email scrolls the dialog.
- The keyboard doesn't automatically appear, even though the focus (where the cursor is positioned) moves to the form password field.
- When you tap the field and the keyboard then appears, the word Go appears for submission, like a form.
- Pressing Home dismisses the dialog, which isn't the case with a true login message.
Dear Reader, you might smile to yourself and think, "I would never be fooled by this." But then I would ask you to look in your wallet or purse and find the playing card I have placed within it! Is it the eight of clubs? While you were looking, I replaced your regular security with Folger's Instant Security.
My nonsense is just to say that we, even smug little me, think that we are too sophisticated to be phished in such a way, and then I try to recall the last time I saw an iCloud login dialog — and did I simply fill it in without looking for signs of fraud? (I have two-step verification enabled, so it's for naught to phish me for most purposes; most iCloud users do not.)