Cyber Saturday—Apple iPhone Phishing Trick, Zscaler as Best Tech IPO, Facebook Fails
Good morning, Cyber Saturday readers.
A month ago I was milling about a hotel room in New Orleans, procrastinating my prep for on-stage sessions at a tech conference, when I received a startling iMessage. “It’s Alan Murray,” the note said, referring to my boss’ boss’ boss.
Not in the habit of having Mr. Murray text my phone, I sat up straighter. “Please post your latest story here,” he wrote, including a link to a site purporting to be related to Microsoft 365, replete with Microsoft’s official corporate logo and everything. In the header of the iMessage thread, Apple’s virtual assistant Siri offered a suggestion: “Maybe: Alan Murray.”
The sight made me stagger, if momentarily. Then I remembered: A week or so earlier I had granted a cybersecurity startup, Wandera, permission to demonstrate a phishing attack on me. They called it, “Call Me Maybe.”
Alan Murray had not messaged me. The culprit was James Mack, a wily sales engineer at Wandera. When Mack rang me from a phone number that Siri presented as “Maybe: Bob Marley,” all doubt subsided. Jig, up.
There are two ways to pull off this social engineering trick, Mack told me. The first involves an attacker sending someone a spoofed email from a fake or impersonated account, like “Acme Financial.” This note must include a phone number; say, in the signature of the email. If the target responds—even with an automatic, out-of-office reply—then that contact should appear as “Maybe: Acme Financial” whenever the fraudster texts or calls.
The subterfuge is even simpler via text messaging. If an unknown entity identifies itself as Some Proper Noun in an iMessage, then the iPhone’s suggested contacts feature should show the entity as “Maybe: [Whoever].” Attackers can use this disguise to their advantage when phishing for sensitive information. The next step: either call a target to supposedly “confirm account details,” or send along a phishing link. If a victim takes the bait, the swindler is in.
The tactic apparently does not work with certain phrases, like “bank” or “credit union.” However, other terms, like “Wells Fargo,” “Acme Financial,” the names of various dead celebrities—or my topmost boss—have worked in Wandera’s tests, Mack said. Wandera reported the problem as a security issue to Apple on April 25th. Apple sent a preliminary response a week later, and a few days after that said it did not consider the issue to be a “security vulnerability,” and that it had reclassified the bug as a software issue “to help get it resolved.”
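The trust gap behind the trick, as an added illustration that is not Wandera's or Apple's code: a client-side model of the "Maybe: [Name]" suggestion, where a label is inferred from an unverified self-introduction in the message body, beside the check a client could run before showing it. The address book, the sender identifiers and the denylist of suppressed terms are constructed for the example; how Siri actually decides is not public.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    sender: str   # phone number or e-mail address; the client cannot verify who owns it
    body: str


# Constructed address book for the example: display name -> trusted sender identifiers.
ADDRESS_BOOK = {
    "Alan Murray": {"+15550100001", "alan.murray@example.com"},
    "Acme Financial": {"+15550100002"},
}

# Terms the page reports as suppressing the suggestion; an assumed, illustrative denylist.
BLOCKED_TERMS = ("bank", "credit union")

# Matches "It's Alan Murray." or "This is Acme Financial," and captures the claimed name.
SELF_ID = re.compile(r"\b(?:it's|it is|this is)\s+([A-Za-z][A-Za-z' .-]*?)\s*(?:[,.!?]|$)", re.I)


def known_contact(sender: str) -> Optional[str]:
    """Name of the saved contact that owns this sender identifier, if any."""
    for name, ids in ADDRESS_BOOK.items():
        if sender in ids:
            return name
    return None


def claimed_name(body: str) -> Optional[str]:
    """Name the message claims for its sender, taken purely from unverified text."""
    m = SELF_ID.search(body)
    return m.group(1).strip() if m else None


def suggested_label(msg: Message) -> Optional[str]:
    """Model of the suggestion: an unknown sender that names itself gets that name
    as its label, unless the name trips the denylist (brittle: 'Wells Fargo' passes)."""
    if known_contact(msg.sender):
        return None  # saved contacts need no guess
    name = claimed_name(msg.body)
    if not name or any(t in name.casefold() for t in BLOCKED_TERMS):
        return None
    return f"Maybe: {name}"


def impersonation_warning(msg: Message) -> Optional[str]:
    """Defensive check: the claimed name matches a saved contact, but the message
    did not arrive from any identifier stored for that contact."""
    name = claimed_name(msg.body)
    if not name or known_contact(msg.sender):
        return None
    for saved in ADDRESS_BOOK:
        if saved.casefold() == name.casefold():
            return f"Claimed '{saved}' but sent from unknown {msg.sender}"
    return None
```

The warning only catches collisions with names already in the address book; a brand the user has never saved, like "Wells Fargo" above, still gets its label, which is why the denylist alone is not a fix.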
What’s alarming about the ploy is how little effort it takes to pull off. “We didn’t do anything crazy here like jailbreak a phone or a Hollywood style attack—we’re not hacking into cell towers,” said Dan Cuddeford, Wandera’s director of engineering. “But it’s something that your layman hacker or social engineer might be able to do.”
To Cuddeford, the research exposes two bigger issues. The first is that Apple doesn’t reveal enough about how its software works. “This is a huge black box system,” he said. “Unless you work for Apple, no one knows how or why Siri does what it does.”
The second concern is more philosophical. “We’re not Elon Musk saying AI is about to take over the world, but it’s one example of how AI itself is not being evil, but can be abused by someone with malicious intent,” Cuddeford said. As we continue to let machines guide our lives, we should be sure we’re aware of how they’re making decisions.
Have a great weekend—and watch out for imposters.
Maybe: Robert Hackett
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Facebook’s flops. Facebook had a rough week, as usual. The company has been quietly sharing people’s personal data—and those of people’s friends—with phone-makers, including Huawei, a Chinese firm that is said to have close ties to the Chinese government. The data included, per a report by the New York Times: people’s “religious and political leanings, work and education history and relationship status.” Facebook also revealed that a since-fixed “bug” accidentally nudged an estimated 14 million people to make their posts public.
Bonus: The Wall Street Journal has an excellent piece on the clash of cultures between Facebook and WhatsApp, a chat app the social media site acquired for $22 billion.
Apple’s antidotes. Apple unveiled data privacy and other updates at its worldwide developers’ conference, or WWDC, this week. The company boosted its Safari browser with protections designed to thwart online tracking. It showed off a feature, ScreenTime, for combating phone addiction. And within the code for Apple’s new mobile operating system, iOS 12, inquisitive techies found traces of what appear to be Apple’s plans to expand its face-scanning technology, FaceID, to the iPad, as well as hints of a feature that makes it harder for law enforcement to hack iPhones in the course of their investigations.
China’s chops. Americans are worried that China is getting very good at targeting prospective defectors who have access to high-value information, and recruiting them to become informants and spies. The Wall Street Journal takes a look at a few recent cases, many of which involved people who struggled with debt. Meanwhile, DEFCON, one of the world’s biggest hacking conferences, debuted a Chinese version of the event. The summit could forge closer ties between the U.S. and Chinese hacking communities.
To breach his own. Security researcher Troy Hunt recently confirmed a hacker’s claim to have stolen a database containing information on 26 million users of Eventbrite’s Ticketfly service. The loot apparently includes email addresses, home and billing addresses, and phone numbers, though no passwords. In the wake of another incident, MyHeritage, an Israeli genetic testing company, is urging its users to change their passwords after it discovered that email addresses and hashed passwords for 92 million users were potentially compromised.
It’s good to be king. Cloud security firm Zscaler, which went public earlier this year, has claimed the title of the best performing tech IPO of 2018. The company’s shares have zoomed 164% to $40 per share since their stock exchange debut in March.
I simply refuse to believe this is possible.
People who value their privacy come from all demographic groups, but the impact of consumer tracking varies greatly by race, class and power. When you’re the “right” race, gender and sexual orientation, when you’ve got the right schools and jobs on your profile, marketers use tracking to flatter and include you. When you’re not, tracking is more likely to be used to exclude or exploit you. This disparate impact is a civil rights issue, and it should be treated like one by Congress.
MIT Scientists Create ‘Psychopath’ AI Named Norman by Carson Kessler
ONE MORE THING
‘X’ marks the spot. In the 19th century, an adventurer named Thomas J. Beale supposedly deposited millions of dollars worth of precious metals and gemstones in a Virginian forest. He left behind three ciphers detailing the fortune’s location, only one of which has been solved to date. Many people have tried to decode the wealth’s exact whereabouts; all have failed. As a weekend read, I recommend this account of the hunt for Beale’s buried treasure by Mental Floss. It’s a gripping, albeit lengthy, tale.