Submitted by Quick_Abbreviations4 t3_1137253 in iphone
Quick_Abbreviations4 OP t1_j8od16r wrote
Reply to comment by tj_ward in Is this mail from the REAL Apple? by Quick_Abbreviations4
Yeah, I thought that too. I clicked the link, but the link name was fishy itself so I immediately left and decided to post this. Thanks tho
Bootaymole t1_j8oq0cr wrote
Never click on the links if you’re suspicious about the email.
Quick_Abbreviations4 OP t1_j8ot6zx wrote
Thing is, I wasn't suspicious of the email. Since I'm not a native English speaker, the words just went past my brain and I read them the way they were supposed to be written. I was suspicious when I opened the link. While it was loading I glanced over the link and it just didn't seem right so I left the site before it even loaded.
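Added example, not part of the thread: one way to check where a link in an "Apple" email really leads before opening it, which is the judgement the OP made by eye. The trusted-domain list, the name `link_verdict` and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains treated as genuinely Apple's for this example.
TRUSTED_DOMAINS = {"apple.com", "icloud.com"}

def link_verdict(url):
    """Return (is_trusted, reason) for a link copied out of an email."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host"
    # "https://apple.com@other.example/" goes to other.example, not apple.com.
    if parts.username is not None:
        return False, "text before '@' is not the host; real host is " + host
    # Punycode or non-ASCII labels can render as lookalike letters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalised lookalike host: " + host
    # The trusted name must be the END of the host, on a label boundary.
    for domain in TRUSTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return True, "host is under " + domain
    return False, "host is not an Apple domain: " + host

# Constructed sample links (.example is reserved for documentation).
SAMPLES = [
    "https://appleid.apple.com/",
    "https://apple.com.account-verify.example/signin",
    "https://appleid.apple.com@account-verify.example/",
    "https://xn--pple-43d.example/",
    "http://apple.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        trusted, reason = link_verdict(link)
        print("OK     " if trusted else "REJECT ", link, "->", reason)
```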
expertmysteryshopper t1_j8otkn9 wrote
If you know HTML coding, that website has already gathered a lot of information about your device, since you clicked on the link.
Quick_Abbreviations4 OP t1_j8ou63j wrote
Well, fuck me I guess
alphinex t1_j8ow3es wrote
Ehem… with HTML only you can’t gather any information. And with JavaScript, you can’t get that much either.
I would assume, as long as you are not giving any information by yourself, you are more or less safe on the web.
The only way to gather more information without letting the user know about it is using a vulnerable bug (one of those got fixed in iOS 16.3.1), but I don’t know how far you would even get with that.
Cool-Click1253 t1_j8pdlbr wrote
I’m a web developer and I can confirm this is 100% accurate, just don’t visit suspicious links anyways just so you’re extra safe in case they’re utilizing an unknown vulnerability
expertmysteryshopper t1_j8pvahp wrote
Well, there is XML. I used to be a web designer using Microsoft FrontPage.
alphinex t1_j8swepz wrote
XML can’t do anything more than HTML. What’s your point? There is literally no logic in HTML or XML.
Please just take the advice from u/Cool-Click1253 and me, seems like we are both web developers, maybe both with some decades of experience (but we can still be wrong). You can't gather sensitive information (or any other) via XML or HTML (based upon XML btw…). HTML is only a HyperText Markup Language, not a programming language. It's only there to describe the structure of the page which should get (mostly visibly) rendered.
But still, you are right that you shouldn't click the link in the first place if it looks suspicious.
DarkNet-Magic t1_j8osvyf wrote
If you clicked on the link, change your Apple password immediately.
Phishing links like this (usually) simply just require you to click on them, then it immediately sends your credentials for the account they’re trying to access back to the scammer. A major red flag that is what is happening, is if you happen to click the link, and it opens up the application on your phone. That tells you that they just got your username and password for that account. However, just because you click the link and the application doesn’t open, doesn’t mean they still didn’t get your credentials.
Never, and I mean, never click on links that you don’t recognize, or have any doubt toward their legitimacy. Better safe than sorry by just not clicking the link to begin with.
Again, since you did click the link, I highly recommend changing the password for your Apple account immediately. Even if you clicked the link and immediately exited out, it doesn’t matter. If they were phishing for your information and just needed you to click the link to get it, then they got it as soon as you clicked.
I’ve worked Cyber Security for a very long time now, I see scams like these all of the time, have learned how to identify them pretty quickly, and figured out what they do and how they do it. Always be on the lookout, some of the emails I’ve seen look pretty damn legit, but there is always a way to point out a fraudulent email from a real one.
Quick_Abbreviations4 OP t1_j8otkzs wrote
I haven't changed it yet, I'll do it immediately. Will I suffer any consequences for waiting this long?
DarkNet-Magic t1_j8p30qe wrote
As long as you haven’t noticed any fraudulent activity within your Apple account, then you should be fine.
If you wanted to be extra cautious, you would also change the passwords of any other accounts that use the same password as your Apple account (if applicable), or at the very least, change the password of any accounts that use the same email address and password of your Apple account (if necessary).
Not all scammers are clever enough, or care enough, to tap into other accounts that use the same credentials, but it’s very common that they may try. They may also be phishing for the purpose of mass collecting credentials to sell on the darknet.
Again, that’s if you want to be extra cautious, but as long as you change your Apple password you should be alright.
elementaldelirium t1_j8ow3kd wrote
How does it get your password from just clicking?
DarkNet-Magic t1_j8p4rx9 wrote
It varies by how the programmer sets up the phishing link (there are also tons of templates scammers can grab online to make basic phishing links as well). But the way it works in most cases, is once you click on the phishing link, it then directs the code to open the application they are attempting to grab the credentials for. Once it opens the target application, it uses the credentials saved in the application (like when you open the application and it is automatically signed in), it then shoots those credentials (email and password) back to the scammer in a .txt file.
These guys literally get incredibly long lists of emails and passwords for the application they are targeting, go through and access those accounts so they can have access to your saved financial information, steal it, or use it to send themselves money.
Standard-Plan1506 t1_j8p4jh1 wrote
Sorry but that’s bs, clicking the link won’t give away anyone’s password. That’s why they’re trying to scam you into typing it yourself. You have to allow a website or an app to log in using your Google or Apple login; and even if you do it’s encrypted anyway, no one’s gonna see it.
DarkNet-Magic t1_j8p6wm7 wrote
Clicking a link absolutely will jeopardize your password. Albeit many phishing links aren’t that complex or intricate, but they are more common than you think.
I do pen-testing in my free time on the side, you would be amazed how often I come across those types of links. Apple accounts are more difficult to bypass, sure, but encryption isn’t an automatic guarantee of security, it just requires a little more complexity in the scripting.
Standard-Plan1506 t1_j8p98k2 wrote
No it won’t, stop making up these stories. You won’t get logged in anywhere unless you specifically confirm it by providing your password.
DarkNet-Magic t1_j8padjz wrote
I am not making anything up? Why would I have a reason to lie to a stranger on Reddit? If you haven’t come across those types of phishing links, that’s good for you, but to blatantly deny they exist is pure ignorance.
Standard-Plan1506 t1_j8pb59u wrote
I don’t know, you tell me, darknet pentester security engineer. Try me with your script, tell me my password.
DarkNet-Magic t1_j8pbzp2 wrote
I never said I was a “security engineer”. I said I work in Cyber Security, which Pen-Testing falls under.
Better yet, I’m not wasting nearly two hours creating a phishing script to prove a point. Again, a stranger on the Internet doesn’t mean anything to me.
With that being said, I conclude my conversation with you.
Standard-Plan1506 t1_j8r7aa2 wrote
You're talking about session hijacking, mate, you need an exploit to make it work. The idea that you can create a phishing script in 2 hours to steal data from iOS is ridiculous. And it's not going to produce a txt with login and pass, that's complete bs. You're familiar with 2FA, right?