Chinese government apparently collecting iCloud credentials through phishing attacks

iCloud phishing (image 001)

The Chinese government is reportedly phishing iCloud credentials of millions of people by staging a so-called man-in-the-middle attack which redirects unsuspecting users to a spoofed webpage that appears shockingly similar to the real iCloud.com website, Great Fire reported Monday.

Fooled users who type in their username and password into the fake web form risk exposing their iMessage communications, photos, contacts, reminders, calendars and other personal information associated with their Apple ID to a third-party. The problem is further accentuated by the fact that the popular Chinese browser Qihoo does not warn users that they’re visiting a fake website.

The nationwide attack coincides with the iPhone 6 and iPhone 6 launch today in China. “This is clearly a malicious attack on Apple in an effort to gain access to usernames and passwords and consequently all data stored on iCloud such as iMessages, photos, contacts, etc,” reported Great Fire.

Man-in-the-middle attacks uses independent connections with the victims and relays messages between them as if the victims were using a secure connection. A similar attack is said to target Microsoft’s login.live.com website as well.

Chinese users can mitigate the issue in several ways:

  • Use Safari, Chrome, Firefox or some other web browser that has built-in privacy protection and warns users when they attempt to visit a phishing website.
  • Create a VPN connection on their device to connect directly to iCloud.com.
  • Protect their Apple ID with two-factor authentication which requires both iCloud credentials and a one-time 4-digit code pushed to a user’s trusted devices.

The report doesn’t explain why the Chinese government would launch such an attack on Apple, whose devices are increasingly popular in the 1.33 billion people market.

On the other hand, governments in the United States and elsewhere grew very concerned after Apple stepped up security in iOS 8 and on its latest devices so maybe this is how the Chinese government responds to the increased security of Apple users.

At any rate, if you haven’t yet you’re wholeheartedly recommended to enable two-factor authentication for your Apple ID, here’s how.

Using two-factor authentication combines something you know (a password) with something you own (a device) and can go a long way toward saving you headache in case someone steals your username and password through social engineering and by other means.

[GreatFire via The Verge]