Attempting to compromise an iPhone via iMessage (or any mobile device via SMS) is possible and has been done successfully before. This type of attack is known as SMS phishing, or smishing: an attacker sends you a message containing a malicious link or attachment, which is used either to compromise your device directly by installing malicious software or to direct you to a page where the attacker will attempt to capture your credentials for a particular site or service, such as iCloud. The attacker will typically try to get you to click the link by using scare tactics, such as stating that someone has stolen money from your account, your software is out of date, your device has a virus, or something to that effect.
The attacker will also try to play on your sense of urgency, stating that the matter needs to be addressed now. This is done to prevent you from thinking clearly about what is actually going on. Humans tend to make mistakes or take shortcuts when under immense pressure, and the attacker is hoping that by rushing you to make a decision, you’ll fail to properly vet their request.
Here are some tips that can help you spot SMS phishing attacks:
- Be suspicious of numbers you don’t recognize. If the message says your bank account has been compromised, for example, go directly to the bank’s website or call their customer support number instead of clicking the link, as it could be a trap
- Check the time when the message was sent. If the message was sent at an unusual time such as 4:00 AM, this can be a sign that it was an automated message
- Treat messages that state “you must act now!” with suspicion. This is a common sign of social engineering attacks in general
- Report the message/block the number. Reporting the message allows your service provider to review the message and add the number to a service-wide block list. Additionally, service providers can review the contents of the message and block similarly crafted messages. If the message is threatening, you could also report the message to the Internet Crime Complaint Center.
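The warning signs in the list above can be combined into a simple triage heuristic for incoming messages. The following is an added example, not code from the original article; the phrase lists, the midnight-to-6 AM "unusual hours" window, the phone numbers and the domain are constructed assumptions.

```python
import re
from datetime import datetime, time

# Constructed phrase lists modelled on the lures described in the article.
URGENCY = re.compile(r"\b(act now|immediately|urgent|right away)\b", re.I)
SCARE = re.compile(r"\b(compromised|stolen|virus|out of date|suspended)\b", re.I)
LINK = re.compile(r"\b(?:https?://|www\.)\S+", re.I)
QUIET_START, QUIET_END = time(0, 0), time(6, 0)  # assumed "unusual time" window


def triage_sms(sender, body, sent_at, known_senders):
    """Return (score, reasons); one point per warning sign that is present."""
    reasons = []
    if sender not in known_senders:
        reasons.append("unrecognized sender")
    if QUIET_START <= sent_at.time() < QUIET_END:
        reasons.append("sent at unusual hour")
    if URGENCY.search(body):
        reasons.append("urgency language")
    if SCARE.search(body):
        reasons.append("scare tactic")
    if LINK.search(body):
        reasons.append("contains link")
    return len(reasons), reasons


def review_inbox(messages, known_senders, threshold=3):
    """Return the messages whose score meets the threshold, with reasons."""
    flagged = []
    for sender, body, sent_at in messages:
        score, reasons = triage_sms(sender, body, sent_at, known_senders)
        if score >= threshold:
            flagged.append((sender, score, reasons))
    return flagged


# Constructed sample data (fictional numbers, reserved .example domain).
KNOWN_SENDERS = {"+15550123"}
SAMPLES = [
    ("+15550100", "Your bank account has been compromised. You must act now: "
     "http://bank-verify.example/login", datetime(2024, 3, 2, 4, 0)),
    ("+15550123", "Running late, see you at 7", datetime(2024, 3, 2, 18, 30)),
]

if __name__ == "__main__":
    for sender, score, reasons in review_inbox(SAMPLES, KNOWN_SENDERS):
        print(f"{sender}: score {score} -> {', '.join(reasons)}")
```

A high score is a prompt to verify through the bank's or service's own website or support number, not proof of an attack; a low score does not make a message safe.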
Here are a few examples of how Google’s Project Zero team was able to compromise an iPhone: Google Hackers Found 10 Ways to Hack an iPhone Without Touching It
As always, please contact us if you have any questions regarding how to secure your mobile device from bad actors (aka the bad guys)!