The scam is well-known and widespread: emails and text messages ask users to open a specific URL, under the pretext that access to a particular user account would otherwise be restricted. Civil rights activists in Egypt have noted that these attacks have been increasing since 2023 and are targeting civil rights activists, journalists and opposition politicians. Among other targets, the attackers tried to gain access to Apple accounts in this way.
Target: the iCloud backup
Initially, the targeted user ignored these messages. After repeated similar requests, he opened the URL and logged in with his account details. This is how the attackers obtained the password. A subsequently triggered two-factor authentication prompt, had it been approved, would have completed the account takeover. Fortunately, the iPhone user noticed the location of the login attempt: it was in Cairo. The user, however, was in Lebanon at the time.
Multiple attacks on many levels
The civil rights organization Access Now documented several cases in the Middle East and North Africa. In addition to Apple accounts, the coordinated attacks targeted Microsoft accounts as well as WhatsApp and Signal Messenger, among others. An organized group that Lookout Research calls “Bitter APT” (APT = Advanced Persistent Threat) is responsible. On Android, the group also relies on a spyware framework called ProSpy, which it embeds in trojanized apps. The security researchers conclude that the group apparently takes commissions from a wide range of government organizations and is not particularly concerned with the legitimacy of the attacks.
Vigilance is required
For Apple users, the attacks rely on attrition rather than on exploiting flaws in the software. Apparently iOS poses hurdles that are difficult for malware to overcome. In response to the vulnerabilities exploited by Pegasus, Apple developed Lockdown Mode, which the company recommends to exposed and prominent individuals. To date, according to Apple, no iPhone running in this mode has been hacked.