Skip to main content

PSA: Cybersecurity company demos how Siri feature can be used for phishing

A cybersecurity company has demonstrated how a Siri feature could be exploited by scammers to assist with phishing attempts.

The approach replies on the way that Siri attempts to identify unknown callers, potentially presenting you with a misleading impression of who they are …

When Siri doesn’t recognize a caller, it uses a couple of different approaches to try to work out who it may be. It then presents that to you on your incoming call screen as ‘Maybe: Whoever.’

Although the ‘Maybe’ is a clue that Siri isn’t certain of the caller’s identity, some unwary people might rely on it, for example if it names their bank.

Fortune reports cybersecurity company Wandera explaining how it works.

There are two ways to pull off this social engineering trick […] The first involves an attacker sending someone a spoofed email from a fake or impersonated account, like “Acme Financial.” This note must include a phone number; say, in the signature of the email. If the target responds—even with an automatic, out-of-office reply—then that contact should appear as “Maybe: Acme Financial” whenever the fraudster texts or calls next.

The subterfuge is even simpler via text messaging. If an unknown entity identifies itself as Some Proper Noun in an iMessage, then the iPhone’s suggested contacts feature should show the entity as “Maybe: [Whoever].”

Apple does block certain phrases – like ‘Bank’ or ‘Credit union’ – but not the names of specific banks, so it would present the guessed identity for something like Wells Fargo.

As Bloomberg’s Mark Gurman notes, this has been possible since iOS 9.

Wandera said that it reported the issue to Apple back in April, but the company said that it didn’t consider it a security vulnerability. Apple did say that it had noted it as a software issue ‘to help get it resolved,’ suggesting that it may tighten protections.

You probably already view Siri contact guesses as just that. However, it’s probably worth being aware that scammers may be trying to exploit a potential vulnerability.


Check out 9to5Mac on YouTube for more Apple news:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear