darkcybe
  • 👋whoami
  • Security Operations
    • 💉Threat Mangement
      • Identify
        • Developing a Security Program
        • Governance, Risk, and Compliance (GRC)
        • Security Architecture
      • Protect
        • Vulnerability Mangement
        • Identity and Access Management (IAM)
        • Zero Trust
    • 👩‍💻Threat Detection
      • Detect
        • Continuous Monitoring & Security Operations Center (SOC)
        • Cyber Threat Intelligence (CTI)
    • 🚒Threat Response
      • Respond
        • Digital Forensics and Incident Response (DFIR)
      • Recover
  • Offensive Security Operations
    • 🎯Penetration Testing
      • Techniques
        • MITRE ATT&CK
          • Reconnaissance
          • Resource Development
            • T1608 - Stage Capabilities
              • Staging Malware and Tools on Kali Linux
          • Initial Access
          • Execution
          • Persistence
          • Privilege Escalation
          • Defense Evasion
          • Credential Access
          • Discovery
          • Lateral Movement
          • Collection
          • Command and Control
          • Exfiltration
          • Impact
        • CAPEC
          • 100 - Overflow Buffers
          • 66 - SQL Injection
          • 94 - Adversary-in-the-Middle (AiTM)
          • 252 - PHP Local File Inclusion (LFI)
          • 560 - Use of Known Domain Credentials
          • 644 - Use of Captured Hashes (Pass-the-Hash (PtH))
          • 633 - Token Impersonation
        • Technology Focused
          • Cloud
            • Amazon Web Services (AWS)
            • Google Cloud Platform (GCP)
          • Network Protocols and Services
            • Port 20/21 - FTP
            • Port 22 - SSH
            • Port 23 - Telnet
            • Port 25 - SMTP
            • Port 53 - DNS
            • Port 80 - HTTP
            • Port 110/995 - POP3
            • Port 135/593 - MSRPC
            • Port 137-139 - NetBIOS
            • Port 143/993 - IMAP
            • Port 443 - HTTPS
            • Port 445 - SMB
            • Port 3389 - RDP
            • Port 5355 - LLMNR
            • ARP
            • Databases
              • Port 1433/1434 - MSSQL
              • Port 3306 - MySQL/MariaDB
            • DHCP
          • Web
            • PHP
          • Windows
            • Active Directory
          • Wireless
          • Linux
      • Offensive Security Tools
    • 🚩Capture The Flag (CTF)
  • Guides
    • 🔍DFIR
      • Evidence Artifacts
        • Event Logs
        • Windows
          • Evidence of...
            • Account Usage
            • File Download
            • Program Execution
            • External Device Activity
            • File and Folder Interaction
            • Lateral Movement
            • Network and Browser History
      • DFIR Tools
        • Malware and File Analysis
          • Sigcheck
          • DensityScout
        • Memory Forensics
          • Volatility
        • Program Execution
          • PeCmd
          • WxTcmd
          • AmcacheParser
          • JumpListExplorer (JLE)
          • AppCompatCacheParser
          • SrumECmd
        • DFIR Toolkits
          • Registry Explorer
          • Incident Timelines
      • Theat Analysis
        • Analysis
          • iOS Popup Scam
        • Emulation
    • 🥷Ethical Hacking
      • Exploitation
      • Post-Exploitation
      • Reporting and Documentation
    • ⛳CTF Walkthroughs
      • 📦Hack The Box (HTB)
        • 🚶HTB Walkthroughs
    • 👷‍♀️Security Engineering
      • Building a Cybersecurity Home Lab
        • Step 1: Lab Design and Architecture
        • Step 2: Installing and Configuring VMware ESXi 8
        • Step 3: Installing the OPNsense Firewall
        • Step 4: Configuring OPNsense Firewall Rules
  • General Resources
    • 🐳Deep Dives
      • Public Key Infrastructure (PKI)
    • 🐍Programming
      • Python
    • 🏋️Training
      • 🗓️Study Methodology
    • 🥠Semi-Pro Tips
      • Linux
      • Windows
      • Resources
Powered by GitBook
On this page
  • Investigation
  • Remediation
  • IOCs
  1. Guides
  2. DFIR
  3. Theat Analysis
  4. Analysis

iOS Popup Scam

Analysis and response to an iOS scam that prompts a user to download a suspicious application from the Apple App Store.

PreviousAnalysisNextEmulation

Last updated 1 year ago

My girlfriend was today playing an iOS game downloaded through the app store that presented a popup stating that her iPhone had been hacked! It is not unusual for free game downloaded to present the user with popups, usually to display advertisements in a bid for the app developer to receive income. Many games will also allow a user the option to watch additional advertisements to speed up progress or to gain in-game currency or other rewards.

In this particular instance, the game presented the below popup. Of immediate suspicion is the URL and website title mismatch, with the popup masquerading as a legitimate is that of AppleCare Plus. The tried method of instilling a sense of urgency to the end user is leveraged with a proclamation that the target device has been hacked and that immediate action is required.

Investigation

Breaking down the URL grants the following information:

  1. linkthetrafficmedia.com/

    • linkthetrafficmedia as the parent domain is a add serving provider.

    • Address: 104.21.94.70 (CloudFlare CDN)

  2. HFmx46Qr

    • The filename of the page being served. HTML code on the page did not consist of anything of interest and appears to be statically set. This value is highly likely to change.

  3. cost=0.001972746

    • Possible cost per add served?

  4. external_id=166529318109990TAUTV49836334174V251

    • Possible service identification?

  5. ad_campaign_id=304067220

    • An identification number for the add campaign

  6. source=6307776-624692278-4260646726

    • Possible user identification?

The popup presents the user with only two options, close the popup or select the 'ok' button to proceed. Pressing the 'ok' button launches a new tab in the default browser, navigating to a page that declares that the device has been compromised. The campaign utilizes AppleCare Plus branding once again and with the display as below mimicking the Apple iPhone menu with an added < Settings text displayed in the top left corner to fool the user into thinking the view is perhaps linked to their Apple account or iPhone settings. Exiting out of the popup does not launch any further popups or windows.

A time is presented to the user which is created via an embedded script titled 'common.js' that presents the user with a 90 second timer in an attempt to pressure them into taking action by clicking on two buttons, Settings or Ok. Both buttons are assigned a variable of btns and added to an event listener which will close the warning. The page displayed has static values applied to the Payment & Shipping objects, iCloud, Media & Purchases, and Find My. These statically set values are done so within the HTML code.

var now_seconds = 90,
    timer = document.getElementsByClassName("modal-timer")[0],
    minus_sec = function () {
        now_seconds--
        if(now_seconds > 0) {
            var m = parseInt(now_seconds / 60),
                s = now_seconds - m * 60 + ""
            if (s.length <= 1) s = "0" + s
            timer.innerHTML = m + ":" + s
            setTimeout(minus_sec, 1000)
        }else{
            timer.innerHTML = "0:00"
        }
    }
minus_sec()

var modal = document.getElementsByClassName("modal")[0],
    btns = document.getElementsByClassName("modal-btn")
for(var btn of btns) btn.addEventListener("click", function (e) {
    e.preventDefault()
    modal.style.display = "none"
})

Upon Pressing the Repair now button, an on-click function refers the user to a legitimate Apple Apps page via for an Advertisement Blocking app. Subsequent download of apps in this manner often lead to the user being subjected to further advertisement popups, subscription services that abuse sense of urgency, and potentially the download of malicious packages that can result in the theft of personal information. Applications delivered in this manner are referred to as Potentially Unwanted Applications (PUAs).

<html lang="en">
<head><base href="/lander/applecare-plus8-1/index.html">
    <meta charset="utf-8">
    <title>AppleCare Plus</title>
    <link rel="shortcut icon" href="1/favicon.png" type="image/png">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">

    <link rel="stylesheet" type="text/css" href="1/SanFrancisco/stylesheet.css?rand=1.0" />
    <link rel="stylesheet" type="text/css" href="1/common.css?v=1.0" />
    <script src="https://analytics-active.com/js.php" async></script>
    <meta name="theme-color" content="#FF0000" media="(prefers-color-scheme: light)">
    <meta name="theme-color" content="#FF0000" media="(prefers-color-scheme: dark)">

        <script>
alert('Your Apple iPhone has been hacked. All operations on your device are being tracked by the hacker. Immediate action is required!');


//window.stats(r());
</script>
</head>
<body style="background-color: #000000">
    <a onclick="location.href = 'https://linkthetrafficmedia.com/?_lp=1&_token=uuid_2vl208749tdo1_2vl208749tdo16342668946aaf0.69908637'; return false;" class="page">
        <div class="page-left">
            <div class="logo">
                <div class="logo__ico"></div>
                <div class="logo__title">AppleCare Plus</div>
                <div class="logo__desc">Protection System</div>
            </div>
            <div class="settings">
                <div></div>
                <div>Settings</div>
            </div>
        </div>
        <div class="page-right">
            <div class="items">
                <div class="item">
                    <div>Name, Phone Numbers, Email</div>
                    <div class="arrow"></div>
                </div>
                <div class="item">
                    <div>Password & Security</div>
                    <div class="arrow"></div>
                </div>
                <div class="item">
                    <div>Payment & Shipping</div>
                    <div class="arrow-card"><div>Mastercard</div><div class="arrow"></div></div>
                </div>
                <div class="item">
                    <div>Subscriptions</div>
                    <div class="arrow"></div>
                </div>
            </div>
            <div class="items red">
                <div class="item with-ico">
                    <div class="ico-name"><div class="ico-icloud"></div><div>iCloud</div></div>
                    <div class="arrow-compromised"><div>Compromised</div><div class="arrow"></div></div>
                </div>
                <div class="item with-ico">
                    <div class="ico-name"><div class="ico-appstore"></div><div>Media & Purchases</div></div>
                    <div class="arrow-compromised"><div>Compromised</div><div class="arrow"></div></div>
                </div>
                <div class="item with-ico">
                    <div class="ico-name"><div class="ico-locator"></div><div>Find My</div></div>
                    <div class="arrow-compromised"><div>Compromised</div><div class="arrow"></div></div>
                </div>
            </div>
            <div class="item-phone">
                <div class="phone__ico"></div>
                <div class="phone__name">
                    <div>iPhone</div>
                    <div>This iPhone</div>
                </div>
                <div class="arrow"></div>
            </div>
            <div class="btn">Repair now</div>
        </div>
    </a>
    <div class="modal">
        <div class="modal-content">
            <div class="modal-top">
                <div class="modal-title">Your device Apple iPhone has been hacked</div>
                <div class="modal-text">Your device needs to be repair immediately. Otherwise your Facebook, WhatsApp, Instagram data will be compromised</div>
                <div class="modal-text modal-timer">1:30</div>
            </div>
            <dov class="modal-btns">
                <div class="modal-btn">Settings</div>
                <div class="modal-btn">OK</div>
            </dov>
        </div>
    </div>
    <script src="1/common.js?rand=1.0"></script>
</body>
</html>

Remediation

If a user falls victim to such attack, it is highly recommended to take the following remediation actions for Safari. Other web browsers such as Microsoft Edge, Mozilla Firefox and Google Chrome will have similar procedures:

  1. Clear iPhone/iPad History and Data

    • Settings > Safari

    • Clear History and Website Data

  2. Disallow JavaScript Execution

    • Settings > Safari > Settings > Advanced

    • Toggle the JavaScript button to off

Apple provide a great reference for Recognizing and avoiding phishing messages, phony support calls, and other scams.

IOCs

Object
Value
Description

URL

hxxps://linkthetrafficmedia.com/HFmx46Qr

Serves popup through advertisement.

IP

104.21.94.70

CloudFlare CDN hosting linkthetrafficmedia[.]com

App

Neo Protect: AdBlock

Application offers AdBlocking services, subscription service is offered at USD$7.99 per week. App Store URL : hxxps://apps.apple.com/kg/app/neo-protect-adblock/id1572287518

🔍
AppleCare Scam - linkthetrafficmedia.com
AppleCare Scam - linkthetrafficmedia.com
AppleCare Scam - linkthetrafficmedia.com - Neo Protect