Apple's Siri contact suggestions to identify unknown calls and messages has been a helpful feature, giving us a probable idea of who the user may be, just in case we don't have the number saved on the phone. However, in a new development, cybersecurity company Wandera has now demoed how this Siri feature can be easily exploited and used for phishing attempts in the future. When a number is unknown, Siri attempts to find suggestions by throwing a 'Maybe: XXXX' banner on your incoming call screen or in iMessages as well. Phishers may try to use this Siri's 'Maybe' feature to mislead users of who they really are.
Fortune explains that this trick works in two ways - one way is to just make a fake account of the name you want to display in the Siri feature, and send an email to the target. If the target responds, then the 'Maybe' feature will show the fake account name every time the phisher calls or texts in the future.
"There are two ways to pull off this social engineering trick... The first involves an attacker sending someone a spoofed email from a fake or impersonated account, like "Acme Financial." This note must include a phone number; say, in the signature of the email. If the target responds-even with an automatic, out-of-office reply-then that contact should appear as "Maybe: Acme Financial" whenever the fraudster texts or calls next," the report notes. The second way is via text messaging. "The subterfuge is even simpler via text messaging. If an unknown entity identifies itself as Some Proper Noun in an iMessage, then the iPhone's suggested contacts feature should show the entity as Maybe: [Whoever]," the report explains.
Bloomberg's Mark Gurman notes that this Siiri contact suggestions feature has been around since iOS 9, and for all the users who don't wish to be misled, Apple could easily add a switch to toggle the Siri feature off. Wandera said it reported this issue to Apple which noted it as a software issue, and not a security vulnerability.