Beware Obituary Scam Sites and Fake iPhone Security Warnings

Originally published at: Beware Obituary Scam Sites and Fake iPhone Security Warnings - TidBITS

A longtime TidBITS reader contacted me in a slight panic yesterday. While searching on his iPhone for an obituary, he tapped a possible result in the Google search results. The site to which he was sent threw up a bunch of dire-sounding warnings about how his iPhone was infected.

He freaked out slightly but rightly immediately closed Safari and hoped all was well. However, 10 minutes later, he received an email from 1Password informing him of a sign-in from a new device or browser extension. That threw him for a loop, so he contacted 1Password support, who confirmed it was a legitimate, coincidental message—seemingly fully unrelated to the malicious site visit.

I want to share how I helped reassure him that there was no reason to worry so you can repeat the process if you or someone you know experiences a similar Web-based malware lure.

Examining the 1Password Notification

I was first curious about the IP address that 1Password identified. When I asked my friend to check it using What’s My IP, he confirmed that it was indeed his IP address as the source of his new sign-in. That confirmed it was at least one of his devices on his network, not a malicious party elsewhere on the Internet.

While it’s not inconceivable that malware could have compromised his device and signed into 1Password from it, it’s quite unlikely due to an extra step 1Password requires: you need both your account password and a Secret Key to log in. (The Secret Key is essentially a second randomly generated password that’s combined with the account password to create the encryption key that protects your data. It’s only stored locally on your devices.) It’s vanishingly unlikely that malware could somehow have exfiltrated the Secret Key from local storage, decrypted it, and combined it with the account password to log in. Nothing is impossible, but malware with such a capability would be used against high-value targets by criminals or governments, not against random people browsing the Web.

I can’t explain why my friend received this notification despite not signing in to 1Password manually on his iPhone or Mac. Research suggests that the message can be triggered by force-quitting Safari, using iCloud Private Relay, clearing the browser’s cache or history, updating the 1Password extension, having a dynamic IP address change (which causes 1Password to think it’s running on a new device or location), or updating 1Password or Safari. Unexplained 1Password notifications seem to be uncommon, so it’s not that these activities will trigger a sign-in notification, just that they might.

Investigating the Malicious Website

Based on years of reading about iPhone security, I’m confident that iOS is hardened against attacks from random websites. In part, this is because Apple’s hardening efforts have been so successful that any ethically challenged person who discovered such an exploit would sell it for millions or use it for targeted attacks against high-profile cryptocurrency holders, as one example. Normal people would report it to Apple.

So I repeated my friend’s Google search and found the site he had clicked as well as several others, all with article post dates of 13 November 2024. The offending site was sloppily built in WordPress and contains what seem to be AI-generated obituaries. You can tell from sentences like “His sudden passing on [insert date] has left those who knew him grappling with loss.” Other signs include the sketchy gambling ads on the pages and the fact that the name of the deceased changes between the title and the text. Oops.

When loaded, the sites quickly started displaying dire-sounding alerts that claimed my iPhone had been compromised—and suggested a system cleaner app or VPN.

Tapping any of the links loaded a second page that immediately redirected to a system cleaner or VPN app in the App Store. I don’t know if these apps are legitimate, though I have my suspicions. I may be willing to navigate to malicious sites in Safari, but I’m not so foolhardy as to install potentially malicious apps on a non-test device.

I won’t link to these apps, but I have reported them to Apple for investigation.

Lessons

What should we take away from this experience?

  • Coincidences happen: My friend was worried because of the 1Password notification, but as far as I can tell, it was merely a coincidence. Just because two events occur close to one another doesn’t mean they’re necessarily related.
  • Don’t panic: The Hitchhiker’s Guide to the Galaxy had it right: Just because a website displays an alarming alert doesn’t mean that anything bad has happened. The scammers are trying to bypass your rational mind by invoking fear and danger.
  • Close the tab or window: To make the scam website go away, tap Safari’s tab button in the lower-right corner of an iPhone or iPad and close the offending tab. On a Mac, close the window with Command-W. If you can’t get the tab button to appear on an iPhone or iPad, tap near the very top of the page—this often reveals the Safari framing.
  • Don’t install random apps: If a website you didn’t intentionally visit suggests that you install an app and then redirects you to the App Store, don’t do it. Although Apple reviews all apps in the App Store, its vetting process is far from foolproof. Examples exist of legitimate apps being erroneously rejected while dubious ones slip through. You should always assess app trustworthiness based on factors beyond its inclusion in the App Store.
  • Obituaries are easily faked: Perhaps the most troubling aspect of this scam is how it preys on people who are grieving, particularly the elderly. Since obituaries are often relatively similar, they’re easy to fake, and it wouldn’t be difficult to create a site that would automatically generate obituaries for every imaginable name. (Similarly offensive are sites that leverage obituaries to generate search traffic and thus ad impressions with poor AI-generated obituaries, including of living people.)

Stay alert out there.

3 Likes
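The article's point about the Secret Key is that an attacker who obtains only the account password (say, through a phishing page or a keylogger) still cannot derive the key that protects the vault, because that key is a function of two independent secrets. The following Python is an added illustration of that design, not 1Password's actual key-derivation protocol and not code from TidBITS: the salt, the Secret Key format, the password and the iteration count are all constructed for the example. It stretches the human-chosen password with PBKDF2, extracts a second component from the random Secret Key with HMAC, XORs the two into one unlock key, and then checks that neither secret alone unlocks the constructed account.

```python
import hashlib
import hmac
import secrets

# Constructed per-account salt for this illustration; a real design would
# generate and store one salt per account.
SALT = b"constructed-demo-salt-0001"

# PBKDF2 work factor; constructed for the demo, not 1Password's value.
PBKDF2_ITERATIONS = 100_000


def generate_secret_key() -> str:
    """Produce a high-entropy random Secret Key.

    The grouped-letters format is constructed for readability only; what matters
    is that the value comes from a CSPRNG and never leaves the user's devices.
    """
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    return "-".join(
        "".join(secrets.choice(alphabet) for _ in range(6)) for _ in range(4)
    )


def derive_unlock_key(account_password: str, secret_key: str, salt: bytes = SALT) -> bytes:
    """Combine the two secrets into a single 256-bit unlock key.

    The password is human-chosen (low entropy), so it is stretched with PBKDF2.
    The Secret Key is already random, so a single HMAC extraction suffices.
    XORing the two 32-byte components means that knowing only one of them
    reveals nothing about the final key.
    """
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", account_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    sk_part = hmac.new(
        secret_key.encode("utf-8"), b"secret-key-component", hashlib.sha256
    ).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(unlock_key: bytes) -> bytes:
    """Value a client can keep to confirm a later unlock attempt derived the
    same key, without storing the key itself (a one-way hash with a label)."""
    return hashlib.sha256(b"verifier:" + unlock_key).digest()


def try_unlock(account_password: str, secret_key: str, verifier: bytes) -> bool:
    """Return True only if both secrets together reproduce the stored verifier."""
    candidate = make_verifier(derive_unlock_key(account_password, secret_key))
    # Constant-time comparison so a wrong guess does not leak via timing.
    return hmac.compare_digest(candidate, verifier)


def demo() -> dict:
    """Enrol a constructed account, then attempt the three cases that matter:
    both secrets, the password with a guessed Secret Key, and the Secret Key
    with a guessed password."""
    password = "correct horse battery staple"  # constructed sample password
    secret_key = generate_secret_key()
    verifier = make_verifier(derive_unlock_key(password, secret_key))
    return {
        # Legitimate device: has both the password and the locally stored Secret Key.
        "both_secrets": try_unlock(password, secret_key, verifier),
        # Phished password but no Secret Key: attacker can only guess it.
        "password_only": try_unlock(password, generate_secret_key(), verifier),
        # Secret Key leaked from a device but the password is unknown.
        "secret_key_only": try_unlock("wrong password guess", secret_key, verifier),
    }


if __name__ == "__main__":
    for case, unlocked in demo().items():
        print(f"{case:16s} -> {'unlocked' if unlocked else 'refused'}")
```

The split is what makes the article's "vanishingly unlikely" reasoning concrete: a website that tricks someone into typing a password gets one component, while the other never leaves the device, and the unlock key is useless without both.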

This reminds me of something similar I encountered this summer.

I play several games on my phone that are ad-sponsored. They have banner ads at the top of the screen and display interstitial video ads between levels.

For a while, this summer, some of those video ads were designed to resemble popups from supposed malware scanners. Of course, it was just playing a video clip. But since it was an ad, tapping anywhere on it would bring you to some site claiming to sell anti-malware apps (similar to what you saw, @ace).

And I occasionally found that one of the banner ads would run a script to open Safari and go directly to the site, without my tapping anything.

I complained to the game publisher (Zynga) and to Apple, and these ads went away in a week or two. But I am under no illusion that scammers are going to find some other way around the rules and present more of the same junk in the future.

1 Like

Yes! Even ads on legitimate sites or apps can link to sketchy destinations if the ad agency or aggregator selling them doesn’t vet the advertisers sufficiently. It’s yet another black mark against ads.

2 Likes

I would have said that before reading this:

Although saying that “Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems”, that doesn’t mean it couldn’t be exploited on iPhones and iPads. N.b., Apple issued the iOS & iPadOS 18.1.1 update specifically to fix:

  1. An issue with JavaScriptCore, where processing maliciously crafted web content may lead to arbitrary code execution.
  2. WebKit, where processing maliciously crafted web content may lead to a cross-site scripting attack.

We don’t know how widely those issues could have been exploited.

FYI, WebKit is what Safari (and Quick Look) uses to parse and display http, parse and execute JavaScript (WebKit contains JavaScriptCore) as well as controlling the display of images & video. It’s used not only by Safari, but pretty much every other app which needs to do those things.

Recent iOS/iPadOS updates circa 2024 & 2023 that contain WebKit or JavaScript security content involving “…may lead to arbitrary code execution”: 17.3, 17.2, 17.1.2, 17.1, 17, 16.6, 16.2, 16.1.2, 16.1, 16, 15.7.2, 15.7.1 (many more date back to 2022 and before). WebKit/JavaScript exploitation has been possible (and used?) for years.

The proverbial bottom line might be: don’t trust links! Unless you trust both the source and destination of the link. Perhaps especially links in advertisements and web search results. But be careful of links in Mail and Messages as well.

Be cautious using any app which loads and displays link contents without your having to actually “click” on anything (i.e., performs zero-click fetching & displaying). Even if it’s only providing a “preview” (yep, previews are processed by WebKit and can involve running JavaScript code). E.g., auto-playing video previews, Mail previews, Notification previews, etc.

Unfortunately, there are apps where it’s almost impossible to prevent this. Namely, the Messages app is a notorious cause of iOS security issues because it silently, and in the background, will resolve links sent to you in order to try to present previews of them.

Apple has a solution for this, but it’s not a fun one: Lockdown Mode (in Settings / Privacy & Security). See About Lockdown Mode - Apple Support for more about it. But one of the things locked down is that Messages cannot show or send most attachments, something many people wouldn’t want. Lockdown Mode is very limiting in other ways.

Honestly, it would be nice if Apple offered a setting that merely prevented the Messages app from fetching links until the user tapped. Or allowed more powerful blocking extensions like uBlock Origin which worked not only with Safari but with third-party apps as well.

3 Likes

Well, it’s the App Store. Apple’s marketing tells us that is what we pay the Apple tax for, so we get to be safe and know that as long as we get our wares from that one special place, they will have been vetted and checked to make sure we are not scammed or harmed.

But, yes, back in the real world, we know that isn’t always as tight as it should be. Good on you for raising Apple’s attention to the apps in question. If their testing and checks missed something first time around, they now should know where to take a closer look. And, of course, it’s possible those apps are indeed ok and it’s just the advertising that’s sleazy.

The Mail app does something similar by default. On iOS/iPadOS at least, you can partially control it by:

  1. In Settings > Apps > Mail > Preview: set Preview to None
  2. In Settings > Apps > Mail, turn Add Link Previews to Off
    … and (this will have obvious effects):
  3. In Settings > Apps > Mail, turn Load Remote Images to Off
    [In other mail clients (and even some webmail interfaces), this last setting is equivalent to turning Off something like “Load Remote Content”. Viewing your email messages without images (and/or some other remote content the message links to) can take some practice, but invariably there will be a link at the top of the displayed message offering to “Load Remote Content” or whatever; you can click on that to fetch & display the email message in all of its sender-intended glory.]

Lockdown Mode may restrict or disable some of these. It may also tweak other non-public settings (not exposed or settable in Settings) as well…

Apple does a good job vetting apps in general, but they often can’t do a thorough evaluation of the libraries an app uses. Libraries can either be bundled into the app (using either open library code – from GitHub or elsewhere – or proprietary non-public library code), or external to the app – often in the form of an Apple-supplied library. For example, essentially every browser app for iOS/iPadOS uses Apple’s WebKit library (I’m not sure, but Firefox’s family of browsers may be an exception; Mozilla has long developed and maintained their own browser engine libraries.)

There is so much code in WebKit that it’s almost impossible to vet every possible code path that an app could possibly activate (in the case of WebKit’s JavaScriptCore component, the number of possible code paths is virtually infinite). Because of this, app vetting checks don’t try very hard to check paths through libraries. Ideally, the libraries as a whole should have been vetted already. But that’s extremely time-consuming and difficult (maybe getting easier with AI assistance). And then the library has to be exhaustively re-checked whenever there are any changes, updates, or bug fixes … and whenever the HTML standard changes. There is a vast amount of code in WebKit, mostly C++ code (Apple’s version of WebKit includes Objective-C wrappers for APIs that activate C++ code); some of it legacy code dating back possibly as far as 1998. Vetting WebKit is a continuing, unending process.

And don’t be surprised if you notice that some of the CVEs relating to WebKit come from information about flaws discovered by Google. The browser engine underlying Google’s Chrome browser, Blink, is a fork of WebKit’s WebCore component which dates back to 2013, and likely contains quite a bit of WebKit legacy code. Google is continuously vetting and testing Blink. And when Google discovers an exploitable flaw in Blink (and has to push out an update to Chrome), there’s a good chance that they’ve uncovered a similar flaw in WebKit. A flaw which may have been around (and exploited?!) for years – only recently discovered as a zero-day.

2 Likes

Right?
But how is it Apple allows you to search the App Store and its top result isn’t the app you are looking for? That one is usually the second one listed. Which, for the uninformed, means they might install the first app.

1 Like

It was a terrible idea to sell advertising in there. Ads are for Google. Apple should make its money with what it sells to the user, not by selling the user. It’s just a bad idea to let third parties embed themselves into what should be a good user experience. Case in point: if I search for the name of an app, that app needs to be the #1 hit, not some perhaps related app that happened to pay Apple money. I paid you more, Apple, remember that.

7 Likes

And as if on cue, I got another of those fake-malware scam ads tonight. Here’s a screenshot:

Note that it is claiming to be an alert from “Apple Security” and claims that there are viruses in my phone and in the battery (?!?) and that if I don’t tap the link and install their software, there will be even more damage.

The ad links to an App Store page for what claims to be a VPN, but that’s where I stopped looking. I would and do assume that anything linked from an ad like that is malware/spyware.

1 Like