My wife recently received a spoofed email that purportedly came from our veterinarian. There was a zip file attached, and my wife tapped it (she was on her iPhone at the time). Nothing happened, but she almost immediately realized that the email was not from our vet.
It’s my understanding that iOS doesn’t open zip files (certainly her phone didn’t open the file), but one of my wife’s friends just received a spoofed email from my wife. The email went like this:
It’s also possible it’s some new vulnerability that Apple hasn’t found yet, but it’s way more likely that it’s a known vulnerability that’s well publicized.
Under most circumstances a factory reset will take care of everything, but . . . you’ll want to say ‘NO’ to the restore from backup option. Which means you’ll need to reinstall every single app, doc, photo, etc. yourself. If you have a backup. So brace yourself.
And a HUGE point I must bring up, make sure you know the email and password you set the iPhone up with. Because when you do a factory reset, it will normally require those . . . and if you don’t, it’s a brick. Forever. I worked for a few years in tech support for one of the top mobile carriers, and there were more than a few times I had to break the bad news. iPhones can indeed be more secure, but if you lose/forget the Apple ID and password information, your carrier has NO information on that, and Apple support will not likely be able to help you unless you purchased it directly from an Apple Store.
ETA - oh, if you have 2 factor authentication on your Apple ID, you might want to swap the SIM to another phone temporarily so that if required, you can get the 2nd factor completed. Yes, stupid chicken and the egg issues. You can do iPhone setup over wifi in the meantime.
Infecting an iPhone with a zip file in an email attachment is virtually, if not entirely impossible. Zip attachments of this sort usually contain Windows executable .exe files which wouldn’t run on an iPhone even if the iPhone was able to extract the zip file in the first place, which it can’t. Emailed viruses almost exclusively target Windows or Android devices, and the vulnerability @iamthewalrus_3 linked is a completely different kind of attack.
Changing email passwords is prudent here, but not wiping the phone. Email address spoofing doesn’t even require someone’s computer/phone/accounts to be hacked. Spammers routinely use an email address from the list of people they’re spamming as the return address to make it look more legitimate, and to deflect the “take me off your list” responses and bounce-back messages. This is called backscatter, and there’s little you can do about it until it passes by. Beyond that though, if the email account was compromised (hence changing passwords is a good idea), or if a friend of your wife’s account was compromised, that’s how they got the names to use for their spoofed sender email addresses.
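The post above makes the point that the visible "From" address proves nothing about who actually sent a message. The header checks a recipient (or their mail admin) can run to tell a forged sender from a real one are shown below, as an added example that is not part of this thread: it compares the From domain with the envelope Return-Path, reads the receiving server's SPF/DKIM verdict from the Authentication-Results header, and pulls the relaying host out of the first Received line. Both messages, every host name, IP address and mailbox in them are constructed for the example.

```python
"""Header triage for a suspected spoofed e-mail (added example; sample messages are constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From header claims "wife@example.com", but the message was
# handed to the recipient's server by an unrelated relay and failed SPF/DKIM.
SAMPLE_SPOOF = """\
Return-Path: <bounce-1234@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.10])
    by mx.friend-mail.example (Postfix) with ESMTP id ABC123
    for <friend@friend-mail.example>; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.friend-mail.example; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "Wife" <wife@example.com>
To: friend@friend-mail.example
Subject: Invoice attached
Content-Type: text/plain

Please see attached.
"""

# Constructed sample: what the same message looks like when it really comes from example.com.
SAMPLE_LEGIT = """\
Return-Path: <wife@example.com>
Received: from mail.example.com (mail.example.com [198.51.100.5])
    by mx.friend-mail.example (Postfix) with ESMTP id DEF456
    for <friend@friend-mail.example>; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.friend-mail.example; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "Wife" <wife@example.com>
To: friend@friend-mail.example
Subject: Hello
Content-Type: text/plain

Hi there.
"""


def _domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def relay_host(raw_message):
    """Host named in the 'from' clause of the topmost Received header (the last relay)."""
    received = message_from_string(raw_message).get("Received") or ""
    match = re.match(r"from\s+(\S+)", received)
    return match.group(1) if match else ""


def spoof_indicators(raw_message):
    """Return a list of human-readable reasons to distrust the From header (empty = none found)."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From"))
    rp_dom = _domain(msg.get("Return-Path"))
    auth = (msg.get("Authentication-Results") or "").lower()
    findings = []

    # Backscatter-style spoofing: bounces go to the envelope sender, which is
    # not the domain the From header claims.
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"Return-Path domain '{rp_dom}' differs from From domain '{from_dom}'")

    # SPF verdict as recorded by the receiving server.
    spf = re.search(r"\bspf=(\w+)", auth)
    if spf is None:
        findings.append("no SPF result recorded")
    elif spf.group(1) != "pass":
        findings.append(f"SPF result is '{spf.group(1)}', not pass")

    # DKIM verdict, and whether the signing domain is the one in the From header.
    dkim = re.search(r"\bdkim=(\w+)", auth)
    dkim_dom = re.search(r"header\.d=([\w.-]+)", auth)
    if dkim is None or dkim.group(1) != "pass":
        findings.append("no passing DKIM signature")
    elif dkim_dom and dkim_dom.group(1) != from_dom:
        findings.append(f"DKIM signed by '{dkim_dom.group(1)}', not the From domain")
    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOF), ("legitimate", SAMPLE_LEGIT)):
        print(label, "relay:", relay_host(sample), "findings:", spoof_indicators(sample))
```

The Authentication-Results header is trustworthy only when it was written by your own receiving server (an attacker can add one of their own further up the chain), so a real mail filter keys on the authserv-id it expects and ignores others; the example reads whichever one is present to keep the logic short.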
The point of my link was that contrary to semi-common belief about iOS or Apple systems being secure, there are exploits of them. I didn’t intend to suggest that this specific vulnerability was the one that was used.
Sure, but exploits existing doesn’t mean they are also being utilized, and in this particular case I am not aware of zip files being a viable delivery vector, which is what’s pertinent here.
Is it possible though that the file wasn’t actually a zip file? I remember some viruses in the past would disguise themselves as a filetype, but actually be an executable or even just a link to a compromised website.
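The question above is whether the attachment was really a zip at all. The check an analyst would run, added here as an example that is not from this thread, looks at the file's leading bytes instead of trusting its extension, and for a genuine zip looks inside for members whose names hide an executable extension behind a document one. The archive it inspects is built in memory for the example; its "invoice.pdf.exe" member is a few bytes of PE header padding, not a program.

```python
"""Does an attachment's content match its filename? (added example; sample archive is constructed)."""
import io
import zipfile

# Leading bytes ("magic numbers") of common formats, mapped to the extension they imply.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),        # DOS/Windows PE executable
    (b"%PDF", "pdf"),
    (b"\x7fELF", "elf"),
]
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "jar"}


def sniff_type(data):
    """Guess the format from the first bytes; 'unknown' if no signature matches."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def claimed_extension(filename):
    """Extension the filename advertises, lower-cased ('' if none)."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def attachment_findings(filename, data):
    """Return reasons this attachment is not what it claims to be (empty list = nothing found)."""
    findings = []
    ext = claimed_extension(filename)
    kind = sniff_type(data)

    # Content signature disagrees with the extension (e.g. a PE file named .zip).
    if kind != "unknown" and ext != kind:
        findings.append(f"'{filename}' claims .{ext or '(none)'} but content looks like {kind}")

    # Executable extension, possibly hidden behind a second, harmless-looking one.
    if ext in EXECUTABLE_EXTS:
        message = f"'{filename}' has executable extension .{ext}"
        parts = filename.lower().split(".")
        if len(parts) > 2:
            message += f" hidden behind .{parts[-2]}"
        findings.append(message)

    # A real zip: apply the same checks to every member.
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    if member.endswith("/"):
                        continue  # directory entry, no content
                    for finding in attachment_findings(member, archive.read(member)):
                        findings.append(f"inside zip: {finding}")
        except zipfile.BadZipFile:
            findings.append(f"'{filename}' has a zip signature but is not a readable archive")
    return findings


def build_sample_zip():
    """Constructed sample: a zip carrying 'invoice.pdf.exe' (PE header bytes only) and a text file."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        archive.writestr("readme.txt", b"hello")
    return buffer.getvalue()


if __name__ == "__main__":
    print(attachment_findings("invoice.zip", build_sample_zip()))
    print(attachment_findings("invoice.zip", b"MZ\x90\x00"))   # an .exe renamed to .zip
```

Neither check proves a file is safe; they only catch the two disguises the post mentions (a non-zip wearing a .zip name, and an executable hiding inside an archive). A file that is genuinely a zip holding genuinely a document still gets an empty list.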
It seems odd to me that they would be able to contact someone in the wife’s contacts and know to pretend to be her without some sort of compromise.
Granted, she could have been compromised elsewhere.
My initial thought on this was that the email “from” your wife to someone in her address book was some evidence that her address book had been compromised, but it could just be that your wife and someone else were both in someone else’s address book that was compromised and the attackers are doing a bit of mix/match to try to spread.
I don’t know how likely that is (if you compromise X’s address book that has address Y and Z, would you try to send emails from X->Z or from Y->Z? I think mostly the former, but maybe not), but it’s an explanation that doesn’t require any of your wife’s data to be compromised.