Researchers at Cisco Talos have discovered a new click fraud campaign that puts iPhone users at risk. The same technique can be used for far more critical malicious actions.
According to Cisco Talos Intelligence, there is a website that is capitalising on a flaw in legacy iOS to trick iPhone users. The website, named Checkrain, promises to help users leverage the Checkm8 vulnerability to jailbreak their iPhone. However, instead of jailbreaking a device, Checkrain prompts users to download a malicious profile that cybercriminals then use to conduct click fraud.
How the fake campaign works
The attackers being tracked by Cisco Talos prey on users searching for the legitimate Checkrain project. The fake site tries to appear legitimate by claiming to work with jailbreaking researchers such as CoolStar and Google Project Zero’s Ian Beer, but contains several giveaways indicating it’s fake – including the mention of the A13 chipset. Only iOS devices running on the A5 to A11 chipsets are vulnerable to Checkm8. Further, the site suggests that the Checkrain jailbreak can be installed without a PC, when in reality the Checkm8 exploit requires the iOS device to be in DFU mode. Finally, Cisco Talos points out that the actual site doesn’t have an SSL certificate, while the fake site uses an SSL certificate from LetsEncrypt.
Any user visiting the fake website is asked to install a «mobileconfig» profile on their iOS device. Once installed, a Checkrain icon appears on the user’s springboard. The icon, however, is a bookmark allowing users to click on the jailbreak app and prepare the fake jailbreak. At the end of the process, users will notice multiple redirects occurring on their device. «This ultimately occurs in click-fraud, resulting in multiple verification chains and then finishing on an iOS game install, with in-app purchases available», the researchers from Cisco Talos explain.
Cisco Talos found that most victims of the fake site are based in the US, the UK, France, Vietnam, Australia, Canada, Turkey, the Netherlands and Italy.
Jailbreaking is a major security risk
The fake Checkrain site simply leads to click fraud, but Cisco Talos points out that the same technique could be used for more malicious and critical actions. Instead of a web clip profile, the attackers could implant their own MDM enrolment.
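The lure described above works because a configuration profile is just a property list that iOS will install from a web page, and a profile that contains only a web clip payload (the home-screen bookmark) cannot jailbreak anything, while the same delivery path could just as easily carry an MDM enrolment payload. The following Python script is an added example, not code from Cisco Talos or from the Checkrain project: it triages a profile before installation by listing its payload types and flagging the two discussed here. The sample profile, its URL and its identifiers are constructed placeholders; the `com.apple.webClip.managed` and `com.apple.mdm` PayloadType values are Apple's documented identifiers for those payloads.

```python
"""Triage an iOS .mobileconfig profile before it is installed.

Added example for the campaign described in the article: the lure delivers a
configuration profile whose only content is a web clip (a home-screen bookmark),
and the same delivery path could carry an MDM enrolment payload instead.
"""
import plistlib

# Apple's documented PayloadType identifiers for the two payloads discussed.
WEBCLIP_TYPE = "com.apple.webClip.managed"
MDM_TYPE = "com.apple.mdm"

# Constructed sample: what a web-clip-only lure profile looks like as a plist.
# The URL and identifiers are placeholders, not values from the real campaign.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Jailbreak Tool</string>
  <key>PayloadIdentifier</key><string>example.lure.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadIdentifier</key><string>example.lure.webclip</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Label</key><string>Jailbreak</string>
      <key>URL</key><string>https://fake-jailbreak.example/start</string>
      <key>IsRemovable</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""


def load_profile(data: bytes) -> dict:
    """Parse an unsigned profile. Signed profiles are CMS/DER blobs (first byte
    0x30) and must be unwrapped first, e.g. with
    `openssl smime -verify -inform der -noverify`, so we refuse to guess."""
    if data[:1] == b"\x30":
        raise ValueError("CMS-signed profile: extract the inner plist before triage")
    return plistlib.loads(data)


def triage(profile: dict) -> list:
    """Return one finding per payload as (severity, payload type, detail)."""
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == WEBCLIP_TYPE:
            # A web clip is only a bookmark: the icon opens a URL in Safari,
            # which is exactly how the redirect chain in the article starts.
            detail = f"home-screen icon '{payload.get('Label', '')}' opens {payload.get('URL', '')}"
            if not payload.get("IsRemovable", True):
                detail += " (user cannot remove it)"
            findings.append(("medium", ptype, detail))
        elif ptype == MDM_TYPE:
            # Enrolment hands device management to the server named here.
            findings.append(("high", ptype, f"enrols device with {payload.get('ServerURL', '')}"))
        else:
            findings.append(("info", ptype, "review manually"))
    return findings


def has_only_webclips(profile: dict) -> bool:
    """A 'jailbreak' profile made of nothing but bookmarks cannot jailbreak
    anything; that mismatch between claim and content is the tell."""
    types = [p.get("PayloadType") for p in profile.get("PayloadContent", [])]
    return bool(types) and all(t == WEBCLIP_TYPE for t in types)


if __name__ == "__main__":
    prof = load_profile(SAMPLE_PROFILE)
    for severity, ptype, detail in triage(prof):
        print(f"[{severity}] {ptype}: {detail}")
    print("web clips only:", has_only_webclips(prof))
```

Run it against a downloaded `.mobileconfig` by replacing `SAMPLE_PROFILE` with the file's bytes. A profile that advertises a jailbreak but reports `web clips only: True` is the lure pattern from this campaign; any `com.apple.mdm` finding on a profile a user was talked into installing from a web page deserves the higher severity the script assigns.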
Jailbreaking is used legitimately by researchers and users, but it can leave your phone and data open to attack. An attacker could jailbreak a device for malicious purposes, eventually obtaining full control of the device.