NewsBite

iOS code expert shows devastating potential of simple iPhone phishing attack

IT LOOKS exactly like a common iOS prompt but this “easy” trick could burn you — and it’s pretty much impossible to detect.

APPLE users are being warned about a potential iPhone phishing attack which could be used to steal their credit card and personal details in just seconds.

The phishing scam looks like the familiar pop-up which routinely prompts iPhone users to enter their Apple ID password when doing things like downloading apps or upgrading the operating system — and it’s nearly impossible to tell the difference.

It’s not believed such a phishing scam is currently in the wild but Apple iOS code researcher Felix Krause has demonstrated just how simple it is to create a fake Apple ID login form and steal people’s personal details.

In a blog post this week he showed how he could “easily get the user’s Apple ID password, just by asking”. The result is quite eyebrow-raising, to say the least.

Can you tell the difference between the real pop-up and the phishing attack below?

The one on the left is legitimate, while the one on the right is not.
Again, they look identical.

“The goal of this blog post is to close the loophole that has been there for many years, and hasn’t been addressed yet,” Mr Krause wrote.

“For moral reasons, I decided not to include the actual source code of the pop-up, however it was shockingly easy to replicate the system dialogue.”

The most common phishing attacks are usually deployed via e-mail and are designed to trick the victim into clicking a malware-infected link or giving up their details which can be used to burrow into their digital life.

Phishing attacks within mobile apps are much less common and what makes this one so potentially dangerous is the fact that iPhone users are so accustomed to the ‘Enter your Apple ID’ pop-up.

“As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so,” he wrote. “This could easily be abused.”

HOW TO PROTECT YOURSELF

According to Mr Krause, if you’re presented with a pop-up you think might be dubious, hit the home button and see if the app quits.

“If it closes the app, and with it the dialogue, then this was a phishing attack,” he wrote.

However, if the dialogue box and the app are still visible, then it’s a legitimate system prompt from Apple. “The reason for that is that the system dialogues run on a different process, and not as part of any iOS app.”

Alternatively, if you want to be on the safe side you can dismiss the pop-up box and go into ‘Settings’ to enter your ID password manually.

Apple has been contacted for comment.

Originally published as iOS code expert shows devastating potential of simple iPhone phishing attack

Original URL: https://www.adelaidenow.com.au/technology/smartphones/ios-code-expert-shows-devastating-potential-of-simple-iphone-phishing-attack/news-story/41e55be529594f557cb011abdfc81101