Security News

Apple flaw puts iPhones & iPads at risk

Avast Security News Team, 24 April 2020

Plus, a new phishing scam preys on job insecurity, and a database of over 300 million Facebook profiles sells for about $620 on the dark web

Security researchers found a vulnerability in iOS software that may have allowed hackers to steal data from almost a billion Apple devices over the past two years. Reuters reported that a California-based security firm discovered the bug while investigating a client’s cyberattack that occurred in late 2019. The attack exploited a flaw whereby a blank email sent to the victim triggers a crash and reset of the iOS Mail app, swinging open a backdoor for hackers in the process. The attackers then gain access to whatever information is kept in the Mail app, such as contact lists, photos, and confidential messages.  

The researchers said they found evidence that the flaw was exploited as far back as January 2018, and it still exists even in the most current iOS version, rendering all iPhones and iPads vulnerable. In 2019, Apple claimed there were 900,000 iPhones in active use. The company acknowledged the vulnerability, stating that a fix has been developed and will be issued as a forthcoming update. 

“This is an extremely serious vulnerability that allows any attacker access to a victim’s emails just by sending an email, and it has been around for years,” commented Avast Security Evangelist Luis Corrons. “The good news is that it seems the flaw has only been exploited by a state sponsored group, so it hasn’t been used to widely attack all iOS users. Nevertheless, now that it is known, groups of bad actors will try to exploit this security hole, so all users need to update as soon as the patch is released.”

New phishing scam preys on layoff fear

Amidst an unstable economy in the face of a pandemic, many employees worry about being terminated, and a new phishing campaign has emerged to take advantage of this job insecurity. SC Magazine reported that the newly uncovered scam pretends to be a Zoom invite from the victim’s human resources division. When victims click on the provided link, it takes them to a phony Zoom landing page where they’re asked to enter their login credentials, the targeted loot of this campaign. Researchers said both the email and the Zoom landing page look legitimate, so users are advised to remain vigilant and not panic into clicking the link.

This week’s quote

“Think of it as skipping two generations on a smartphone upgrade.”

- Grant McCormick, a cybersecurity researcher commenting on the Zoom encryption update that will take effect on May 30

US healthcare industry targeted by COVID-19 phishing scams

The FBI issued a flash alert this week about a surge in targeted email phishing attempts against U.S.-based medical providers. The malicious emails tease new information about the coronavirus pandemic, with subject lines such as “COVID-19 Update!!” and “Business Contingency alert - COVID 19.” The malicious emails urge recipients to open the accompanying attachments for more information, but those attachments contain infected files that spread malware to the victim’s system. The bureau offers advice to mitigate risk, suggesting healthcare companies keep their software up to date and be wary of all attachments, even from known senders. 

US small business relief loan applications suffer data breach

Nearly 8,000 applicants to the Economic Injury Disaster Loan (EIDL) program may have been affected by a data breach that allowed applicants to see each other’s personal information such as names, Social Security numbers, home and email addresses, birth dates, phone numbers, and insurance information. The U.S. Small Business Administration (SBA), which runs the program, said that it has addressed the issue on the EIDL website and has notified potential victims of the breach. More on this story in The Washington Post.

This week’s stat

10,000 people!

That’s how many users were tricked by scam websites into purchasing a “Pandemic Survival Guide” with questionable advice. Read the investigation by our Threat Intelligence Team.

UK scam hotline takes down 83 malicious sites in 1 day

Within 24 hours of the National Cyber Security Centre (NCSC) in the UK urging the public to use a new hotline to report suspicious emails and phishing scams, over 5,000 reports were called in, leading to the takedown of 83 cybercriminal campaigns. ZDNet reported that while the hotline was created to mitigate the surge in coronavirus-related scams that target people working from home, it’s a public service the general population of the UK can use to report any type of cyber scam. 

Over 300M Facebook profiles for sale on dark web

At a price of only £500 (about $623), bad actors are selling over 300 million Facebook profiles in underground forums. The profiles do not include any passwords, but they contain other data like full names, phone numbers, email addresses, birth dates, and unique Facebook IDs, which could arm an attacker with enough information to launch targeted spear phishing campaigns, pretending to be Facebook and attempting to trick victims into divulging their passwords. Learn more at Bleeping Computer.

This week’s ‘must-read’ on The Avast Blog

Worried about what government virus contact tracing apps will mean for privacy and security? Learn more about them on the Avast Blog.


Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all your devices with our award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN. Get advertisers off your back and disguise your online identity for greater privacy with Avast AntiTrack.