
frex

Original poster
Hi, fellow iOS users, I just got a weird phishing msg from an unknown sender with no phone number or email shown, likely SMS via a Verizon US line (or the attacker is sophisticated enough to fake it), and judging from what I saw, it also seemed to trigger some bug in the Messages app that mixes up data from different conversations.
I shut down the phone and emailed product-security@apple.com for help. Meanwhile, has anyone else experienced or heard of this? Is this a new undisclosed vulnerability / attack?

Full story:
I just got a weird message from an unknown sender.

And I tapped into the message.

Green send button, so it's likely a text SMS, not iMessage.

Not tapping the link for sure, but I tapped the info.

(I'm on eSIM+physical, Business line is Verizon Wireless)

And info of this contact again, no email or phone number!

I was alerted and went into airplane mode.
Now, scrolling down a bit on the previous screen, it has some recent links I shared with a few different contacts!!!
(preview/text blurred for privacy)

And I double-checked again: this phone is on 14.5.1 (likely OTA updated a few nights ago).

Copied all screenshots and shut it down for now.
 

Looks like a phishing attempt to get access to a BoA account (if you happen to have one). Delete the message. No harm has been done to you.

Maybe no harm, but the truth is you never know. There were about 4 min between when the phone got the msg and when I airplaned it.
Regardless, I fully restored it.
 
Text messages can be sent without an email or contact phone number for the recipient to view. For example, 2FA SMS codes will frequently display a name, like Amazon or Twitter, but there will be no email or phone number to view.
 
I got almost the exact same message on Friday. I deleted it, and soft reset my phone. Everything was fine after that.
 
OP (@frex). You went a bit OTT with airplane and restoring.

As long as you didn’t tap the link, and just deleted it, you would be OK. These SMS scam phishing texts happen often. Just report to your carrier and delete.

My GP (doctors for you Americans), bank, and all sorts, send SMS all the time from text instead of a number, so it’s not hacking or anything to do so. We also get phishing texts in the same way.

 
Thank you for the reply @Ansath @humpbacktwale

What alarmed me, and what you might have missed in my post, was the fact that when I tap the bogus contact who sent the phishing msg, it shows multiple links and pictures I shared with another real person. I don't think iMessage business accounts and short SMS numbers work like that.

Not sure if @AdamNC has made the exact same observation; if they have, it's a pretty serious bug, I think.
 

OP: I don't think there's anything wrong with restoring from a backup that predates suspicious behavior. All you lose is some time and, depending on how recently your backup was done, maybe some data. That's better than endlessly worrying, right?

I agree with earlier posters that as long as you did not click the hyperlink or respond to the text in any way, the attacker probably wasn't able to do anything to your phone.

Further, I believe the "associated content" presented by iOS is likely to be the result of how Siri/iOS is designed to behave when a new or unknown contact is encountered. I don't have any unwanted texts on my phone at the moment to test this but I think there's a good chance the links and pictures you saw are simply the most recent things you shared with somebody. Apple might have decided it is better to always populate that screen with something, even if there's no interaction history to guide Siri/iOS. In any case, you can always ask a friend, family member, or colleague to send you a text from a "new" number and see what happens.
 