
iOS Mail app hacked; spam email account installed

Defthand · macrumors 65816 · Original poster · Sep 1, 2010
Has anyone experienced the following? My partner's iPad Mail app was hacked. A spam email account, calling itself "Senior Discounts", was installed on her iPad's Mail app. The ability to sign out/delete the unwanted email account is disabled. Her only recourse was to reset the iPad to its factory settings and restore her apps and content manually. Below is a screen capture of the account info.

I'm reporting the experience here since Apple's Support portal doesn't have a discoverable link to report such concerns. Nor would Apple's communities allow me to post the experience. (The latter concerns me. Within its "walled garden", Apple is censoring any unflattering experiences with its products.)

[Attached screen capture: IMG_4908.PNG]

chabig · macrumors 604 · Sep 6, 2002
Someone probably had physical control of the iPad and added that account. It could be prevented from being deleted by locking account settings in Settings > General > Restrictions. Have him/her more carefully control who uses the iPad, and consider setting your own restrictions on accounts.

chrfr · macrumors G4 · Jul 11, 2009
> Has anyone experienced the following? My partner's iPad Mail app was hacked. A spam email account, calling itself "Senior Discounts", was installed on her iPad's Mail app. The ability to sign out/delete the unwanted email account is disabled. Her only recourse was to reset the iPad to its factory settings and restore her apps and content manually. Below is a screen capture of the account info.
>
> I'm reporting the experience here since Apple's Support portal doesn't have a discoverable link to report such concerns. Nor would Apple's communities allow me to post the experience. (The latter concerns me. Within its "walled garden", Apple is censoring any unflattering experiences with its products.)
>
> View attachment 761925
The Mail app wasn't hacked. Your partner would have most likely gone to a website that had a download to install a configuration profile which set up this email account.
If the device hadn't been wiped, you'd be able to find the configuration profile this way and remove it:
Look in the settings app under General/Profiles & Device Management and you'll see a profile which should be deleted.
See here for more information: https://discussions.apple.com/thread/7477021

Defthand · macrumors 65816 · Original poster · Sep 1, 2010
> The Mail app wasn't hacked. Your partner would have most likely gone to a website that had a download to install a configuration profile which set up this email account.
> If the device hadn't been wiped, you'd be able to find the configuration profile this way and remove it:
> Look in the settings app under General/Profiles & Device Management and you'll see a profile which should be deleted.
> See here for more information: https://discussions.apple.com/thread/7477021

That is the likely explanation.

We wiped the device before your post. I don't see a Profiles & Device Management field within Settings>General. We found the offensive account within Settings>Accounts & Passwords. However, unlike her iCloud account, this one couldn't be signed out of or deleted. In that respect, the spam account is a hack.

chrfr · macrumors G4 · Jul 11, 2009
> That is the likely explanation.
>
> We wiped the device before your post. I don't see a Profiles & Device Management field within Settings>General. We found the offensive account within Settings>Accounts & Passwords. However, unlike her iCloud account, this one couldn't be signed out of or deleted. In that respect, the spam account is a hack.
You couldn't delete or modify the account because it was added via a configuration profile. In iOS, unless you have profiles installed, you won't see the option for profile settings, so once you wiped the device you'd no longer see anything there.
The user would have had to manually approve the installation of the configuration profile in order for it to be installed. Of course, most users have no idea what a configuration profile is, and as such shouldn't blindly approve installations, but that's not how people think.
Configuration profiles in iOS (or macOS) give the author of the profile very expansive and possibly destructive access to the device and data, so installation of unknown profiles should always be denied.

Defthand · macrumors 65816 · Original poster · Sep 1, 2010
> You couldn't delete or modify the account because it was added via a configuration profile. In iOS, unless you have profiles installed, you won't see the option for profile settings, so once you wiped the device you'd no longer see anything there.
> The user would have had to manually approve the installation of the configuration profile in order for it to be installed. Of course, most users have no idea what a configuration profile is, and as such shouldn't blindly approve installations, but that's not how people think.
> Configuration profiles in iOS (or macOS) give the author of the profile very expansive and possibly destructive access to the device and data, so installation of unknown profiles should always be denied.
Thank you for the lesson. What is the purpose of profiles, particularly multiple ones?

chrfr · macrumors G4 · Jul 11, 2009
> Thank you for the lesson. What is the purpose of profiles, particularly multiple ones?
They're typically used in corporate environments to configure items on devices, like wifi connections, email accounts, security requirements, and all sorts of settings on a device. Some ISPs like Comcast distribute a configuration profile to make it simpler to connect your device to their wifi networks.
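As an added example for the profile mechanism chrfr describes in the two posts above (this is not code from the thread, from MacRumors or from Apple), here is a small Python audit script that reads an unsigned .mobileconfig with the standard-library plistlib, lists the payloads it carries, and flags PayloadRemovalDisallowed, the key that makes a profile-added account impossible to remove from Settings. The payload type names and keys are the ones Apple documents in its Configuration Profile Reference; the sample profile, the identifiers and the host imap.example.invalid are constructed for the example. A signed profile is a CMS envelope rather than a bare plist, so the script only reports that case instead of parsing it.

```python
"""Audit an iOS/macOS configuration profile (.mobileconfig) before trusting it.

Added example for this thread, not code from MacRumors or Apple. Standard library
only; payload type names and keys are Apple's documented ones, the sample profile
is constructed.
"""
import plistlib

# Payload types that change mail, network or trust settings on the device.
HIGH_IMPACT_PAYLOADS = {
    "com.apple.mail.managed": "adds a Mail account",
    "com.apple.wifi.managed": "adds a Wi-Fi network",
    "com.apple.vpn.managed": "adds a VPN configuration",
    "com.apple.webClip.managed": "adds a home-screen web clip",
    "com.apple.security.root": "installs a trusted root certificate",
}

# Constructed sample: an unsigned profile that adds an IMAP account and forbids
# removing the profile, the shape of the "Senior Discounts" account in the thread.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.seniordiscounts</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Senior Discounts</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.seniordiscounts.mail</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>EmailAccountType</key><string>EmailTypeIMAP</string>
      <key>EmailAccountDescription</key><string>Senior Discounts</string>
      <key>IncomingMailServerHostName</key><string>imap.example.invalid</string>
    </dict>
  </array>
</dict>
</plist>
"""


def is_cms_signed(data: bytes) -> bool:
    """A signed profile is a DER CMS envelope (ASN.1 SEQUENCE, tag 0x30);
    an unsigned one begins as an XML ('<') or binary ('bplist') plist."""
    return data[:1] == b"\x30"


def audit_profile(data: bytes) -> dict:
    """Return what the profile would do and why it may be hard to undo."""
    if is_cms_signed(data):
        # plistlib cannot read the CMS wrapper; check the signer with a CMS tool
        # first, then feed the inner plist back into this function.
        return {"signed": True, "display_name": None, "identifier": None,
                "removal_disallowed": None, "payload_types": [],
                "findings": ["signed CMS envelope: verify the signer, then audit the inner plist"]}
    top = plistlib.loads(data)
    findings = ["unsigned profile: nothing proves who authored it"]
    removal_disallowed = bool(top.get("PayloadRemovalDisallowed", False))
    if removal_disallowed:
        findings.append("PayloadRemovalDisallowed: the profile and the accounts it adds "
                        "cannot be removed from Settings; only a wipe clears them")
    if top.get("HasRemovalPasscode"):
        findings.append("HasRemovalPasscode: removal needs a passcode chosen by the author")
    payload_types = []
    for payload in top.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "?")
        payload_types.append(ptype)
        effect = HIGH_IMPACT_PAYLOADS.get(ptype, "unrecognised payload, review manually")
        detail = ""
        if ptype == "com.apple.mail.managed":
            detail = " '%s' via %s" % (payload.get("EmailAccountDescription", "?"),
                                        payload.get("IncomingMailServerHostName", "?"))
        findings.append("%s: %s%s" % (ptype, effect, detail))
    return {"signed": False, "display_name": top.get("PayloadDisplayName"),
            "identifier": top.get("PayloadIdentifier"),
            "removal_disallowed": removal_disallowed,
            "payload_types": payload_types, "findings": findings}


if __name__ == "__main__":
    report = audit_profile(SAMPLE_PROFILE)
    print("Profile:", report["display_name"], "(%s)" % report["identifier"])
    for line in report["findings"]:
        print(" -", line)
```

Run it against a downloaded .mobileconfig before tapping Install: a hit on PayloadRemovalDisallowed, or a mail, VPN or root-certificate payload the user did not ask for, is the signal to decline, and the same keys are what an administrator looks for when a device shows an account that refuses to sign out.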

macduke · macrumors G4 · Jun 27, 2007 · Central U.S.
Didn't know this was a thing. Apple should give an extra warning or require signing of anything installed via Safari. Or just block installation of these profiles in Safari by default.

C DM · macrumors Sandy Bridge · Oct 17, 2011
> Didn't know this was a thing. Apple should give an extra warning or require signing of anything installed via Safari. Or just block installation of these profiles in Safari by default.
Well, profiles do require user acceptance to be installed.

macduke · macrumors G4 · Jun 27, 2007 · Central U.S.
> Well, profiles do require user acceptance to be installed.
Yeah, but as someone who has done a lot of UX work, something that can seriously cause problems like this shouldn't be a one-tap-to-accept affair. Defaults matter and defaulting Safari to not accept these profiles (with the ability to override these settings when a device is provisioned for whatever edge-case scenario) means that over 99% of users won't ever have this happen to them, lowering the attack vector and making it unlikely that anyone would still continue to keep up with this exploit in the future which makes the <1% safer as well.

campyguy · macrumors 68040 · Mar 21, 2014
OP, what you're describing is nothing new. I run a small company with around 50 employees and most of them carry an iPhone and a cellular iPad. I keep up on the latest scams so my employees don't have to. I started seeing chatter like this on the interwebs around 2 years ago. The two employees that succumbed to exactly what you're describing had one setting in common - they brought their own device and added my company's credentials (I was on vacation at the time).

Both employees had the "load remote images" setting enabled, which is against my company policy. Both of them insisted that they did not install or accept a profile, and I believed them as it was along the lines of what I was reading online at the time. Multiple times I've intercepted TIFF images with embedded code, going back 15 years. With my other employees who abide by my restrictions, I've never had an issue like the one you've described. Google "take over ipad email senior discounts" and you'll get an idea of how far back this bit goes...

C DM · macrumors Sandy Bridge · Oct 17, 2011
> Yeah, but as someone who has done a lot of UX work, something that can seriously cause problems like this shouldn't be a one-tap-to-accept affair. Defaults matter and defaulting Safari to not accept these profiles (with the ability to override these settings when a device is provisioned for whatever edge-case scenario) means that over 99% of users won't ever have this happen to them, lowering the attack vector and making it unlikely that anyone would still continue to keep up with this exploit in the future which makes the <1% safer as well.
I could be recalling it wrong, but I think passcode is also required for installation (assuming the device uses one).

> OP, what you're describing is nothing new. I run a small company with around 50 employees and most of them carry an iPhone and a cellular iPad. I keep up on the latest scams so my employees don't have to. I started seeing chatter like this on the interwebs around 2 years ago. The two employees that succumbed to exactly what you're describing had one setting in common - they brought their own device and added my company's credentials (I was on vacation at the time).
>
> Both employees had the "load remote images" setting enabled, which is against my company policy. Both of them insisted that they did not install or accept a profile, and I believed them as it was along the lines of what I was reading online at the time. Multiple times I've intercepted TIFF images with embedded code, going back 15 years. With my other employees who abide by my restrictions, I've never had an issue like the one you've described. Google "take over ipad email senior discounts" and you'll get an idea of how far back this bit goes...
I don't think there's any sort of automatic profile installation in iOS, especially via "load remote images" option in email.

cmaier · macrumors Core · Jul 25, 2007 · California
> Yeah, but as someone who has done a lot of UX work, something that can seriously cause problems like this shouldn't be a one-tap-to-accept affair. Defaults matter and defaulting Safari to not accept these profiles (with the ability to override these settings when a device is provisioned for whatever edge-case scenario) means that over 99% of users won't ever have this happen to them, lowering the attack vector and making it unlikely that anyone would still continue to keep up with this exploit in the future which makes the <1% safer as well.
It's not one click. You have to enter your PIN or authenticate, and you are told beforehand what the profile does.

macduke · macrumors G4 · Jun 27, 2007 · Central U.S.
> I could be recalling it wrong, but I think passcode is also required for installation (assuming the device uses one).
I can't remember either. I know I get a lot of carrier updates for T-Mobile and so maybe customers get confused and think it's something like that? Wonder if these people are spoofing carrier update messages by using misleading text.

campyguy · macrumors 68040 · Mar 21, 2014
> I don't think there's any sort of automatic profile installation in iOS, especially via "load remote images" option in email.
There isn't that I'm aware of, agreed. It's a process of accepting, installing, rebooting - that much most of us know. Having coded a bit myself I know it's easy to wreak havoc, and none of us know iOS like Apple. And hackers...