According to researchers at Cisco Talos Intelligence, there is a website that is capitalizing on a flaw in legacy iOS to trick iPhone users. The website, named Checkrain, promises to help users leverage the Checkm8 vulnerability to jailbreak their iPhone. In actuality, the only thing that users looking to jailbreak get from Checkrain is a nasty infection and a headache to follow in trying to clean their system.
Cisco Talos researchers state the following about the infection process in their blog post:
With this fake Checkrain[.]com iOS jailbreak, the user is asked to install a “mobileconfig” profile on their iOS device obtained from hxxps://Checkrain[.]com/checkra1n.mobileconfig note the SSL certificate used is LetsEncrypt generated certificate and also the name “checkra1n” is the real name of the available jailbreak. The real checkra1n website does not use an SSL certificate. This is another step the actor has most likely employed in an attempt to draw the user in.
Once the app is downloaded and installed, a Checkrain icon appears on the user’s iOS springboard. The icon is in fact a kind of bookmark to connect on a URL. This icon may look like an app from the user’s perspective, but it actually doesn’t work like one at all on the system level... you will notice multiple redirects occurring on the user’s iOS device. This ultimately occurs in click-fraud, resulting in multiple verification chains and then finishing on an iOS game install, with in-app purchases available. The chain used in this processes through several ad-tracking, verification, geolocation and, finally, campaign delivery. In this case, it downloads from the Apple store an iOS app called “POP! Slots,” a slot machine game.
The fact that Checkrain can leverage a LetsEncrypt SSL certificate lends credibility to the website which is, of course, a massive issue that devs at LetsEncrypt should fix. This is not the first, nor the last likely, time that LetsEncrypt has issued SSL certificates to malicious websites and this is a huge issue. It is likely that this, along with iPhone users not doing their homework on a website, has allowed a decent amount of individuals to fall victim to this clickjacking scheme. According to Cisco Talos, the vast majority of victims of Checkrain appear to be localized to the United States. Other countries have been targeted by this scheme, however, including the United Kingdom, France, Nigeria, Iraq, Vietnam, Venezuela, Egypt, Georgia, Australia, Canada, Turkey, Netherlands, and Italy.
Take extra care when trying to jailbreak your iPhone, else you wind up like these unlucky folks.
Featured image: Flickr/Miki Uchida