
Beware of Scam Obituary Sites and Fake iPhone Security Warnings

A long-time TidBITS reader contacted me yesterday in a slight panic. While searching for an obituary on his iPhone, he tapped on a possible result in the Google search results. The site he was sent to issued a series of dire warnings about how his iPhone had become infected.

He panicked slightly but immediately closed Safari and hoped for the best. However, 10 minutes later he received an email from 1Password informing him of logging in from a new device or browser extension. This threw him for a loop, so he contacted 1Password support, who confirmed it was a legitimate, coincidental message, seemingly unrelated to the malicious site visit.

I want to share how I helped reassure him that there was no reason to worry so you can repeat the process if you or someone you know is faced with a similar lure to web-based malware.

1Password Notification Review

I was first curious about the IP address identified by 1Password. When I asked my friend to check it using What’s My IP, he confirmed that it was indeed his IP address as the source of his new connection. This confirmed that it was at least one of his devices on his network, and not a malicious third party elsewhere on the internet.

While it’s not inconceivable that malware could have compromised one of his devices and logged into 1Password from it, it’s quite unlikely because of an additional step that 1Password requires: you need both your account password and a Secret Key to log in. (The Secret Key is a randomly generated second secret that is combined with the account password to create the encryption key that protects your data. It is stored only locally on your devices, never on 1Password’s servers.) It is extremely unlikely that malware could have exfiltrated the Secret Key from local storage, decrypted it, and combined it with the account password to log in. Nothing is impossible, but malware with that capability would be used by criminals or governments against high-value targets, not against random people browsing the web.
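To make the two-secret point concrete, here is a toy key derivation in the same spirit, written for this article rather than taken from 1Password. It is not 1Password’s real construction: the PBKDF2 and HKDF parameters, the XOR combination, the Secret Key format and the HMAC “verifier” used in place of a real authentication protocol are all simplifying assumptions. What it does show is the property that matters: an attacker who phishes the account password, or who exfiltrates the Secret Key, still cannot derive the vault key without the other half.

```python
"""Toy two-secret key derivation (added illustration, not 1Password's code).

Assumptions: PBKDF2-HMAC-SHA256 over the human-chosen password, a minimal
RFC 5869 HKDF over the high-entropy Secret Key, and an XOR of the two outputs
so that the vault key depends on both. The Secret Key alphabet and grouping
are also assumptions chosen for readability.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000          # assumed; real products tune this higher
KEY_LEN = 32
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # unambiguous characters (assumption)


def generate_secret_key(nchars: int = 26) -> str:
    """Random, device-resident secret, shown in dash-separated groups."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(nchars))
    return "-".join(raw[i:i + 6] for i in range(0, nchars, 6))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """Minimal HKDF (extract, then expand) per RFC 5869."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(password: str, secret_key: str, salt: bytes) -> bytes:
    """Slow KDF for the guessable password, fast KDF for the random Secret Key,
    XORed so neither secret alone reproduces the key."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                  PBKDF2_ITERATIONS, KEY_LEN)
    sk_part = hkdf_sha256(secret_key.replace("-", "").encode(), salt, b"secret-key")
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def enroll(password: str, secret_key: str) -> dict:
    """What a server could store: a salt and a keyed verifier, neither secret."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(password, secret_key, salt)
    return {"salt": salt,
            "verifier": hmac.new(key, b"verifier", hashlib.sha256).digest()}


def unlock(record: dict, password: str, secret_key: str) -> bool:
    """Constant-time check that both secrets reproduce the enrolled key."""
    key = derive_vault_key(password, secret_key, record["salt"])
    candidate = hmac.new(key, b"verifier", hashlib.sha256).digest()
    return hmac.compare_digest(candidate, record["verifier"])


def demo() -> dict:
    """Constructed scenario: legitimate owner vs. two partial-knowledge attackers."""
    password = "correct horse battery staple"
    secret_key = generate_secret_key()
    record = enroll(password, secret_key)
    return {
        "both": unlock(record, password, secret_key),
        # attacker phished the password but has no Secret Key (guesses one)
        "password_only": unlock(record, password, generate_secret_key()),
        # attacker exfiltrated the Secret Key but does not know the password
        "secret_key_only": unlock(record, "wrong password", secret_key),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence is the one the article draws: a notification that a new device signed in is far more likely to be your own device (or a benign trigger) than malware, because a remote attacker needs both secrets, and the second one never leaves your hardware.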

I can’t explain why my friend received this notification when he hadn’t manually signed in to 1Password on his iPhone or Mac. Research suggests that the message can be triggered by force-quitting Safari, using iCloud Private Relay, clearing the browser’s cache or history, updating the 1Password extension, a dynamic IP address change (which can make 1Password think it is running on a new device or from a new location), or updating 1Password or Safari. Unexplained 1Password notifications seem rare, so it’s not that these activities will necessarily trigger a new-connection notification, just that they could.

Malicious Website Investigation

Based on years of reading about iPhone security, I’m convinced that iOS is well hardened against attacks from random websites. This is partly because Apple’s hardening efforts have been so effective that an exploit that could compromise an iPhone from a mere website visit would be worth millions: any ethically challenged person who discovered one would sell it or use it for targeted attacks against, for example, people holding large amounts of cryptocurrency. Anyone else would report it to Apple.

So I repeated my friend’s Google search and found the site he tapped on, as well as several others, all with article publication dates of November 13, 2024. The offending site was poorly built in WordPress and contains what appear to be AI-generated obituaries. You can tell from sentences like “His sudden passing (insert date) left those who knew him struggling with loss.” Other signs include sketchy gambling advertisements on the pages and the fact that the name of the deceased changes between the title and the text. Oops.
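The tells just described (leftover template placeholders, a name that differs between title and body, gambling ads, scareware text and a redirect to the App Store) are easy to check mechanically. The following scanner is an added example written for this article, not anything TidBITS or the site operator runs; the HTML pages it inspects are constructed here to resemble the pattern described, and the keyword lists and regular expressions are assumptions that a real deployment would extend.

```python
"""Heuristic scan for AI-generated scam obituary pages (added example).

Every pattern below is an assumption modelled on the signs described in the
article; the two sample pages are constructed for this example.
"""
import re
from html import unescape

# Leftover template placeholders such as "(insert date)" or "[Name]".
PLACEHOLDER_RE = re.compile(
    r"\((?:insert|enter|add)\b[^)]*\)|\[(?:name|date|city)[^\]]*\]", re.I)
# Two capitalised words in a row: a crude personal-name detector.
NAME_RE = re.compile(r"\b([A-Z][a-z]+ [A-Z][a-z]+)\b")
GAMBLING_RE = re.compile(r"\b(casino|slots?|sportsbook|betting|jackpot)\b", re.I)
# "your iPhone has been infected", "device is compromised", ...
SCARE_RE = re.compile(
    r"(iphone|device|phone)[^.!]{0,40}(infected|compromised|hacked|virus)", re.I)
# Meta-refresh or JavaScript redirect straight into the App Store.
APPSTORE_REDIRECT_RE = re.compile(
    r"(?:http-equiv=[\"']refresh[\"'][^>]*url=|location\.(?:href\s*=|replace\s*\()\s*[\"'])"
    r"https?://apps\.apple\.com", re.I)


def _strip_tags(fragment: str) -> str:
    return unescape(re.sub(r"<[^>]+>", " ", fragment))


def analyze_obituary_page(html: str) -> list:
    """Return the list of scam indicators found, in a fixed order."""
    findings = []
    title_match = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    title = unescape(title_match.group(1)) if title_match else ""
    # Drop <head> so the title's own name does not count as body text.
    body_html = re.sub(r"<head>.*?</head>", " ", html, flags=re.I | re.S)
    body = _strip_tags(body_html)

    if PLACEHOLDER_RE.search(body):
        findings.append("template_placeholder")
    title_names = set(NAME_RE.findall(title))
    body_names = set(NAME_RE.findall(body))
    if title_names and body_names and not (title_names & body_names):
        findings.append("name_mismatch")
    if GAMBLING_RE.search(body):
        findings.append("gambling_ads")
    if SCARE_RE.search(body):
        findings.append("scareware_alert")
    if APPSTORE_REDIRECT_RE.search(html):      # raw HTML: the redirect is in script/meta
        findings.append("app_store_redirect")
    return findings


# Constructed sample: the pattern described in the article (fictional names, fake URL).
SCAM_PAGE = """<html><head><title>Obituary: Robert Ellison has passed away</title></head>
<body>
<p>The sudden passing (insert date) of Michael Ellison left those who knew him
struggling with loss.</p>
<p>Play now at the best casino slots online!</p>
<div class="alert">Warning: your iPhone has been infected with 3 viruses!</div>
<script>setTimeout(function(){location.href="https://apps.apple.com/app/idEXAMPLE"},1000)</script>
</body></html>"""

# Constructed sample: an ordinary, consistent obituary (fictional).
LEGIT_PAGE = """<html><head><title>Margaret Holloway Obituary (1941-2024)</title></head>
<body><p>Margaret Holloway, 83, of Springfield, died peacefully on March 3, 2024,
surrounded by family. A service will be held at First Presbyterian Church on March 9.</p>
</body></html>"""

if __name__ == "__main__":
    print("scam:", analyze_obituary_page(SCAM_PAGE))
    print("legit:", analyze_obituary_page(LEGIT_PAGE))
```

None of these indicators is proof on its own (a real obituary site can carry ad network junk), but a page that trips several of them at once, and was published the same day as dozens of siblings, is exactly the search-result bait described here.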

Once loaded, the sites quickly began displaying dire alerts claiming that my iPhone had been compromised and suggesting a system cleaner app or VPN.

Tapping one of the links loaded a second page that immediately redirected to a system cleaner or VPN app in the App Store. I don’t know whether these apps are legitimate, although I have my suspicions. I may be willing to visit malicious sites in Safari, but I’m not reckless enough to install potentially malicious apps on anything but a dedicated test device.

I will not link to these apps, but I have reported them to Apple for investigation.

Lessons

What can we learn from this experience?

  • Coincidences happen: My friend was worried about the 1Password notification, but as far as I know, it was just a coincidence. Just because two events occur near each other does not necessarily mean they are related.
  • Don’t panic: The Hitchhiker’s Guide to the Galaxy was right. Just because a website displays an alarming alert doesn’t mean anything bad has happened. Scammers try to bypass your rational mind by invoking fear and danger.
  • Close the tab or window: To make the fraudulent website go away, tap the Safari tab button in the lower-right corner on an iPhone or iPad and close the offending tab. On a Mac, close the window with Command-W. If you can’t get the tab button to appear on an iPhone or iPad, tap the very top of the page, which usually reveals Safari’s toolbars.
  • Don’t install random apps: If a website you didn’t intend to visit suggests that you install an app and then redirects you to the App Store, don’t do it. Although Apple reviews all apps in the App Store, its review process is far from foolproof: there are examples of legitimate apps being mistakenly rejected while questionable apps get through. Always evaluate an app’s trustworthiness on factors beyond its presence in the App Store.
  • Obituaries are easily falsified: Perhaps the most disturbing aspect of this scam is the way it preys on grieving people, especially the elderly. Since obituaries tend to follow a similar form, they are easy to fake, and it would not be difficult to build a site that automatically generates obituaries for every name imaginable. (Sites that exploit obituaries to generate search traffic, and thus ad impressions, with bad AI-generated obituaries, including ones for living people, are equally offensive.)

Stay alert out there.