Fake iOS jailbreak could endanger iPhone users

Cisco Talos recently discovered that cybercriminals have created a bogus website to take advantage of users trying to jailbreak their iPhones.

However, instead of freeing a user's device, the site simply invites users to download a malicious profile that attackers then use to perform click fraud.

Checkm8 is a bootrom vulnerability that affects legacy iPhone models from the 4S through the X. The campaign discovered by Cisco Talos piggybacks on a project called checkra1n, which uses the checkm8 vulnerability to alter an iPhone's boot process and load a jailbroken image onto the device.

The Checkm8 vulnerability can be exploited with the help of an open source tool called "ipwndfu" developed by axi0mX, and the attackers tracked by Cisco Talos run a malicious website, checkrain.com, that targets users searching for the legitimate checkra1n project.

CheckRain

The fake checkra1n site tries to look legitimate by claiming to be the work of well-known jailbreak researchers such as CoolStar and Ian Beer of Google Project Zero. The page asks users to download an application to jailbreak their phone, but there is no application: what the attackers actually install on the user's device is a malicious configuration profile.

When a user visits the fake website for the first time, a download button appears. Cisco Talos identified several problems with the site, including a claim that it supports A13 devices, which are not vulnerable to Checkm8, a clear sign that the website is not legitimate.

The website also claims that users can install the checkra1n jailbreak without a PC, but the Checkm8 exploit requires the iOS device to be placed in DFU mode and exploited over an Apple USB cable. Another tell: the fake checkra1n site uses a Let's Encrypt SSL certificate, while the real site doesn't even have an SSL certificate.

Once the user taps the download button, what appears to be an application with a checkra1n icon is downloaded and installed on the iPhone. Although the icon looks like a normal application, it is actually a placeholder that simply opens a URL.
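
A profile that only drops a URL-opening icon on the home screen can be spotted before it is trusted. The following is an added example, not code from the Talos write-up or the campaign; it assumes the profile is a standard iOS .mobileconfig carrying a web clip payload (PayloadType com.apple.webClip.managed, the iOS mechanism for an icon that just opens a URL). The sample profile, its names and its URL are constructed placeholders.

```python
import plistlib

# Constructed sample .mobileconfig: one web clip payload and nothing else.
# Names, identifiers and the URL are placeholders, not values from the campaign.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>checkra1n</string>
  <key>PayloadIdentifier</key><string>example.placeholder.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.webClip.managed</string>
    <key>PayloadIdentifier</key><string>example.placeholder.webclip</string>
    <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
    <key>Label</key><string>checkra1n</string>
    <key>URL</key><string>https://fake-jailbreak.example.invalid/app</string>
    <key>IsRemovable</key><false/>
    <key>FullScreen</key><true/>
  </dict></array>
</dict></plist>
"""

WEBCLIP = "com.apple.webClip.managed"


def audit_profile(raw):
    """Return one finding per web clip payload in a .mobileconfig.

    A web clip installs no application: the icon is a bookmark that opens URL
    when tapped. IsRemovable=false and FullScreen=true make the fake harder to
    notice and remove, so both are reported alongside the target URL.
    """
    profile = plistlib.loads(raw)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != WEBCLIP:
            continue
        reasons = ["home-screen icon is a web clip, not an app"]
        if not payload.get("IsRemovable", True):
            reasons.append("user cannot delete it from the home screen")
        if payload.get("FullScreen", False):
            reasons.append("opens full screen, hiding the address bar")
        findings.append({"label": payload.get("Label"),
                         "url": payload.get("URL"), "reasons": reasons})
    return findings


def looks_like_fake_jailbreak(raw):
    """True when every payload is a web clip: the profile delivers no app at all."""
    content = plistlib.loads(raw).get("PayloadContent", [])
    return bool(content) and all(p.get("PayloadType") == WEBCLIP for p in content)
```

Run `audit_profile` on any profile offered by a download page before tapping "Install" in Settings; a jailbreak that arrives as nothing but a web clip is a bookmark, not a jailbreak.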

Instead of providing users with a true jailbreak, the threat actors behind this campaign are using their devices to commit click fraud.

As tempting as a jailbroken device may seem, trying to exploit the Checkm8 vulnerability could open your device and data to hackers.