Following recent reports that Apple customers in China have been targeted with man-in-the-middle attacks by hackers hoping to obtain Apple ID information from users who tried to visit Apple’s official iCloud website, Apple today released a new security support document to help users identify whether the site they’re browsing is legitimate. The man-in-the-middle attacks attempt to phish or intercept account usernames and passwords by discreetly redirecting users to a fake iCloud.com site when they attempt to visit the legitimate one.
“Apple is deeply committed to protecting our customers’ privacy and security. We’re aware of intermittent organized network attacks using insecure certificates to obtain user information, and we take this very seriously. These attacks don’t compromise iCloud servers, and they don’t impact iCloud sign in on iOS devices or Macs running OS X Yosemite using the Safari browser.”
The guide reminds users that the legitimate iCloud.com website is protected with a digital certificate, which they can check to confirm that they’re visiting a safe site. Apple tells users never to enter their usernames and passwords into websites that display an invalid certificate warning. The certificate can easily be verified as legitimate or invalid in a number of browsers, including Safari, Chrome, and Firefox.
Safari users are asked to make sure that a green lock icon appears on the toolbar next to the website’s URL or website title. Clicking the green lock will reveal a dialogue saying either “Safari is using an encrypted connection to www.icloud.com.” to indicate a secure and legitimate iCloud.com site or “Safari can’t verify the identity of the website.” for an unsafe one.
Chrome and Firefox users will see a similar green lock on their URL bars beside the website title that, when clicked, will display the site as verified if the certificate is legitimate. If the website isn’t secure, a message saying “Your connection is not private.” will be displayed for Chrome and “This Connection is Untrusted” for Firefox.
As with the gigantic fiasco when iCloud user accounts were hacked recently, Apple again recommends that users activate 2-factor verification to protect their accounts in the event that their usernames and passwords are stolen.