Hackers used fake Apple pages to break into iCloud backups
Three cybersecurity organizations recently pulled back the curtain on a years-long hacking campaign targeting journalists, activists, and officials across the Middle East, North Africa, and potentially the US and UK. A new report traces the operation back to a hack-for-hire group with ties to an Indian surveillance company.
The technique was surprisingly low-tech, though. Attackers built fake Apple login pages to steal Apple ID credentials, giving them full access to victims’ iCloud backups: photos, messages, contacts, everything. Researchers found nearly 1,500 fake web addresses impersonating iCloud, FaceTime, and Apple sign-in pages.
Login pages almost identical to the iCloud login page are created to fool victims. | Image by Apple
Android users weren’t safe either
On the Android side, attackers used spyware called ProSpy, disguised as popular apps like Signal, WhatsApp, and Zoom. Once installed, ProSpy could quietly monitor messages, access the microphone and camera, and track the device.
No fancy exploits, no million-dollar spyware tools. Just convincing fake pages and phony apps that prey on a moment of inattention, and that’s what makes this so unsettling.
Why this matters to every phone owner
While this campaign focused on high-profile targets, the playbook trickles down to everyday scams fast. Hack-for-hire groups are reportedly cheaper than commercial spyware, meaning outsourced hacking like this is only becoming more common. We’ve covered similar phishing threats before, and they keep working because people keep falling for them.It should be noted that this exposes something people don’t like hearing: iCloud’s encryption and Apple’s privacy marketing don’t protect you if you type your password into a fake page. The weakest link in your phone’s security has always been you. Turn on two-factor authentication for your Apple ID and Google account if you haven’t, and never click login links from unexpected texts or emails.
Fake login pages remain the most dangerous weapon against your phone
I’ll be honest, it’s frustrating that we’re still having this conversation in 2026. Apple and Google have poured billions into device security, yet a well-crafted fake webpage remains the most effective attack out there. Don’t panic, but stay skeptical. If an unexpected message asks for your login info, treat it as suspicious, because your phone is only as secure as your ability to spot a fake.
Click Here For The Original Source.
