Man in the middle attack detected on iOS device (iPhone 8)

Hi Sophos Community,

In the last week I have been getting some "Man in the middle attack" notifications from my devices marked as "High Alert".

I've received four and all have similarities in behaviour:

  • All devices are iPhone 8 or iPhone 8 Plus
  • The time interval of the alerts is from 9:08 AM to 9:15 AM

In two of the cases the attack type is "SSL stripping"; in the other one it is "Content manipulation".

For further investigation I've extracted the logs of the devices. In two cases the manipulated URL was the same: https://login.aol.com/...

Is this usual behaviour for the iPhone 8? How could I get more info on this?

Greetings



Added TAGs
[edited by: Gladys at 9:20 AM (GMT -8) on 1 Dec 2022]
  • Hello,

    Thank you for reaching out to the community forum. This alert most likely came from a public Wi-Fi or hotspot. The attack has been stopped by Sophos Mobile, so there's no harm to the device, but as a precaution, advise the users who get this alert to perform a password reset on the accounts which are currently logged in on the device.

    There are many forms of man-in-the-middle attacks. Here are just a few:

    Compromised public Wi-Fi. A hacker might eavesdrop on an unencrypted public Wi-Fi connection you’re using. Or they might create a fake public Wi-Fi hotspot (an “evil twin”) that mimics a legitimate hotspot. As soon as you log onto the fake hotspot, the hacker can intercept everything you send to a site and everything it sends back to you.

    1. Use Virtual Private Networks (VPNs) when you’re in a public place.
    2. Don’t visit sites that aren’t protected by secure HTTPS: look for HTTPS rather than HTTP in the web address. This isn’t foolproof, but it helps.
    3. Please stay away from websites when your browser warns they’re unsafe.
    4. Use multi-factor authentication on sites that offer you the option.
    5. Don’t click email links or open attachments you aren’t expecting.

    Ensure your home/office Wi-Fi network is protected with strong passwords and encryption. For example, use WPA2-PSK (AES) encryption, not WEP-64, WEP-128, or WPA-PSK.

    For more details, you may refer to this documentation about Wi-Fi Security.

    Glenn Archie Señas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
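Why "look for HTTPS rather than HTTP" is not foolproof, as an added illustration that is not part of the reply above and not code from any Sophos product: a minimal HSTS-style client cache that remembers which hosts have declared themselves HTTPS-only and flags a later plain-HTTP request to one of them as a downgrade, which is the traffic pattern SSL stripping produces. A host the client has never contacted before gets no verdict at all, which is the gap a preload list tries to close. The host names, headers, preload list and the `replay` helper are all constructed for this example.

```python
import re
from urllib.parse import urlsplit


class HstsCache:
    """Remembers which hosts have declared themselves HTTPS-only so that a
    later plain-HTTP request to them can be recognised as a downgrade.
    Modelled loosely on an HSTS cache (RFC 6797); not any vendor's code."""

    def __init__(self, preload=()):
        # Hosts trusted as HTTPS-only before any visit. Browsers ship a real
        # preload list; the one passed in here is constructed for the example.
        self.policy = {h.lower(): {"include_subdomains": True} for h in preload}

    def observe_response(self, url, headers):
        """Record a Strict-Transport-Security policy from a response.
        The header is honoured only when it arrived over HTTPS; otherwise an
        on-path attacker could plant or clear policies."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or not parts.hostname or value is None:
            return False
        m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
        if not m:
            return False
        host = parts.hostname.lower()
        if int(m.group(1)) == 0:
            self.policy.pop(host, None)      # max-age=0 withdraws the policy
            return True
        self.policy[host] = {
            "include_subdomains": "includesubdomains" in value.lower()}
        return True

    def is_https_only(self, host):
        """True if host, or a parent with includeSubDomains, has a policy."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self.policy.get(".".join(labels[i:]))
            if policy and (i == 0 or policy["include_subdomains"]):
                return True
        return False

    def classify_navigation(self, url):
        """'ok' for HTTPS, 'downgrade' for plain HTTP to a known HTTPS-only
        host (the pattern SSL stripping produces), 'unknown' for plain HTTP
        to a host never seen before."""
        parts = urlsplit(url)
        if parts.scheme == "https":
            return "ok"
        if parts.scheme == "http" and self.is_https_only(parts.hostname or ""):
            return "downgrade"
        return "unknown"


# Constructed exchange: the first response sets the policy, then an
# on-path downgrade serves the same site and a subdomain over plain HTTP.
SAMPLE_EVENTS = [
    ("response", "https://login.example/",
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("navigate", "http://login.example/"),
    ("navigate", "http://mail.login.example/inbox"),
    ("navigate", "http://first-contact.example/"),
]


def replay(events, preload=()):
    """Feed responses into a fresh cache and return a verdict per navigation."""
    cache = HstsCache(preload)
    verdicts = []
    for event in events:
        if event[0] == "response":
            cache.observe_response(event[1], event[2])
        else:
            verdicts.append((event[1], cache.classify_navigation(event[1])))
    return verdicts


if __name__ == "__main__":
    for url, verdict in replay(SAMPLE_EVENTS):
        print(verdict.ljust(9), url)
```

The third navigation in `SAMPLE_EVENTS` comes back as `unknown` even though it is plain HTTP: with no prior HTTPS contact and no preload entry, the client has nothing to compare against, which is the case the reply's "this isn't foolproof" refers to.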
  • In this case it is a private Wi-Fi located in a mountain far away from any city.

    The attack could be internal, but it is extremely improbable taking into account the security measures in this network.

    Also, the fact that 3 of the devices are iPhone 8 is very suspicious. The last case was on a different network at almost the same time, again an iPhone 8 Plus.

    I will consider your recommendation regarding the security of these Wi-Fi networks; however, I need more information on these alerts regarding these devices.
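The correlation the original poster did by hand (same device family, same few minutes of the day, across different days and networks) is the kind of triage worth scripting before asking what the alerts mean. The following is an added example, not code from the thread or from Sophos Mobile: it parses a constructed alert export (the columns and sample rows are assumptions, not the product's real format), groups alerts of the same device family whose time of day falls within a sliding window, and reports the clusters that merit a closer look. Treating "iPhone 8" and "iPhone 8 Plus" as one family in `model_family` is a triage assumption.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample export (assumed columns: timestamp, device model,
# attack type, affected URL). This is NOT the real Sophos Mobile format.
SAMPLE_ALERTS = """\
2022-11-28T09:08:12,iPhone 8,SSL stripping,https://login.aol.com/
2022-11-29T09:11:40,iPhone 8 Plus,Content manipulation,https://login.aol.com/
2022-11-30T09:14:05,iPhone 8,SSL stripping,https://example.net/login
2022-12-01T09:15:20,iPhone 8 Plus,SSL stripping,https://example.net/login
2022-11-30T14:02:33,Pixel 6,Content manipulation,https://intranet.example/
"""


def parse_alerts(text):
    """Parse the constructed CSV-like export into a list of alert dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, model, kind, url = [f.strip() for f in line.split(",", 3)]
        alerts.append({"time": datetime.fromisoformat(ts),
                       "model": model, "kind": kind, "url": url})
    return alerts


def model_family(model):
    """Collapse size variants ("iPhone 8 Plus") onto the base model
    (assumption: variants share hardware generation and OS build)."""
    for suffix in (" Plus", " Max", " Pro"):
        if model.endswith(suffix):
            model = model[:-len(suffix)]
    return model


def minute_of_day(alert):
    """Time of day in minutes, ignoring the date: the thread's alerts fall on
    different days but all between 09:08 and 09:15."""
    t = alert["time"]
    return t.hour * 60 + t.minute


def cluster_alerts(alerts, window_minutes=10):
    """Group alerts per device family, chaining any alert whose time of day is
    within window_minutes of the previous one (a sliding window, so 09:08 and
    09:15 are not split by a fixed 09:10 boundary)."""
    by_family = defaultdict(list)
    for a in alerts:
        by_family[model_family(a["model"])].append(a)
    clusters = []
    for family, group in by_family.items():
        group.sort(key=minute_of_day)
        current = [group[0]]
        for a in group[1:]:
            if minute_of_day(a) - minute_of_day(current[-1]) <= window_minutes:
                current.append(a)
            else:
                clusters.append((family, current))
                current = [a]
        clusters.append((family, current))
    return clusters


def suspicious_clusters(alerts, window_minutes=10, min_size=3):
    """Summarise clusters of at least min_size alerts, largest first."""
    summaries = []
    for family, group in cluster_alerts(alerts, window_minutes):
        if len(group) < min_size:
            continue
        first, last = group[0]["time"], group[-1]["time"]
        summaries.append({
            "family": family,
            "count": len(group),
            "window": "%02d:%02d-%02d:%02d" % (first.hour, first.minute,
                                               last.hour, last.minute),
            "hosts": sorted({urlsplit(a["url"]).hostname for a in group}),
            "kinds": sorted({a["kind"] for a in group}),
        })
    return sorted(summaries, key=lambda s: -s["count"])


if __name__ == "__main__":
    for s in suspicious_clusters(parse_alerts(SAMPLE_ALERTS)):
        print("%(family)s x%(count)d in %(window)s: %(kinds)s on %(hosts)s" % s)
```

On the sample data the script reports one cluster of four iPhone 8 family alerts in the 09:08-09:15 window and ignores the lone Pixel 6 alert. A cluster that repeats at the same time of day on different days and networks points at something scheduled on the devices themselves (which app or account is active at that time is the next thing to pull from the device logs) rather than at one hostile network.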