A few days ago I was trying to watch some sport streams on my iPhone from a less than legitimate source. I click on a stream link and as per usual I get bumped to a new tab so that I can be bombarded with ads. True to the nature of the site I’m using I get hit with similarly sketchy ads but, this particular ad page was dodgier than usual with many pop-up and alerts. At the exact same time as the webpage loads I got a text message, not an iMessage, trying to phish details from the website that citizens of my country use for interacting with federal government programs (welfare, taxation etc). The timing was so exact that I have no doubt that the website was the cause and now I’m also starting to get spam calls as well.
I didn’t click anything when the ad page loaded up, and I never provided my phone number to any of the sites mentioned. So I’m curious as to how they got my number to send me the phishing text. Is it possible for a website to get your phone number via a safari API. Did the website exploit a previously unknown zeroday? Or maybe ad network fingerprinting is so advanced that they could just combine the ad profile they (likely) have on me with a number they got from another source? What do you guys think?
PS: I was using an iPhone 16PM on iOS 18.0.1. I restarted my phone after this occurred, and I absolutely did not interact with the phishing text.
I didn’t click anything when the ad page loaded up, and I never provided my phone number to any of the sites mentioned. So I’m curious as to how they got my number to send me the phishing text. Is it possible for a website to get your phone number via a safari API. Did the website exploit a previously unknown zeroday? Or maybe ad network fingerprinting is so advanced that they could just combine the ad profile they (likely) have on me with a number they got from another source? What do you guys think?
PS: I was using an iPhone 16PM on iOS 18.0.1. I restarted my phone after this occurred, and I absolutely did not interact with the phishing text.
