This morning, I launched the DirecTV app on my iPhone (connected to my home network via wifi).
On launch, I saw a login screen that looked slightly different from usual; the app had been updated recently, so I assumed it was the new login screen. But when I entered my user name and password (on the first attempt), I saw the screen to the right…
At this point, alarm bells went off. Not just because it was my first attempted login, but also due to the grammar of that last sentence:
“Please, contact AT&T operator.”
That’s wrong in many ways—and there’s no provided method for contacting an AT&T operator. I now believed I had been scammed: Somehow, a fake login page was injected where the app would normally display its login screen. As soon as I pressed Enter after entering my password, I’m sure my username and password were sent off to some server somewhere.
I immediately opened the DirecTV web site on my Mac, logged in (using my supposedly-locked account and current password), and changed my password. That all worked, and I received the email stating I’d changed my password, so I’m pretty sure my account is fine. (And I use unique passwords for each service, so the one that was probably compromised is useless to the hackers.)
But the bigger question here is what happened and how did it happen?
After I changed my password, I returned to the iOS device and tapped OK. I then saw the normal DirecTV login screen, as seen at right, furthering my feelings that the original screen was a scam. I logged in with my newly-changed password, and the app worked as normal.
Although my account seems to be safe now, I’m stumped as to how this happened: I wasn’t visiting a web site, I was using an app. How could someone interject a screen into the app itself?
I thought about DNS injection as a possibility, but my phone is using CloudFlare’s DNS (22.214.171.124 and 126.96.36.199), with Google (188.8.131.52) as DNS providers; I find it unlikely that they’ve been compromised. Unfortunately, I don’t have any idea what URLs the login screen may be trying to reach, nor do I have an easy way to capture and analyze that data.
But if it’s not DNS injection, then what could it be? Could someone have, somehow, modified the actual binary? If so, I’d think I’d see the dummy page on every login attempt, but I don’t—I only saw it that one time. I’ve tried to get it to show up again, going so far as logging out of the app, force quitting the app, shutting down the phone, and logging in again. But no joy: I just get the usual login screen.
My other thought is that someone must have modified something at the AT&T end to cause a page to load that’s not the one the app is expecting to load…but that sounds nearly as low-chance as Cloudflare having been poisoned.
There is one remaining oddity with the DirecTV app: It takes a long time to load, and partially through loading, it switches to a full-black screen with a simple spinning progress indicator in the middle:
All in all, this is very strange, and I’d love to figure out what happened. If anyone has any ideas or people I could contact, please let me know.