Spam and phishing mail

Apple of discord

As Apple’s popularity grows, so does the desire among fraudsters to make money from the people who own the company’s devices. The cybercriminals are aiming to steal Apple ID data which provides access to users’ personal information stored in iCloud (e.g., photographs, contacts, documents, email, etc.) as well as to the purchases made in the company’s iTunes Store. Many malicious users go further and try to the steal bank card details used to pay for those purchases.

The scammers make use of phishing sites that imitate the official apple.com site. Since the beginning of 2012 until the present time this has resulted in a significant increase in the number of web antivirus detections triggered by users of our products attempting to visit such sites. During that period we have seen on average around 200,000 detections per day. By contrast, in 2011 the figure stood at around 1,000 detections per day.

Apple of discord

Heuristic analyzer detections from January 2012 to May 2013 (detections per day)

On some days the number of web antivirus detections for fake apple.com phishing sites exceeded the daily average by several times. There were a number of peaks, the most significant of which occurred on December 6, 2012 (939,549 detections) and May 1, 2013 (856,025 detections). This periodic surge in cybercriminal activity and the resulting increase in web antivirus detections can be put down to important events in the life of Apple. For example, December’s peak occurred immediately after the iTunes Store opened in Russia, Turkey, India, South Africa and 52 other countries around the world.

How do users end up on fake sites? One of the most popular methods is to use spam to spread links to phishing sites. For example, cybercriminals send out emails on behalf of Apple in which they ask the recipient to confirm their account by following a link in the message. The link leads to a fake website where users are asked to enter their Apple ID and password – this data is then stolen by the cybercriminals and used for their own ends.

Here’s one example of a fraudulent message containing a link to a phishing site:

Apple of discord

As you can see, the scammers have made a pretty good job of it – the language of the message sounds official and the ‘sender’ field contains the fake address service@apple.com. The email was actually sent from another address that is hidden from the recipient. When the cursor is placed over the link you can see that it clearly does not direct to apple.com

Here’s another example of a phishing email in which the senders have passed themselves off as Apple customer support:

Apple of discord

The authors of this scam letter have been even more thorough in their approach: they have added a background with the Apple logo, a link to an FAQ and even signed as ‘Apple Customer Support’. The only thing that marks it out as a fake is the lack of the recipient’s name at the beginning of the letter.

The page that the recipient is directed to from these phishing messages usually imitates the official pages of the Apple website very accurately, and all the contents in the fake page’s links redirect to apple.com pages.

Apple of discord

Sample phishing pages showing the tricks used by cybercriminals – those tricks and the real domains are underlined in red

In the examples above the address line is the giveaway: it may contain ‘apple.com’ in one form or another, but even a less experienced user could spot the fake address. However, if the site is opened in a Safari mobile browser on an iPhone or iPad, the user may not look at the address line as it is hidden from view once the page is downloaded. The scammers can also add additional elements to a page such as an image showing an address line with the legitimate address. This element takes the place of the real address line and is meant to trick recipients.

The following image shows a fake page that tries to steal bank card details on the pretext of linking your card to your Apple ID:

apple_phishing_05

As you can see, the fraudsters were looking to get as much info as possible – from the card number to the CVC. With those details they can conduct just about any transaction with your card.

To safeguard your account you can activate two-factor authentication for Apple ID, with a four-digit verification code sent to one or more trusted devices. This two-step verification process makes unauthorized access or account modifications impossible on the My Apple ID site and prevents any purchases being made via your account by third parties. However, it doesn’t protect you from losing money if you provide the cybercriminals with your bank details. Therefore, if you receive a message in the name of Apple or one of its employees, be careful: it’s worth calling the technical support people at the company to make absolutely sure it is legitimate. Also, you should avoid following any links included in such messages; it’s best to enter the relevant address into the address line yourself. And if you do follow the link, carefully check the page contents and check the address that appears in the browser. By following these simple rules you can keep your data safe and avoid falling victim to the scammers.

Apple of discord

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox