A phishing campaign targeting Apple users is attempting to trick victims into updating their profiles under the guise it’s a part of proactive security hardening prepping for the introduction of General Data Protection Regulation (GDPR) policies set to go into effect on May 25. The phishing campaign’s objective is to con victims into disclosing Apple account credentials in order to scoop up personal details – including credit card and Apple account information.
“On April 30, we detected a new Apple ID phishing scam using a known social engineering tactic —threatening to suspend a service to pressure users into divulging personal details,” wrote Trend Micro researchers in a blog post about the scam last week. “Multisite login details, like an Apple ID and corresponding password, are valuable because they can give an attacker access to all the applications linked to that account.”
The phishing email purports to be a legitimate email from Apple. The email notifies victims that their Apple account has been “limited” due to unusual activity and urges them to update their payment details via a link.
The link opens to a fake Apple website that looked like the legitimate website in most respects – even containing the same background image as the real Apple site – but with a different URL.
Researchers said that the malicious website was offline at the time of its report.
From there, users were prompted enter their Apple IDs and passwords. When users put in their information, the website offers a standard message telling them their account has been locked, and offering a button to unlock it.
The “Unlock Account Now” button is linked to a malicious site that collects user data. This site asks for a slew of personal information like name, date of birth, address, and credit card details.
In addition to looking legitimate, this website appeared to be more sophisticated than most phishing sites due in part to the web directory permissions being set correctly, researchers noted: “Malicious actors usually use free hosting sites for their phishing scams since they expect them to have short lifespans, and they don’t put any effort into securing web server files,” they said in the post. “Because of this, it is typically easy to obtain information from phishing attacks and related sites; sometimes even the stolen data is accessible. In this case, the web directory permissions were set correctly, so we were not able to access that information.”
After all personal and account information fields were filled in, the site informed victims they would be logged out for security reasons and forwarded the user to the legitimate Apple website.
Strengths – And Mistakes
Like many phishing emails, the initial emails sent to users had big red flags – including, most notably, the fact that the emails were sent to some victims who were not using Apple products.
“It was sent to a person who was not using Apple products, and if there was suspicious activity why would a customer need to update payment details? Upon checking, we also saw that the button linked to a site that is not related to the Apple domain name,” said researchers.
However, beyond that the campaign did show worrisome sophisticated measures – including the tricks listed above surrounding the legitimate-looking Apple spoof website. And beyond that, the bad actors used other sophisticated methods – including encrypting the spoof site using Advanced Encryption Standard (AES) – allowing it to bypass some anti-phishing tools embedded in antivirus solutions.
“Using AES for this kind of obfuscation is unusual for a phishing scam because… usually these malicious actors are more concerned with operations rather than security or evasion,” said the researchers.