Active Phishing Campaign steals Apple ID credentials and credit cards

ESET's research lab identified an email belonging to a new attempt to steal Apple ID login credentials together with the credit card number linked to the same account.

Phishing campaigns, social engineering attacks that aim to fraudulently obtain personal or confidential information by having the scammer pose as a trusted person or company behind an apparently official communication, are nothing new. What ESET researchers highlight in this case is that the fake email arrives shortly after a password recovery on the Apple ID service. It is a technique aimed at customers who have just interacted with their Apple ID in some way, as happened recently with a campaign that targeted users whose phones had been stolen.

The deception begins with an email. Analyzing the message in detail reveals several suspicious points: although the sender identifies itself as iCloud, the sending address does not match Apple's official one; the message is not addressed to a particular user but to "Dear Customer"; and finally the signature is impersonal and contains drafting errors. Together these give the message away as fake.

Because the user has recently changed a password on iCloud, they may dismiss these warning signs and follow the instructions in the email. Clicking the "Review your account" button leads to a separate landing page.

The landing page is a perfect copy of the company's current credential management page, but its URL has nothing to do with the official site. Continuing with the deception, the page asks for the login credentials.
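The red flags described above (display name says iCloud but the sending domain does not, a generic "Dear Customer" greeting, and a "Review your account" link whose host is not an Apple domain) can be checked mechanically before anyone clicks. The following script is an added example written for this article, not ESET's or Apple's code; the sample message is constructed to resemble the one described and is not the real phishing email, and the allowlist of Apple domains is an assumption the reader should maintain for their own environment.

```python
"""Triage an inbound "Apple ID" message for the phishing red flags described above."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: registrable domains Apple legitimately mails from
# and links to. A subdomain of either (appleid.apple.com, email.apple.com) counts.
APPLE_DOMAINS = {"apple.com", "icloud.com"}

# Constructed sample modelled on the message described in the article (not the real phish).
SAMPLE_EMAIL = """\
From: iCloud <support@icloud-account-verify.example>
To: victim@example.org
Subject: Your Apple ID password was recently reset
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We noticed a recent password change on your account.</p>
<p><a href="https://appleid.apple.com.verify-login.example/review">Review your account</a></p>
<p>Regards,<br>Customer Suport Team</p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect every href in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def is_apple_domain(host):
    """True only for an allowlisted domain or a subdomain of it.

    'appleid.apple.com.verify-login.example' and 'fakeapple.com' both fail:
    the check is on the whole suffix '.apple.com', not a substring."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in APPLE_DOMAINS)


def _text_parts(msg):
    """Decode all text/* parts (handles single-part and multipart messages)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def triage(raw_message):
    """Return a list of human-readable findings; an empty list means no red flag fired."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Sender display name claims Apple/iCloud but the address is from elsewhere.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if re.search(r"\b(apple|icloud)\b", display, re.I) and not is_apple_domain(sender_domain):
        findings.append(f"sender claims to be {display!r} but mails from {sender_domain!r}")

    body = _text_parts(msg)

    # 2. Generic greeting instead of the account holder's name.
    if re.search(r"\bdear\s+(customer|user|client|member)\b", body, re.I):
        findings.append("generic greeting instead of the account holder's name")

    # 3. Any link whose host is not an Apple domain.
    extractor = _LinkExtractor()
    extractor.feed(body)
    for link in extractor.links:
        host = urlparse(link).hostname or ""
        if not is_apple_domain(host):
            findings.append(f"link {link!r} leads to non-Apple host {host!r}")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

The host check deliberately compares the whole DNS suffix rather than searching for the string "apple.com" anywhere: the landing page in this campaign lives on a host that merely starts with the official name, and a substring match would wave it through.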

Entering any test data produces an alert window stating that the account has been locked for security reasons. The user is then asked to unlock it by entering personal information, including the credit card details linked to the account.

After entering all the data and continuing the test to see what else would happen, the system reported that the account had been verified successfully and then redirected to Apple's real, official page.

“The fake page perfectly mimics the official site, but this is where you have to resort to good practices and check not only that you are browsing a site with an SSL certificate, that the address starts with HTTPS, but also that the certificate is issued in the name of the company it represents, as can be seen on the official site: to the right of the padlock, the name of the company responsible for the certificate appears immediately,” says Luis Lubeck, Computer Security Specialist at ESET Latin America.
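Two caveats a practitioner should attach to the advice above: a padlock only proves that the certificate matches the hostname in the address bar, and domain-validated certificates are issued free to any hostname, lookalike or not, so a phishing page on its own domain will show a perfectly valid padlock; and current browsers no longer print the organization name next to the padlock, so the certificate details must be opened to read it. The script below, an added example that is not ESET's or Apple's code, shows how to fetch a site's certificate and check both the hostname and the organization field programmatically. The two certificate dictionaries are constructed for illustration in the shape Python's `getpeercert()` returns; they are not real certificates, and `fetch_peer_cert` is the only part that touches the network.

```python
"""Verify that a TLS certificate is issued for the expected hostname *and* organization."""
import socket
import ssl


def _dns_name_matches(pattern, hostname):
    """Simplified RFC 6125 matching: exact match, or a single leading wildcard label.

    '*.apple.com' matches 'www.apple.com' but not 'apple.com' or 'a.b.apple.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_covers(cert, hostname, expected_org=None):
    """`cert` is a dict in the shape returned by ssl.SSLSocket.getpeercert().

    Returns True only if a SAN DNS entry (or the CN, when no SAN exists) matches
    `hostname` and, when `expected_org` is given, the subject's organizationName
    equals it. A domain-validated certificate has no organizationName and so
    fails the second check, which is the point of the advice quoted above."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy fallback: CN only counts when the SAN extension is absent
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_dns_name_matches(n, hostname) for n in names):
        return False
    if expected_org is not None:
        orgs = {v for rdn in cert.get("subject", ()) for k, v in rdn if k == "organizationName"}
        if expected_org not in orgs:
            return False
    return True


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch the server certificate over a normally validated TLS connection (network)."""
    ctx = ssl.create_default_context()  # already rejects hostname mismatches and untrusted CAs
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificate dicts for offline use (not real certificates).
GENUINE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Apple Inc."),),
        (("commonName", "appleid.apple.com"),),
    ),
    "subjectAltName": (("DNS", "appleid.apple.com"), ("DNS", "*.apple.com")),
}
LOOKALIKE_CERT = {  # a DV certificate on the phishing host: no organizationName at all
    "subject": ((("commonName", "appleid.apple.com.verify-login.example"),),),
    "subjectAltName": (("DNS", "appleid.apple.com.verify-login.example"),),
}


if __name__ == "__main__":
    print(cert_covers(GENUINE_CERT, "appleid.apple.com", "Apple Inc."))       # True
    print(cert_covers(LOOKALIKE_CERT, "appleid.apple.com.verify-login.example", "Apple Inc."))  # False
    live = fetch_peer_cert("appleid.apple.com")
    print(cert_covers(live, "appleid.apple.com", "Apple Inc."))
```

Note that the lookalike certificate passes the hostname check for its own domain, exactly as it would in a browser; only reading the domain itself and the organization field separates it from the real site.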

According to ESET's research there is no indication of a relationship between the user's password change request and the receipt of the phishing email; rather, it appears to be a mass campaign that seeks to catch users who have been interacting with their account and who, as a result, lower their guard over the veracity of the message received. “As is often the case in targeted social engineering attacks, here the criminals try to take advantage of the moment of vulnerability the victim is going through, having probably been unsettled by news about their account, a lethal combination when it comes to personal security. Knowing the risks we are exposed to allows us to take the necessary measures, such as paying attention to suspicious messages, keeping systems updated and having a security solution, so that we can enjoy the Internet safely,” adds Lubeck.

ESET recommends never clicking on links without first verifying their origin, their authenticity and that they lead to an official site. In this case, go to the iCloud site manually and check whether the account is in order.

It is also advisable to report such incidents, including the theft of personal data, when we fall victim to phishing.