Phishers appear to have concentrated their fire on a relatively new target: Apple IDs. In recent days, we’ve seen a spike in phishing sites that try to steal Apple IDs.
Upon looking at the URLS, we noted that there was a consistent pattern to the URLs of these phishing sites. They are under a folder named ~flight. Interestingly, trying to access the folder itself will load the following page:
Technically, the sites were only compromised, but not hacked (as the original content was not modified). It’s possible, however, that the sites may be hacked or defaced if the site stays compromised.
As mentioned earlier, the directory contains pages that spoof the Apple ID login page fairly closely:
We’ve identified a total of 110 compromised sites, all of hosted at the IP address 22.214.171.124, which is registered to an ISP in the Houston area. Almost all of these sites have not been cleaned.
The graph above shows the increase in phishing sites targeting Apple IDs. We’ve seen attacks targeting not only American users, but also British and French users. Some versions of this attack ask not only for the user’s Apple ID login credentials, but also their billing address and other personal and credit card information. It will eventually result in a page that states that access has been restored, but of course the information has been stolen. One can see in the sample page below how it asks for credit card information:
Read the rest of this entry »