Today, I received an email from Apple telling me that there was a change in my account information. Seeing that I had already changed it a few weeks ago, I was rather curious to see what this email from “Apple” had to say. After opening the message, I was surprised to see an uncanny and almost identical resemblance with the legitimate email from Apple I got a few weeks back. See the side-by-side comparisons below:
There are few modifications in the body text in the spammed message. Also, it was sent by email@example.com via smtp.com, which means that Gmail detected that the email might have been sent using a third-party email service. Even more curious, I clicked the link in the email that supposedly signs in to your Apple ID. I found that it pointed to a site that tries to mirror the legitimate Apple site; only the glaring difference was that this one had advertisements at the bottom of the page.
I sought help from one of our engineers and as it turns out, the “Apple” site was indeed a phishing page hosted on a free hosting site. It tells users to input their Apple IDs and passwords while the information is later on sent to the phishers. This simple spammed message shows how easy it is to stage attacks nowadays- with minimum investment and considerable returns, phishers now have access to users’ App store info which includes users’ credit card information, home addresses, and phone numbers. You don’t even have to pay to host your server.
Phishing attacks like this don’t need a lot of storage as it only stores the Apple credentials and is limited only to Apple users. It may only be as simple as a spammed message, but the outcome isn’t any different from your typical infostealing malware today that need to install themselves into systems. Furthermore, with the Apple’s market steadily growing, cybercriminals may now be more interested in these Apple accounts and the stolen credentials may be sold underground to other crooks for a good price.
Always be wary of the littlest details in your email that may strike you as suspicious. Check and double check embedded URLs, delete spammed messages, and never underestimate the endless possibilities of cybercrime.
Big thanks to Roland Dela Paz for helping out with the analysis and additional insights.