Phishers appear to have concentrated their fire on a relatively new target: Apple IDs. In recent days, we’ve seen a spike in phishing sites that try to steal Apple IDs.
Upon looking at the URLs, we noted a consistent pattern: the phishing pages all sit under a directory named ~flight on the compromised sites. Interestingly, trying to access the directory itself will load the following page:
Technically, the sites were compromised but not defaced: the attackers added the phishing pages under a new directory and left the sites' original content untouched. It is possible, however, that the sites will be defaced or further abused if they stay compromised.
As mentioned earlier, the directory contains pages that spoof the Apple ID login page fairly closely:
We’ve identified a total of 110 compromised sites, all hosted at the IP address 18.104.22.168, which is registered to an ISP in the Houston area. At the time of writing, almost none of these sites had been cleaned.
The graph above shows the increase in phishing sites targeting Apple IDs. We’ve seen attacks targeting not only American users, but also British and French users. Some versions of this attack ask not only for the user’s Apple ID login credentials, but also their billing address and other personal and credit card information. It will eventually result in a page that states that access has been restored, but of course the information has been stolen. One can see in the sample page below how it asks for credit card information:
Users may be redirected to these phishing sites via spam messages that state that the user’s account will expire unless their information is subject to an “audit”, which not only gets users to click on the link, it puts them in a mindset willing to give up information.
One way to identify these phishing sites is that the fake pages do not display any indication that you are on a secure site (such as the padlock and the “Apple Inc. [US]” part of the address bar), which you can see in this screenshot of the legitimate site:
The screenshot above is from Chrome, but Internet Explorer and Firefox both have similar ways to indicate secure sites.
For the phishing messages themselves, legitimate messages should generally have matching domains all around – where they were sent from, where any links go to, etcetera. Mere appearance of the email isn’t enough to judge, as very legitimate-looking emails have been used maliciously. We also encourage users to enable the two-factor authentication that Apple ID recently introduced, for added protection.
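The domain-matching and indicator checks described above, as an added Python example (not code from the original post or from Trend Micro): it parses a constructed sample lure, whose sender, recipient and hostnames are made up for this example, and flags links whose domain differs from the sender's, links that are not served over HTTPS, and links that live under a ~flight directory as noted earlier in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message modelled on the lure described in the post
# (account "audit" pretext, link into a ~flight directory on a compromised
# site). Sender, recipient and hostnames are made up for this example.
SAMPLE_EML = """From: Apple Support <support@apple.com>
To: victim@example.net
Subject: Your Apple ID will expire in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account is subject to an audit. Please verify your details:</p>
<a href="http://compromised-site.example/~flight/login.php">Sign in to My Apple ID</a>
<p>Or visit <a href="https://www.apple.com/">apple.com</a> for help.</p>
</body></html>
"""

# Path pattern used by this particular campaign (a ~flight directory).
SUSPICIOUS_PATH = re.compile(r"/~flight(/|$)")


def base_domain(host: str) -> str:
    """Crude registered-domain approximation: the last two labels.

    Adequate for .com/.net; a production filter would use the Public
    Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(html: str) -> list:
    """Return every href value in the HTML body."""
    return re.findall(r'href\s*=\s*["\']([^"\']+)["\']', html, flags=re.I)


def message_body(msg) -> str:
    """Concatenate the decoded text of all text/* parts."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze_message(raw: str) -> dict:
    """Return the sender's domain and a list of (reason, link) findings."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = base_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    findings = []
    for link in extract_links(message_body(msg)):
        u = urlparse(link)
        if u.scheme not in ("http", "https"):
            continue  # mailto:, javascript:, relative links: out of scope here
        if base_domain(u.hostname or "") != sender_domain:
            findings.append(("domain_mismatch", link))
        if u.scheme != "https":
            findings.append(("no_tls", link))
        if SUSPICIOUS_PATH.search(u.path):
            findings.append(("flight_directory", link))
    return {"sender_domain": sender_domain, "findings": findings}


if __name__ == "__main__":
    for reason, link in analyze_message(SAMPLE_EML)["findings"]:
        print(f"{reason:17} {link}")
```

The sender domain here is only what the From header claims; without SPF/DKIM verification the check simply tests whether the message is internally consistent, which is exactly the heuristic described above. The legitimate https://www.apple.com/ link in the sample produces no finding, while the lure link is flagged on all three counts.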
In case you’re using mobile devices to manage your Apple ID or other parts of your online activities, you may read our ebook about avoiding bad mobile URLs to help protect yourself. We have blocked all sites and messages related to these attacks.
with additional inputs from Mark Aquino