A Devious Phishing Scam Targets Apple App Store Customers

Credit to Author: Brian Barrett| Date: Wed, 19 Dec 2018 21:50:31 +0000

Phishing scams often come in waves. Last year it was a phony Google Docs link and a convincing Netflix impersonator, both of which had plagued the internet sporadically for months, at least, before seeing big surges. This month, it's a bogus Apple App Store email that convinces its victims to cough up all kinds of personal information.

First reported by Bleeping Computer, the phishing campaign doesn't contain any especially novel elements, but it executes the basics well enough that it's easy to be fooled.

Like so many phishing efforts, it starts with an email purporting to be something that it's not. Specifically, it claims to be a purchase confirmation from Apple, with a PDF attached posing as a receipt. If your first thought is that opening that attachment is a no-good, terrible idea, you are correct! But maybe not for the reasons you suspect. There's no malware in the file itself, but the somewhat convincing PDF contains several links with shortened URLs. Click on any of them, and you're sent to a site that mimics Apple's actual account management page, prompting you to enter your username and password.

"They're able to bypass email filters more effectively, since there are no malicious links in the email itself."

Crane Hassold, Agari

If you do so, a prompt tells you that your account has been locked for security reasons and offers an Unlock Account button. Click it and you'll be prompted to input your name, address, Social Security number, payment info, answers to common security questions, even your driver's license and passport number. In other words, everything an identity thief could possibly need to upend your life.

In one final clever touch, after you submit your information, the faux Apple site says it will log you out for security—then sends you to a legitimate Apple account management page.

That sort of full-circle approach makes it a terribly convincing phishing effort. It even comes with an implicit narrative: If you get an email about a suspicious app purchase, you might assume your Apple account has been hacked, which in turn might motivate you to "unlock" it by proving your identity.

This particular phishing effort appears to have been around for a while, but it has increased in popularity along with other attachment-based scams. "The likely reason they're becoming more common is because they're able to bypass email filters more effectively, since there are no malicious links in the email itself and the PDF isn't an inherently malicious document," says Crane Hassold, a threat intelligence manager at security firm Agari.

The App Store scam is also indicative of other phishing trends, particularly in terms of how it has propagated. "It's likely a bunch of phishers using a single phishing kit that was created and distributed by a single actor," Hassold says. "That's essentially how the phishing ecosystem works. You have a relatively small number of actors who create phishing kits—the collection of files needed to create a phishing page—who then distribute them through social media, underground forums, or their own vendor webpages."

As in any phishing scheme, there are a few simple ways to keep yourself safe. You can confirm the real identity of an email's sender (in Gmail, click the downward-facing arrow next to your name). And if you need to enter any of your information on a site, for whatever reason, go there by typing the address directly rather than clicking on a link from an email or attachment. And in this specific case, look closely at your URL bar. The scammers apparently haven't put much effort into making them appear legitimate.

Eventually, the App Store phishing scam will give way to another one, just like the Netflix and Google Docs campaigns did. But the tricks it uses won't. So take the lessons now and be ready use them every time you visit your inbox.

Additional reporting by Lily Hay Newman.

https://www.wired.com/category/security/feed/