Following reports of Apple IDs being compromised and devices being held for ransom in Australia and New Zealand, Apple issued a statement to ZDNet proclaiming that their iCloud infrastructure had not been breached. They went on to warn users to “change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services.” Symantec would like to advise owners of Apple devices to keep an eye out for emails attempting to phish for Apple ID login credentials.
Going phishing for Apple IDs
While there have been no confirmed reports as to how these Apple IDs were compromised, one possible explanation is phishing scams. Due to all the media attention this event has received, Symantec is cautioning users to be skeptical of emails claiming to be from Apple. This event lends scammers more credibility when attempting to phish for Apple IDs, especially now that many users are concerned about the safety and security of their Apple IDs and devices.
What does an Apple ID phishing email look like?
Figure 1. Example of an Apple ID phishing email from early May
There are a number of different Apple ID phishing emails that have been in circulation in recent months. The emails adopt some of the following subject lines:
- Please update your Apple account now
- Apple – Your Account Is Not Confirmed
- Please Verify Account Information For Your Apple ID
- please verify the email address associated with your Apple ID
These subjects are used to trick users into opening emails, improving the odds that they may click on the links within them.
What does an Apple ID phishing page look like?
If a user clicks on a link within the phishing email, they are directed to a Web page that on the surface looks like the real My Apple ID page. However, if users check the address bar, they will see an unfamiliar URL for a website that is not served over a secure (HTTPS) connection, which should raise suspicion.
Figure 2. Example of an Apple ID phishing Web page
Once the attacker harvests the Apple ID login and password, they direct users to a second phishing page that asks for financial and personal information, such as credit card number, date of birth, and a security question.
Figure 3. Apple ID phishing page requests financial details
Once this information has been submitted, the user is directed back to the real Apple.com. However, their Apple ID along with their personal and financial details have now been compromised.
Localized phishing for Apple IDs
In addition to the English language phishing sites, we have also observed instances of Apple ID phishing sites localized for targets in other countries.
Figure 4. Apple ID phishing page localized for China
Figure 5. Apple ID phishing page localized for Italy
In addition to these localized versions, we found some Apple ID phishing sites that require a target to select his or her country to make sure they are served the correct, localized phishing page.
Figure 6. Apple ID phishing page asks users to select localized version
The options include the United Kingdom, the United States, Canada, Italy, Germany and “Other,” which is just another English version of the phishing page.
Ways to prevent Apple ID phishing
- Watch out for suspicious emails. If you receive an email claiming that your Apple ID has been disabled or that you need to update your information, do not click on the link within the message. Open up a browser tab and browse to apple.com instead.
- Pay attention to the address bar. If you happen to click on a link in an email, look closely at the URL in your address bar. If the URL looks suspicious, like the examples shown in this blog, do not type in your Apple ID and password. In modern browsers, look for the green lock symbol and “Apple Inc.” to confirm you are on the real Apple website.
- Enable two-step verification for your Apple ID. With two-step verification enabled, if your Apple ID is phished, an attacker cannot log in to your account without obtaining physical access to your cellphone or other trusted devices.
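
A mail-triage heuristic for the first two tips, as an added example that is not Symantec's code: it flags the subject lines listed earlier and any web link in an Apple-themed message that does not lead to apple.com over HTTPS. The sample message, its hostname and the function names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Subject lines quoted in the post, lower-cased for comparison.
KNOWN_SUBJECTS = {
    "please update your apple account now",
    "apple – your account is not confirmed",
    "please verify account information for your apple id",
    "please verify the email address associated with your apple id",
}
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)

# Constructed sample message; the hostname uses the reserved .example TLD.
SAMPLE_PHISH = (
    "From: Apple <noreply@mail.example>\n"
    "Subject: Please update your Apple account now\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<p>Apple ID disabled. <a href="http://appleid-update.example/login">Verify</a></p>\n'
)

def is_apple_https(url):
    """True only for https:// links whose host is apple.com or a subdomain of it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return parts.scheme == "https" and (host == "apple.com" or host.endswith(".apple.com"))

def triage(raw_message):
    """Return the reasons a raw RFC 5322 message looks like Apple ID phishing."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").lower().split())
    reasons = []
    if subject in KNOWN_SUBJECTS:
        reasons.append("subject matches a reported phishing subject line")
    body = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_maintype() == "text")
    if "apple" not in (subject + body).lower():
        return reasons  # not Apple-themed, so the link check does not apply
    for url in HREF_RE.findall(body):
        # Only web links are judged; mailto: and relative links are skipped.
        if urlsplit(url).scheme in ("http", "https") and not is_apple_https(url):
            reasons.append("link does not lead to apple.com over HTTPS: " + url)
    return reasons

if __name__ == "__main__":
    for reason in triage(SAMPLE_PHISH):
        print(reason)
```

The suffix check compares against ".apple.com" with the leading dot, so lookalike hosts that merely contain or start with "apple.com" are still flagged.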