We’ve seen a number of Apple-related phishes in circulation over the last few days. While most of them already lead to deactivated phishing sites, we thought it was worth highlighting some of the tricks being used to bait people into handing over payment details at the moment.
Fake receipt emails
First up, a number of fake “receipt” emails ranging in date from February 2–6. While the content of some of the emails varies slightly, most of them use a subject line similar to the below:
[ New Statement ] Your receipt from Apple [ 02 February 2018 ]
End Date: Monday Feb-24-2020 9:44:42 PST
Buy It Now for only: $0.99
Buy It Now | Add to watch list
End Date: Wednesday Feb-19-2020 2:44:39 PST
Buy It Now for only: $11.55
Buy It Now | Add to watch list
In the cases we’ve seen, the mails claim to be receipts for a payment of $9.99 made out to, er, Mr. Edward Snowden. Apparently, privacy campaigns and 2 terabyte storage plans go together nicely.
Click to enlarge
The general rule of thumb is to try and be as inconspicuous as possible, so we’re not really sure why the scammers went with one of the most well-known privacy advocates on the planet to fill in the personal information box. Not only that, but they used a randomly-grabbed address from a property website sporting nine bedrooms and four bathrooms.
Maybe the plan is to hit the potential victim with something so utterly ludicrous, that they’ve already clicked the link before they’ve had time to think about it. For a lot of people, simply seeing a “Thanks for the order of this thing that costs you money” would be enough to have panic set in.
The good news for potential clickers is, the site the scammers are trying to bounce through is already wise to the scam and has effectively killed the one-way street to the phish page.
Click to enlarge
The phish link itself is also offline, so we can’t show you what may lay in wait. But we can confirm people won’t be losing money to this one anytime soon.
Someone else logged in
Elsewhere, we have a “Reminder” notification that someone else is logging in on your Apple account with an iPod in Monaco.
Click to Enlarge
The email reads as follows:
[Reminder] [Notification Update] Statement new log-in your Apple account with other device
Fοuг уοuг ѕаfеtу, уοuг Αррlе ID hаѕ Ьееn lοсκеd Ьесаuѕе wе fοund ѕοmе ѕuѕрісіοuѕ асtіνіtу οn уοuг ассοunt. Ѕοmеοnе ассеѕѕіng уοuг ассοunt аnd mаκе ѕοmе сhаngе οn уοuг ассοunt іnfοгmаtіοn. This the details :
Country : Monaco
IP Address :
Date and Time : 13:09, 06 Feb 2018
OS : iPod
Browser : Safari
If you did not make these action or you believe an unauthorized person has accessed your account, you should login to your account as soon as possible to verify your information.
Apart from the lazy typos (“Four your safety”) and awful sentence structure, they also make use of some Cyrillic characters in a likely attempt to bypass Beyesian filtering. While the destination site was offline again, it’s worth noting that all of the examples tried to send potential victims to HTTPs websites, instead of the plain old HTTP landing page. All phishers now want to look as “secure” as they possibly can—anything to help pull the wool over your eyes.
Always worth repeating: Just because a website is HTTPs, does not mean it is a legitimate website. Phish pages can lurk anywhere, no matter what security the page you’re on happens to be touting.
Apple care scare
There’s also some dubious texts going around claiming to be from Apple Care:
It reads as follows:
Your Apple ID is due to expire today. Prevent this by confirming your Apple ID at
As you can see, there’s a big push to apply pressure to potential victims, and everything falls somewhere between the two extremes of “Payment made, quick do something!” and “So, your account is going to be terminated.” While we’re happy to say this is another one that came to our attention already DOA, even as texts were going out, the sad truth is that for every site taken down there are many more happily accepting credit card details and personal information.
Fake app purchases
We’ve also seen some fake app purchases, and this one rather spookily has an order number attached that was actually of some relevance to the recipient.
Be aware of Apple Phishing email! (See pic) I checked my payment source, & called Apple. They DO NOT have a link in the receipt emails. The order ID was a valid one from a purchase 2 months ago. (Not this purchase) #TeamEmmmmsie #TUGfam #MGC #AppleSupport pic.twitter.com/SZYY2YxS0q
— Rick92647 [TeEm] [TugFam] [MGC] (@Rick92647) February 5, 2018
While one hopes this is just some horrible coincidence, it could just as easily have prompted the above individual to start visiting rogue links—and that’s all it really takes. Just one fragment of information from an otherwise garbled email missive could be enough to cost someone a small fortune—or even worse, a very large one.
If you’re worried about the pushy tone of a supposed Apple missive, contact them directly to check its validity, and wander over to their help page for more information on securing your Apple account. These are some of the most common scams around, and for as long as Apple IDs are tied to valuable purchases and personal information, criminals will continue target these accounts.
The post Panic attack: Apple scams apply pressure appeared first on Malwarebytes Labs.
Click here for best antivirus and antispyware software
Powered by WPeMatico