GDPR Phishing Scam That Targets Apple Accounts and Steals Data
Here’s news about a phishing campaign that was targeting Apple users and taking advantage of the EU GDPR (General Data Protection Regulation) policies set to go into effect on May 25.
Companies today have started handling users’ data in a rather careful manner, with the many data breaches that have happened in the recent past plus the upcoming GDPR. These companies now send emails to their users asking them to update their profiles or to strengthen security. Cyber criminals too are now beginning to take advantage of this situation, impersonating major companies and sending phishing emails to users. These emails come masquerading as legitimate “user policy update” emails coming from the companies. The phishing scam that we discuss today is the latest in the series.
Researchers at Trend Micro recently detected this new phishing scam targeting Apple users; in a detailed blog post about the scam, Jindrich Karasek of Trend Micro lab writes- “On April 30, we detected a new Apple ID phishing scam using a known social engineering tactic —threatening to suspend a service to pressure users into divulging personal details. Multisite login details, like an Apple ID and corresponding password, are valuable because they can give an attacker access to all the applications linked to that account.” The blog post adds- “The malicious website was already offline at the time of writing.”
The phishing email would seem to be a legitimate email from Apple, notifying a user that his Apple account has been “limited” due to unusual activity. It would also urge the user to update his payment details via a link that would be there in the mail. When the user clicked on the link, it would take him to a fake Apple website, which would look very much like the legitimate one. The URL, however, would be different, but callous users would not notice it. The user would next be prompted to enter his Apple ID and password, following which the website would show a standard message telling the user that his account has been locked. The website would then offer the user an ‘Unlock Account Now’ button, clicking on which would take him to a malicious website that collected user data. This website would ask all kinds of personal information- name, address, date of birth, credit card data etc.
Trend Micro researchers point out that the phishing website that the hackers used here was actually more sophisticated and even looked more legitimate than usual phishing websites, especially because the web directory permissions are set correctly. The Trend Micro blog post says- “Also, malicious actors usually use free hosting sites for their phishing scams since they expect them to have short lifespans, and they don’t put any effort into securing web server files. Because of this, it is typically easy to obtain information from phishing attacks and related sites; sometimes even the stolen data is accessible. In this case, the web directory permissions were set correctly, so we were not able to access that information.”
The phishing website would, after obtaining all personal data from the user, inform the user that he has been logged out for security reasons, following which he would be forwarded to the legitimate Apple website.
The Trend Micro blog also notes- “The phishing email looked like a legitimate email from Apple. It notified the “customer” that their account has been limited because of unusual activity, and then asked them to update payment details through a link. The email immediately raised suspicions for various reasons. It was sent to a person who was not using Apple products, and if there was suspicious activity why would a customer need to update payment details? Upon checking, we also saw that the button linked to a site that is not related to the Apple domain name.”
Moreover, the hackers used some other sophisticated methods, like encrypting the spoof site using Advanced Encryption Standard (AES), which allows it to bypass some anti-phishing tools embedded in antivirus solutions. The Trend Micro blog post says- “The unique way that this phishing scam used AES makes it difficult to detect malicious activity. The phishing site was able to bypass some anti-phishing tools incorporated in antivirus solutions for home and business from various vendors.” The researchers note that this (using AES for obfuscation) is rather unusual for a phishing scam because mostly those behind such campaigns are more focused on the operations rather than on security or evasion.