Apple products, such as the iPhone, iPad, and MacBook, are NOT immune from successful attack and exploitation. Why? Because the weakest part of Apple security is the user behind the keyboard. That’s right, it’s YOU! Email and website-based attacks work the same for Apple users, Windows users, and even Linux users. Send a well-crafted phishing email, and wait for the target to cough up their credentials. Today’s guest post by David Balaban talks about how Apple users are being targeted by criminal phishers.
Although the mantra about Apple products getting no viruses is a myth, these devices do boast decent defenses against malicious software. This makes cybercrooks look for workarounds to achieve their objectives without having to mastermind highly sophisticated exploitation tools.
Phishing is an increasingly common attack vector in the ecosystem of Apple threats. Malicious actors use this technique to take a shortcut and perpetrate scams by manipulating humans rather than electronic systems. It hinges upon social engineering to dupe users into disclosing their sensitive information or wiring money to impostors.
It is disconcerting that the so-called phishing kits are now readily available on the dark web. It means that these attacks are not only a prerogative of seasoned criminals anymore. Any wannabe hacker with primitive tech skills can target you as well.
Let us zoom out briefly to better understand scammers’ motivation for ramping up their Apple phishing efforts. More than 1.5 billion Apple devices are currently in use around the world. Whereas their operating systems and features vary, they have one thing in common as far as security goes. All of them require Apple IDs to access services such as the App Store, iCloud, iMessage, Apple Music, Apple TV, and more.
By obtaining a user’s Apple ID, fraudsters can take over their account and get hold of payment information enrolled for purchases via Apple Pay. Essentially, this password is one’s single point of failure. It is also a coveted piece of information from a crook’s perspective.
How Can Criminals Mishandle Your Apple ID?
This secret string of characters and numbers is a one-size-fits-all key to using Apple’s proprietary services and accessing a good deal of your personal data. A rundown of its common applications is as follows:
- Whether you own an iOS or a macOS device (or both), Apple ID allows you to sign into it and thereby use its built-in services to the fullest. Also, with the Apple electric car project being underway, the range of traditional Apple ID use cases may expand sometime soon. Imagine unlocking a self-driving electric vehicle with it – that is what the near future may hold.
- Apple ID includes your payment and shipping info so that the process of purchasing apps, subscribing to services, and buying devices from Apple is as frictionless as possible.
- It provides access to your security settings as well as detailed information regarding all purchases you made with it.
- Apple ID is the main authentication element for accessing your iCloud account. That is where you keep your photos, videos, and a plethora of other sensitive data. If an attacker steals your Apple ID, they can hold these materials for ransom.
Methods Used by Scammers to Lure You into Visiting Apple ID Phishing Pages
The present-day online con artists leverage quite a few techniques to make you end up on a credential phishing site. The following paragraphs describe the most common tricks.
- Booby-trapped Payment Statement Emails
Taking a look at the subject area of a message should suffice to pinpoint this fraud. It usually includes a phrase like “Receipt ID,” “Receipt Order,” or “Payment Statement.” The sender’s objective is to fool you into thinking that someone has made purchases with your credit card behind your back.
What will the average user do in this case? You guessed it – they will go ahead and cancel the order they never made. Having clicked on an embedded link that leads to a replica of a billing information page, you will be redirected to a phishing site requesting verification with your Apple ID password and credit card details.
To avoid being scammed, you should watch out for additional giveaways. The message does not come from a valid Apple email address. Also, it may include a Microsoft Word attachment, something the Cupertino-based company would not send to its customers. One more telltale sign of the scam is the URL of the link you are being instructed to follow. Hover your mouse over it to vet its authenticity before clicking. It will not look like a genuine Apple resource.
The main lesson you should learn is that any dubious link in an email is potentially evil. The bad news is cybercriminals are increasingly adept at disguising their frauds. Their messages look legitimate and lead to pages that mimic Apple branding. In some cases, you will notice a few typos, and the navigation icons in the upper section of the page are not clickable. Be careful with suspicious emails of that kind.
- Dodgy Cold Calls
Apple ID phishing scams are not restricted to using treacherous emails as their launchpad. Some attackers capitalize on fraudulent phone calls instead. To make the hoax appear trustworthy, they often leverage the caller ID spoofing technique. This way, the caller details resemble Apple’s and include the real logo as well as the official site of the tech giant.
One of the mainstream methods to get you on the hook is to request your sensitive information under the guise of account validation. The impostor will usually say you need to provide these details for compliance with the supposedly updated Terms of Service. To impose extra pressure, the fraudster will emphasize that this is a prerequisite for using certain important features down the line.
- Phony Text Messages
To set another form of credential phishing in motion, malefactors use rogue text messages whose scare element revolves around phrases like “Your Apple account has been suspended” or similar. To take care of the alleged quandary, you will be instructed to tap or click on an embedded hyperlink. The resulting site is a copycat of an Apple support page that contains a counterfeit form where you are supposed to enter your sensitive info.
- Sketchy Pop-ups
This exploitation technique debuted in 2017 as a theoretical attack. A security enthusiast named Felix Krause came up with a proof of concept whose logic comes down to generating a spoofed pop-up dialog that asks a user to type their Apple ID password to log into the iTunes Store. Once the unsuspecting user enters the password, it is sent to the attacker behind the scenes.
From the average user’s perspective, this dialog does not raise any red flags because it is a carbon copy of many legitimate iOS pop-ups. This explains why victims are likely to give away their authentication details without a second thought, only to discover shortly that their Apple account has been taken over.
The ethical hacker who originally spread the word about this attack vector provides an amazingly simple tip to check if the alert is genuine. All it takes is tapping the Home button on the iDevice. If this closes the current app, it means that the pop-up is malicious and should be ignored. Otherwise, you are dealing with a legitimate iOS dialog.
What makes a difference in this scenario is that normal system alerts of that sort are triggered by a separate process rather than being part of an application.
How to Identify Apple Phishing Hoaxes?
The attack sophistication and the mechanisms used by phishers vary, so some scams can be better camouflaged than others and may fly below your security awareness radar. However, most of these frauds share clues that should set off alarm bells if noticed. Here they are:
- Spelling mistakes and poor grammar.
- Crude design of the email or landing page.
- Suspicious email attachments.
- The email does not come from the apple.com domain.
- You are being asked to provide credentials over the phone or email. Apple never does it.
- A link that arrived in an email looks dubious. A shortened URL and redirects are good examples.
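For mail filtering or triage, several of the clues above can be checked automatically. The following is an added example, not part of the original post: the function names, clue labels, shortener list, and sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject phrases quoted in the article; the shortener hosts are illustrative assumptions.
SUBJECT_BAIT = ("receipt id", "receipt order", "payment statement")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
WORD_EXT = (".doc", ".docx", ".docm")

def in_apple_domain(host):
    """True only for apple.com itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == "apple.com" or host.endswith(".apple.com")

def phishing_clues(raw_email):
    """Return the sorted clue labels that a raw email message trips."""
    msg = message_from_string(raw_email)
    clues = set()
    sender = parseaddr(msg.get("From", ""))[1]
    if not in_apple_domain(sender.rpartition("@")[2]):
        clues.add("sender-not-apple")
    if any(p in msg.get("Subject", "").lower() for p in SUBJECT_BAIT):
        clues.add("receipt-bait-subject")
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(WORD_EXT):
            clues.add("word-attachment")
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in re.findall(r"https?://[^\s\"'<>]+", body):
                host = urlparse(url).hostname or ""
                if host in SHORTENERS:
                    clues.add("shortened-link")
                elif not in_apple_domain(host):
                    clues.add("non-apple-link")
    return sorted(clues)
# Constructed sample message (not real mail); example.net is a placeholder host.
SAMPLE = """\
From: "Apple Support" <billing@apple.com.example.net>
Subject: Your Receipt ID 0000
Content-Type: multipart/mixed; boundary="b1"

--b1

Cancel the order: https://tinyurl.com/constructed-sample
--b1
Content-Type: application/msword; name="invoice.docx"

--b1--
"""
```

The From header is trivially forged, so a message that passes the sender check is not thereby proven genuine. Treat these clues as triage signals and rely on the receiving server's SPF, DKIM, and DMARC results for sender authentication.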
Give Your Apple ID Phishing Protection a Boost
To make sure your Apple ID is not low-hanging fruit for threat actors, use the following recommendations that will step up your defenses against these increasingly widespread scams.
- Use a web browser with built-in phishing prevention features. For example, Google Chrome delivers this kind of protection.
- Never open email attachments received from strangers.
- When an email comes with a link, hover your mouse over it before clicking. This will reveal the underlying URL. If it looks dubious, stay away from it.
- Add an extra security layer to your Apple ID and other accounts by enabling two-factor authentication (2FA).
- Use the newest version of macOS or iOS your device can run.
- Stay up-to-date with cybersecurity highlights posted on authoritative websites.
In most cases, you do not have to reinvent the wheel to stay safe. Apple’s recommendations on this matter work wonders. The company provides a series of articles that cover the ins and outs of securing your Apple ID. The following resources are definitely worthwhile:
- Apple’s knowledge base on phishing and other sketchy emails.
- How to determine whether an email actually comes from Apple.
- What to do if you suspect your Apple ID has been compromised.
- How to identify and avoid phishing, tech support scams, and other hoaxes.
- The basics of Apple ID security.
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
https://www.linkedin.com/in/david-balaban/
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com