A week ago I reported on my personal blog how criminals were spamming out SMS messages that claimed to come from Apple, but were actually designed to steal personal information for the purposes of identity theft.
The messages all used a cunning piece of social engineering – posing as a notice from Apple that the recipient’s Apple ID was due to expire that very day – to get unsuspecting users to click on a link to a phishing website.
The SMS messages were even more convincing because they referred to recipients by name, most likely fooling some into believing that there was a genuine reason to act upon the alert and visit the site pointed to by the criminals.
Although the site the criminals were initially using – appleexpired.co.uk – was quickly blocked by the major web browsers and taken down, that didn’t take the wind out of the criminals’ sails.
In the days since, it has become clear that the identity thieves have registered a series of other domains – all claiming to be related to Apple or Apple ID.
Examples have included icloudauth.co.uk, mobileicloud.uk, and icloudmobile.co.uk.
And today I received a message from a reader who has been sent a new version of the scam, pointing to a phishing site that – at the time of writing – remains online.
Clicking on the link (which, of course, I don’t recommend) takes you to a fake Apple ID login page.
However, you would be wrong to think that this is just an attempt by the criminals to steal your Apple ID password – bad as that would be.
Because as soon as you enter a username and password – in fact, even if you enter completely bogus credentials – you will be told that your Apple ID has been “locked for security reasons”.
Of course, the message is nonsense. This isn’t the real Apple ID website, and your Apple ID hasn’t been locked.
What the criminals are now trying to do (having already purloined your Apple ID password) is see what other sensitive personal information they can steal from you, while you’re in a blind panic that you won’t be able to buy anything from iTunes.
If you’re not careful, you’ll soon have handed the criminals your full name, date of birth, address, payment card details (including security code), and even coughed up the answer to a security question!
In short, this is much more than an attempt to raid Apple ID accounts – although I’m sure the criminals will have no problems with doing that too.
One question remains: where have the criminals got people’s names from? The SMS messages they are sending out include recipients’ real names. However, the fact that some users are receiving the messages on Android devices (as can be seen in the screenshot I include above) suggests that the scammers may not have been able to target their attacks perfectly to only Apple users.
If you come across a phishing webpage that you believe your web browser should be blocking, you could do a lot worse than report it to Google’s Safe Browsing team.
Do that and, with any luck, the webpage will not only soon be blocked, but you will also have done your bit to make the internet a safer place for everybody.
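The domains named in this article all borrow an Apple brand word while sitting outside Apple's own domains, and that pattern can be checked mechanically before a link is reported or blocked. The following Python sketch is an added example, not part of the original article: the official-domain list, the brand-word list and the sample messages are assumptions constructed for illustration.

```python
import re

# Assumption: domains Apple itself uses for Apple ID and iCloud sign-in.
OFFICIAL_DOMAINS = ("apple.com", "icloud.com")
# Assumption: brand words a lookalike domain is likely to borrow.
BRAND_TOKENS = ("apple", "icloud", "itunes")

# An optional scheme followed by a dotted hostname.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)

def is_official(host):
    """True only for an official domain or a subdomain of one.

    The match is made on a dot boundary, so a host that merely ends
    in the characters 'apple.com' does not pass.
    """
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def suspicious_hosts(sms_text):
    """Return hosts in the message that use a brand word but are not official."""
    flagged = []
    for host in HOST_RE.findall(sms_text):
        host = host.lower()
        if is_official(host):
            continue
        if any(tok in host for tok in BRAND_TOKENS) and host not in flagged:
            flagged.append(host)
    return flagged

# Constructed sample messages; only the domains in the first two come from the article.
SAMPLE_SMS = [
    "Your Apple ID is due to expire today. Visit http://appleexpired.co.uk to renew.",
    "Apple ID alert: confirm your details at icloudauth.co.uk",
    "Sign in at https://appleid.apple.com to manage your account.",
    "Your parcel is waiting, see parcel-tracking.example",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(suspicious_hosts(sms), "<-", sms)
```

A hit is a reason to look closer and report the link, not proof of phishing, and a domain that avoids brand words entirely will not be flagged.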
by Graham Cluley, ESET We Live Security