Hackers are using fake phishing domains to trick Apple users into giving up their Apple ID credentials, according to a new report from FireEye.
Since the beginning of 2016, FireEye has tracked a number of phishing campaigns targeted against Apple users. The phishing campaigns all include some form of a lure to trick unsuspecting users into entering their Apple ID into a fake login screen. All Apple device owners use the Apple ID to get access to the company’s services, including iTunes, App Store and iCloud data backups.
As part of the subterfuge, the phishing campaign emails direct users to seemingly legitimate looking Apple sites that are hosted on domains that have the word “Apple” in them, but are not associated in any way with the company. Among the domains are various combinations of the words, Apple and iCloud, including iCloud-Apple-apleid.com, appleie-xyw.com and iow-web-Apple.com.
Since the beginning of 2016, FireEye has discovered 240 phishing domains attempting to trick users into thinking they were Apple Inc. Of those, FireEye found 86 targeting U.K. customers since January. Domains specifically going after Chinese users are also common, with FireEye reporting 32 different domains registered in March alone.
While FireEye was able to identify the spam domains targeting Apple users, it’s not clear how many potential victims may have been exposed to the phishing domain campaigns.
“Our system is designed to detect newly registered malicious domains,” Fahim Abbasi, principal malware researcher at FireEye, told eWEEK. “We are not able to answer if there are specific targets.”
Looking across the 240 different Apple spam domains, FireEye found 154 unique email addresses were used to register the domains. Of those email addresses, 64 were on the qq.com email domain in China and 36 registrants had unique gmail.com email accounts.
Going a step further to try and determine some form of attribution for the malicious spam domains, FireEye found that the observed Apple spam domains in China were pointing at 13 unique IP addresses found in the United States and China. All of the U.K. spam domains were pointing to IP addresses in the United Kingdom.
Abbasi noted that FireEye observed a peak of Apple spam domain registrations in the first quarter of 2016, but has seen a gradual decrease since then.
“We are now starting to log this information to get a better breakdown of stats,” Abbasi said.
From a user protection standpoint, the actual address for a link or a Website is generally viewable by users, either in a browser or when they hover over an email link. As such, a cautious, informed user should be able to avoid falling prey to the Apple phishing domain campaigns. That said, Abbasi noted that not all users are informed of the risks of phishing and all the domains listed contain keywords like: “Apple,” “iTunes” and/or “iCloud.”
“Attackers exploit the human trust model, as we tend to trust brand names, and uses that to lure their victims into clicking and interacting with the phishing page,” Abbasi said. “The majority of Internet users are not savvy enough to detect these minor variations in legitimate-looking-phishing URLs.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
