Apple hack exploited with new phishing campaign

Apple hack exploited with new phishing campaign

Summary: In the usual manner of scammers, new phishing emails have surfaced which take advantage of Apple's security vulnerabilities.

SHARE:
TOPICS: Apple, Security
12

In order to make sure a phishing campaign works, the victim has to believe an email is legitimate. It's no surprise that the Apple security breach is the latest event to be taken advantage of.

Phishing attacks are a relatively simple way to steal data. Users click on an email they believe to be legitimate, allowing malware to be installed or submitting login details for a service, whether it be a fake bank email, service, or the Spanish lottery. Perhaps if you're particularly lucky, there is a wealthy gentlemen in Africa who wants to transfer millions of dollars to your account -- but only if you forward along some of the costs in advance, of course.

Phishing campaigns have advanced from the days of poorly-written English and laughable stories. Now, some scammers take pains to make sure the email looks legitimate, from including a PayPal logo to the typical disclaimer of a bank at the bottom. Once clicked on, users are often directed to legitimate-looking websites set up to store the credentials you input.

In a new campaign, the recent service outage of Apple's Dev Center has prompted a flood of phishing emails asking users to change their passwords -- and short as the email is, to the average user, it may be viewed as legitimate.

Screen Shot 2013-07-25 at 08.56.42

As well-done as the email is, the grammar mistake in the title is a dead giveaway -- not to mention the missing capital letter in 'Apple' -- and the site that it points to is not a legitimate Apple domain.

BPxjGltCIAItMfy

Users have taken to Twitter to warn others of the phishing attacks, and security firm Kasperky Lab has found that Apple-related phishing scams have skyrocketed in the last six months, with scammers focused on stealing login credentials and financial data.

The lesson here? Scammers often use emotional response or threats to remove a service in a specific time frame to induce panic in a user -- which in turn may make them less likely to double-check a domain before frantically inputting their login details.

Apple's recent breach is simply the latest example in such tactics.

The original reason that Apple's developer portal was taken offline may not have been malicious, but it has opened the floodgates for others with just these intentions.

This month, Apple's Dev Center went down for "maintenance for an extended period," leading users to wonder whether the iPad and iPhone maker's website had suffered a security breach. Apple later admitted that "an intruder attempted to secure personal information of our registered developers from [the] developer website."

Ibrahim Balic, a London-based researcher, then took to Twitter to claim responsibility for the issues, stating that his intentions were not malicious, and the the tech giant had been informed of a total of 13 flaws. To prove his claims, Balic posted a YouTube video explaining the process, which was later removed. However, you can still view an embedded version here.

The home page is now accessible, but the members-only area remains shut. Apple is currently working to make sure every security vulnerability is removed and you can check the current status here.

Topics: Apple, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

12 comments
Log in or register to join the discussion
  • Numerous other grammatical mistakes

    And awkward English that native English speakers should pick up on. "Fraudsters" was my favorite.

    I try to teach users not to click on links in email. I stress to them to manually type out the real address themselves. Human nature being what it is I also teach users to hover their mouse over links and see where that link wants to take them. In this case it would not be ...apple.com.
    MajorlyCool
    • 'Fraudster's is OK English these days...

      but the errors you should have caught are in, "Before log in to your account will be Confirmed, let us know right away". They are 1) use of "log in" not "login", 2) capitalizing 'Confirmed' and 3) the total disconnect between primary and secondary clauses: let them know WHAT right away? That the user logged in?
      mejohnsn
  • MAC users......

    This just proves the misconception that Apple users are smarter than Windows or Linux users. While fans of OS's hate each other, no one stops to state the obvious-any compnay can (eventually perfect" their OS, but it's the end user who has to be smart enough to not be so stupid to fall for the scams. The scams will evolve as time passes on, and no matter how many times you warn computer users, someone will click that link and voila-you're infected. Then the user will immediately blame the OS. At the same time, people who click on these links help the OS become safer, as updates are issued and future versions strengthened. Personally, if I ever want to click on something dubious, I fire up a Linux live CD (DVD) and go for it. Curisity still kills the cat, but using a Live CD and then rebooting brings him back!
    Charles_B
    • Hating on Apple remains a poor reason to use a bad OS...

      ...where you have to use Linux as a backup because it's so incredibly insecure.

      There are all types of Mac users, and all types of Windoze users (many have no choice in the matter). Anyone with a real choice in the matter would go with the Apple stuff, IYAM. Not that everything else has not been pattered after Apple stuff, and designed to work 'just as well' it's just that it doesn't.
      comp_indiana
      • RE: Choosing

        Many, many many more users with real choice have been going with Windows over Apple for a long time. With Windows 8 and the tablet explosion but Windows dominance is gone (but not irrelevant). Replacement of Windows is not so much by Apple as much as Android.
        edkollin
        • Windows dominance gone?

          It's still on 90% of desktops. Windows continues to dominate, and Will continue to.
          jamz2277
      • Still at the Windows hate

        I can spot your posts right away with the absurd "Windoze" comments.

        Before Vista, I liked Mac OS far more than Windows. I even liked Apple computer hardware over most PC variants such as MacBook Pro, iMac, MBA, etc. The iPhone was the first smartphone to really get that segment right and the same for iPad with tablets. Never cared for the iPod due to its proprietary nature but I love the build quality and UI of the devices.

        With all of that said, Apple is being left behind. Their hardware quality can now be found in devices such as HTC One, Surface, etc. Innovation of hardware with touch screen hybrids, Lumia 1020 camera, etc. Android 4.3 is setting the standards for mobile and Microsoft Phone 8 is just as simple to use with an eloquent UI. Etc. And Windows 8 is, IMHO, the best OS out there right now.

        Apple, after Jobs, still could rise to the top with the great people that make up the company. But they have fallen behind for sure and the alternative choices are now just as good if not better in many of their sectors.
        Rann Xeroxx
  • Apple needs to take a hint from Google (yes, I said it!)

    Google has a "two step verification" process, in which it sends a code to your phone via text message and after you enter your username and password, then you enter the code provided in said text message (this is for logging into GMail, etc).
    Richard Estes
    • Apple too have it

      Apple too have a two steps verification for authorization.

      Phishing doesn't need you to verify it just compromise your account.

      Yes I said it, childish but satisfying.

      And phishing is nothing new and is here to stay and it will happen to all OSs and if a developer is duped then he deserved it because he should know better.
      AdanC
    • Actually, they DO Take Hints

      Apple, Google, Yahoo! and M$FT are all taking hints from each other and aping each other. The sad part is that they rarely take the GOOD hints:(
      mejohnsn
    • This is user education, not much a vendor can do...

      No matter what Google, Apple, Microsoft, etc do, you can stop users from being users. Even if the vendors figure out some way to patch their systems, hackers find some other way that rely on user interaction to bypass security.
      Rann Xeroxx
      • yes

        Agree with u. Users r usually the weakest link. Don't blame Apple or MS for that
        ThinkFairer8