Apple hack exploited with new phishing campaign

Summary:In the usual manner of scammers, new phishing emails have surfaced which take advantage of Apple's security vulnerabilities.

In order to make sure a phishing campaign works, the victim has to believe an email is legitimate. It's no surprise that the Apple security breach is the latest event to be taken advantage of.

Phishing attacks are a relatively simple way to steal data. Users click on an email they believe to be legitimate, allowing malware to be installed or submitting login details for a service, whether it be a fake bank email, service, or the Spanish lottery. Perhaps if you're particularly lucky, there is a wealthy gentlemen in Africa who wants to transfer millions of dollars to your account -- but only if you forward along some of the costs in advance, of course.

Phishing campaigns have advanced from the days of poorly-written English and laughable stories. Now, some scammers take pains to make sure the email looks legitimate, from including a PayPal logo to the typical disclaimer of a bank at the bottom. Once clicked on, users are often directed to legitimate-looking websites set up to store the credentials you input.

In a new campaign, the recent service outage of Apple's Dev Center has prompted a flood of phishing emails asking users to change their passwords -- and short as the email is, to the average user, it may be viewed as legitimate.

Screen Shot 2013-07-25 at 08.56.42

As well-done as the email is, the grammar mistake in the title is a dead giveaway -- not to mention the missing capital letter in 'Apple' -- and the site that it points to is not a legitimate Apple domain.

BPxjGltCIAItMfy

Users have taken to Twitter to warn others of the phishing attacks, and security firm Kasperky Lab has found that Apple-related phishing scams have skyrocketed in the last six months, with scammers focused on stealing login credentials and financial data.

The lesson here? Scammers often use emotional response or threats to remove a service in a specific time frame to induce panic in a user -- which in turn may make them less likely to double-check a domain before frantically inputting their login details.

Apple's recent breach is simply the latest example in such tactics.

The original reason that Apple's developer portal was taken offline may not have been malicious, but it has opened the floodgates for others with just these intentions.

This month, Apple's Dev Center went down for "maintenance for an extended period," leading users to wonder whether the iPad and iPhone maker's website had suffered a security breach. Apple later admitted that "an intruder attempted to secure personal information of our registered developers from [the] developer website."

Ibrahim Balic, a London-based researcher, then took to Twitter to claim responsibility for the issues, stating that his intentions were not malicious , and the the tech giant had been informed of a total of 13 flaws. To prove his claims, Balic posted a YouTube video explaining the process, which was later removed. However, you can still view an embedded version here .

The home page is now accessible, but the members-only area remains shut. Apple is currently working to make sure every security vulnerability is removed and you can check the current status here.

Topics: Apple, Security

About

Charlie Osborne, a medical anthropologist who studied at the University of Kent, UK, is a journalist, freelance photographer and former teacher. She has spent years travelling and working across Europe and the Middle East as a teacher, and has been involved in the running of businesses ranging from media and events to B2B sales. Charli... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.