FireEye uncovers phishing campaigns targeting Apple users

FireEye has reported a number of malicious phishing campaigns originating from phony Apple domains, targeting iCloud users in China and the United Kingdom.
Written by Asha Barbaschow, Contributor

Security firm FireEye has found malicious phishing campaigns targeting Apple iCloud users through the use of phony Apple domains.

FireEye has reported that since January this year, several phishing campaigns have targeted the Apple IDs and passwords of Apple users in China and the United Kingdom.

An Apple ID is provided to all of Apple's customers, allowing users access to services such as iCloud, the iTunes Store, and the App Store. According to FireEye, anyone with access to an Apple ID, password, and some additional information, such as date of birth and device screen lock code, can completely take over the device and use the credit card information to impersonate the user and make purchases via the Apple Store.

One of the phishing kits found by FireEye, named zycode, targeted Apple users in China by mimicking over 30 Apple domains, appearing as an Apple login interface for Apple ID, iTunes, and iCloud designed to lure people into submitting their Apple IDs.

"The domains were serving highly sophisticated, obfuscated, and suspicious JavaScripts, which was creating the phishing HTML content on the web page. This technique is effective against anti-phishing systems that rely on the HTML content and analyse the forms," the company said.

"Since January 2016 to the time of writing, the [malicious domain detection] system marked around 240 unique domains that have something to do with Apple ID, iCloud, or iTunes. From these 240 domains, we identified 154 unique email registrants with 64 unique emails pointing to qq.com, 36 unique Gmail email accounts, and 18 unique email addresses each belonging to 163.com and 126.com, and a couple more registered with 139.com."

FireEye's email attacks research team found another targeted phishing campaign against Apple users in the UK, with 86 Apple phony phishing domains observed since January 2016. The phony domains have been serving the same phishing content, FireEye said, with a user redirected to what appears to be a legitimate Apple website.


Screenshot of the phishing page as seen by the victims in the browser.

Image: FireEye

The fake page loads what FireEye called a highly obfuscated JavaScript in the web browser which it said on execution generates the phishing HTML code at runtime to evade signature-based phishing detection systems.

On submitting a username and password into the legitimate-looking sign-in form, the user is told that the Apple ID provided has been locked and that they must unlock it.

When the user begins the unlocking process, they are presented with a request for personal information such as name, date of birth, telephone numbers, addresses, credit card details, and security questions.

"While filling out this form, we observed that the country part of the address drop-down menu only allowed address options from England, Scotland, and Wales, suggesting that this attack is targeting these regions only," FireEye said.

FireEye said the customer is then congratulated for unlocking their Apple ID, then redirected to the authentic Apple page.

Editorial standards