An Apple ID is provided to all of Apple's customers, allowing users access to services such as iCloud, the iTunes Store, and the App Store. According to FireEye, anyone with access to an Apple ID, password, and some additional information, such as date of birth and device screen lock code, can completely take over the device and use the credit card information to impersonate the user and make purchases via the Apple Store.
One of the phishing kits found by FireEye, named zycode, targeted Apple users in China by mimicking over 30 Apple domains, appearing as an Apple login interface for Apple ID, iTunes, and iCloud designed to lure people into submitting their Apple IDs.
"Since January 2016 to the time of writing, the [malicious domain detection] system marked around 240 unique domains that have something to do with Apple ID, iCloud, or iTunes. From these 240 domains, we identified 154 unique email registrants with 64 unique emails pointing to qq.com, 36 unique Gmail email accounts, and 18 unique email addresses each belonging to 163.com and 126.com, and a couple more registered with 139.com."
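The tally in the quote above (brand-related domains, unique registrants, registrant emails grouped by mail provider) is the kind of triage a defender can automate over a domain feed. The following is an added example, not FireEye's system or code; the records, the `.example` domains and the allow-list are constructed for illustration.

```python
from collections import Counter

# Constructed sample of (newly registered domain, WHOIS registrant email) pairs.
SAMPLE_RECORDS = [
    ("appleid-verify.example", "a1@qq.com"),
    ("icloud-unlock.example", "b2@gmail.com"),
    ("itunes-billing.example", "c3@163.com"),
    ("apple-support-uk.example", "d4@126.com"),
    ("secure-login.example", "e5@qq.com"),   # no Apple brand term: not flagged
    ("myappleid.example", "a1@qq.com"),      # same registrant as the first entry
    ("www.apple.com", "hostmaster@apple.com"),  # allow-listed legitimate host
]

BRAND_TERMS = ("apple", "icloud", "itunes")
# Hypothetical allow-list of domains that legitimately carry the brand.
ALLOWLIST = {"apple.com", "icloud.com"}


def is_apple_lookalike(domain: str) -> bool:
    """Flag a host that carries an Apple brand term but is not Apple's own."""
    host = domain.lower().rstrip(".")
    if any(host == a or host.endswith("." + a) for a in ALLOWLIST):
        return False
    return any(term in host for term in BRAND_TERMS)


def registrant_provider(email: str) -> str:
    """Mail provider part of a registrant address, e.g. 'qq.com'."""
    return email.rsplit("@", 1)[-1].lower()


def summarise(records):
    """Count flagged domains, unique registrant emails, and emails per provider,
    mirroring the breakdown FireEye reports in the quote."""
    flagged = [(d, e) for d, e in records if is_apple_lookalike(d)]
    emails = {e.lower() for _, e in flagged}
    per_provider = Counter(registrant_provider(e) for e in emails)
    return {
        "flagged_domains": len(flagged),
        "unique_registrants": len(emails),
        "per_provider": dict(per_provider),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_RECORDS))
```

Registrants that reappear across many flagged domains are a useful pivot for grouping a campaign's infrastructure before blocking.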
FireEye's email attacks research team found another targeted phishing campaign against Apple users in the UK, with 86 phony Apple phishing domains observed since January 2016. The phony domains have been serving the same phishing content, FireEye said, with the user redirected to what appears to be a legitimate Apple website.
On submitting a username and password into the legitimate-looking sign-in form, the user is told that the Apple ID provided has been locked and that they must unlock it.
When the user begins the unlocking process, they are presented with a request for personal information such as name, date of birth, telephone numbers, addresses, credit card details, and security questions.
"While filling out this form, we observed that the country part of the address drop-down menu only allowed address options from England, Scotland, and Wales, suggesting that this attack is targeting these regions only," FireEye said.
FireEye said the customer is then congratulated for unlocking their Apple ID and redirected to the authentic Apple page.