The Apple phish are flying

The news of the new iPhones and the leaked celebrity photos create an atmosphere in which users might act rashly when presented with a message purportedly from Apple.
Written by Larry Seltzer, Contributor

After a week of big Apple news it's no surprise that the authors of phishing emails would focus on Apple, and that appears to be what has happened. I have received one myself and read reports of others.

The Internet Storm Center at the SANS Institute reports on one using the "your account is about to expire" hook. The language is awkward and confusing, so even if you missed any technical clues that it was illegitimate, reading carefully should arouse suspicion. What does this actually mean, other than "click the link"?

    "We inform you that your account is about to expire in less 48 hours, it's imperative to update your information with our audit forms, otherwise your session and/or account will be a limited access."

The English in the rest of the message isn't much better. As the ISC says, it fits the usual pattern for phishing, taking advantage of public events (the release of the new iPhones and the leak of celebrity photos).


The message I received (an image of which is below) is much more professional. I'm very good at spotting these things, but I had to look carefully to notice this one. It claims that the credit card on my Apple ID has been changed; if this was in error I should log in and reset my password at the handy link.

The text of the link is a domain: iforgot.apple.com, which is the genuine site for Apple's password reset page for Apple IDs. The target of the link, as you can see in the nearby image, is actually a WordPress page on another site (a roofing company in Alabama, one which probably was running an old and vulnerable version of WordPress). It was by hovering over the link in the message in Outlook, which reveals the target of the link, that I became satisfied it was a phish. The phishing page has been taken down.

Everything else about the message is credible and well-written. The address details are for Greece, but if the reader gets that far they are already suspicious. The message itself appears to have originated from the Verizon FiOS network, through a server in Indonesia and then back to me.

There's not much really new here, but you should remember, and remind others who might not be so alert, to be on the lookout and not to inherently trust such messages.
