- Scammers misuse Apple’s email domain to send callback phishing messages
- Technique exploits Apple ID creation fields to embed fake purchase alerts
- Victims are tricked into calling scammers who then steal sensitive data or gain remote access
Fraudsters have found a way to abuse Apple’s email notification system to deliver phishing messages and trick people into giving away sensitive data and system access.
Recently, people started receiving emails from the email.apple.com domain notifying them of an $899 iPhone purchase via PayPal. The email also shared a phone number that victims could call to “cancel” the order.
These are your usual run-of-the-mill ‘callback’ phishing emails that trick the victim into calling the provided phone number in a panic. While on the phone, the scammers convince the victim to share sensitive information or provide remote access to their computer. That way, the fraudsters are able to make wire transfers and ultimately clear people’s bank accounts.
Abuse of mailing list
What makes this campaign stand out is the use of Apple’s email domain. What the scammers really did was abuse the Apple ID creation process. When you create a new account, the first and last name fields can accept so many characters that crooks can fit an entire phishing message in there.
Then they change the account’s shipping information, triggering Apple’s security alert. That alert is not sent to the victim, however, but to the scammer’s own email address. The final step is to use a mailing list to distribute the email to multiple targets.
The mailing list technique is nothing new either. We’ve seen it numerous times in the past, with big names like Google, Amazon and Microsoft all being abused in the same way. Apple was similarly exploited last September, when crooks abused iCloud calendar invites to achieve the same results.
In general, any email that comes from reputable brands and carries a sense of urgency should be treated with great skepticism. Being asked to call a phone number listed in the email is another red flag. The best way to double check for possible issues is to navigate directly to the company’s website and look for contact information there.
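For mail filtering, the traits described above can be checked directly. The following Python sketch is an added example, not code from Apple or from the original report. It assumes the receiving mail system records the envelope recipient in a Delivered-To header and that the account name is rendered in the greeting line; the sample message, its addresses and its phone number are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample (not a captured message): a vendor alert addressed to one
# mailbox and redelivered to another, with a lure in the greeting's name slot.
SAMPLE = """\
From: Apple <noreply@email.apple.com>
To: list-owner@example.net
Delivered-To: reader@example.org
Subject: Your account information was updated

Dear $899 iPhone purchase via PayPal. To cancel call +1 (555) 010-0199,

The shipping information for your account was changed.
"""

PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
MONEY = re.compile(r"[$€£]\s?\d")
ACTION = re.compile(r"\b(call|cancel|refund|dispute)\b", re.I)
GREETING = re.compile(r"\s*(dear|hello|hi)\b(.*)", re.I)


def callback_indicators(raw):
    """Return indicator names; the sender domain is ignored on purpose,
    because the mail really does originate from the vendor."""
    msg = message_from_string(raw)
    findings = []

    # 1. Alert was addressed to someone else and reached this mailbox via a list.
    addressed = {a.lower() for _, a in
                 getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    delivered = parseaddr(msg.get("Delivered-To", ""))[1].lower()
    if delivered and delivered not in addressed:
        findings.append("recipient_mismatch")

    # Plain-text parts only; HTML bodies would need tag stripping first.
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")

    # 2. Greeting line (assumed to render the account name) carries a lure.
    lines = [l for l in body.splitlines() if l.strip()]
    m = GREETING.match(lines[0]) if lines else None
    if m and (PHONE.search(m.group(2)) or MONEY.search(m.group(2))):
        findings.append("name_field_payload")

    # 3. Body asks the reader to phone a number.
    if PHONE.search(body) and ACTION.search(body):
        findings.append("callback_lure")
    return findings
```

Any single indicator is weak on its own; the combination of a recipient mismatch with a phone number in the greeting is what separates this pattern from an ordinary account alert.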
Via Bleeping Computer



