Good day, welcome to another bulletin from Breaking Scams…
Scam, just in…
This week’s scam is a classic. I have received a number of these phishing emails, in the last 7 days, all very similar in tone and wording. So, don’t be surprised if you receive one or more very similar phishing emails. See below for examples of the emails.
The scam uses all of the elements of traditional email phishing. Let’s have a look at what they are:
Phishing Hook 1: Trusted Brand
The email looks like it has come in from a well-known brand. In this case Apple Inc. Phishing emails masquerade as well-known brands to piggyback on the trust that the brand has established with its customers. The Apple brand has often been a favourite of the cybercriminal. Back in 2014, Apple was the most frequently targeted brand by phishers.
Using a well-known brand also increases the likelihood that the recipient has an existing account, thereby increasing the chances that person will believe the email content and act upon it.
Cybercriminals will continue to use brands like Apple while they continue to have successful phishing campaigns.
Phishing Hook 2: Level of Trust – cc To Real Email Addresses in Apple
One of the received phishing emails contained genuine Apple email addresses in the CC line. Again, this is to establish a level of trust in the email. However, if you look at the from email address, you will notice that is it most definitely not from Apple. In fact, one such email address was:
“firstname.lastname@example.org” – I’m fairly sure that this isn’t a real Apple email account.
Phishing Hook 3: Urgency and Concern
Both email examples (shown below) used a degree of urgency to trick the user into executing the purpose of the email. The first email talked about an order/booking which I had placed, hopefully making me worry that an unexpected order had been placed using my account. The second highlighted that an “unauthorised change” has been made to the recipient’s account.
What Was the Phish?
The two email examples were very similar in the way in which they attempted to trick the user into doing their bidding, each using two or more of the phishing hooks above. However, the mode of action was different in each:
Phishing Email 1: Contains an infected PDF as an attachment. If a user double-clicks to open the attachment a software program will run and infect the computer with malware.
Phishing Email 2: The email contains a link to fix the “unauthorised change” using wording: “If you did not make these changes, or if you believe an unauthorised person has accessed your account, you should change your password as soon as possible from your Apple ID account page”. If you click on the link it takes you to a webpage which asks you to enter personal details. Once you click Submit, those details will be sent to the cybercriminal behind the scam.
Spotting a Scam Email
There are several ways to spot if an email is a scam:
- Is the email greeting generic, e.g., Dear Customer, or even Dear your email address. If so, it is almost certainly a phishing email.
- The sender email address is different from the company domain name. However, be aware that phishers can be clever and often use very similar email addresses to fool you, e.g., email@example.com is legitimate but firstname.lastname@example.org is not.
- Misspelled words are often a clue an email is not legitimate.
- If you click on a link in the email, the URL of the site does not match the URL of the legitimate company. However, as in 2 above, phishers can use very similar looking URLs so be careful.
If you believe that an email you received purporting to be from Apple is a phishing scam, you can report the email to email@example.com.
Why not help your colleagues in infosec stay safe and share this post – or, alternatively, feel free to copy and paste the below for sharing:
Apple Inc. Scam Emails
A number of emails look like they have been sent by Apple Inc. but are in fact a scam. The emails have several forms to steal data and/or infect your computer. One form includes malware-infected attachments, another a link to a spoof site which is then used to steal personal data and/or login credentials to a real Apple account.
Be wary of these emails. Never click on a link, always go directly to your Apple ID account by typing the Apple URL into a browser and logging in from there.
Never open an attachment in an email unless you are 100% sure that its origin is safe.
Don’t forget to share this with your colleagues and friends and help them stay safe.