Apple users should be on high alert after a fresh SMS phishing scam was exposed that uses sophisticated online trickery in an attempt to compromise Apple ID credentials. Commenters on social media first reported the issue in early April after receiving a suspicious text message that read: "The Apple ID associated with this number is due to be terminated. To prevent this, please confirm your details at supportatapple.com – Apple Inc."
Phishing is a popular technique used by cybercriminals that 'fishes' for sensitive information via email – and now mobile – by purporting to come from a legitimate contact or business and fooling an unsuspecting user into clicking a malware-ridden link. Often, these scams are bolstered by information gleaned from social media profiles such as Facebook, LinkedIn and Twitter to appear convincingly personalised.
In this latest case, a user who clicked the embedded link would be sent straight to a replica website created to mirror the real Apple login page. However, as security-conscious web users would quickly notice, the URL for the page is appleexpired.co.uk, which, upon inspection, is not an official Apple link.
After clicking through, the user would be asked to input personal information including date of birth, telephone number, address, and credit card details to 'verify' their account. Yet, as reported by security researcher Graham Cluley, no matter what was entered, the website would bring up a message saying the Apple ID had been 'locked for security reasons'. At the same time, all of the user's data would be sent straight to the server of the cybercriminal responsible for setting up the scam.
"The phoney website... is designed to grab your personal information and pass it straight on to online criminals," said Cluley, who also posted images of the fake website in question. "They could use those details to commit fraud, or sell your credentials on to other crooks on the computer underground. That's obviously even worse news if you have made the mistake of reusing your passwords across the net."
He added: "One obvious question remains. Where did the attackers get the list of names and mobile phone numbers from to target their potential victims with the initial phishing SMS message?" IBTimes UK contacted Apple for comment but had received no response at the time of publication.
While most security-minded internet users are unlikely to easily fall for such a scam, unsuspecting victims may not be accustomed to the common warning signs of phishing scams – such as dodgy URL links, bad grammar or unsolicited requests for personal information.
Indeed, according to a fresh Internet Security Threat Report released by Symantec on 12 April, phishing is becoming an effective cybercrime technique. "Cybercriminals are increasingly moving towards more complex email threats, where malware authors, ransomware creators, phishers, and scammers will seek to exploit what they perceive to be the weakest link in the chain – humans," the detailed annual report found.
Furthermore, for firms that perhaps should know better, phishing remains a viable threat. Recently, technology firm Snapchat was successfully targeted by such an attack that resulted in the loss of internal payroll data of its California-based employees.
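The "dodgy URL" warning sign described above can be checked mechanically. The following is an added example, not code from the article or from Apple: it pulls hostnames out of a text message and flags any that embed the brand name without sitting under an official domain. The allowlist and brand tokens are assumptions chosen for illustration, and `apple.com.verify.example` is a constructed sample host.

```python
import re

# Assumption: illustrative allowlist, not a complete list of Apple-owned domains.
OFFICIAL_DOMAINS = ("apple.com", "icloud.com")
# Brand strings a lookalike host is likely to embed (assumed for this example).
BRAND_TOKENS = ("apple", "icloud")

# Matches URLs with a scheme and bare hostnames, as SMS lures often omit "https://".
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


def extract_hosts(message):
    """Return every hostname-like token in the message, lower-cased."""
    return [m.group(1).lower() for m in HOST_RE.finditer(message)]


def classify(host):
    """Return 'official', 'lookalike' or 'unrelated' for one hostname."""
    host = host.lower().rstrip(".")
    # Suffix match on a label boundary: a substring test would wrongly accept
    # hosts that merely contain "apple.com" somewhere in the name.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def flag_message(message):
    """Return the hosts in a message that imitate the brand."""
    return [h for h in extract_hosts(message) if classify(h) == "lookalike"]


if __name__ == "__main__":
    # SMS text as quoted in the article.
    sms = ("The Apple ID associated with this number is due to be terminated. "
           "To prevent this, please confirm your details at supportatapple.com "
           "- Apple Inc.")
    print(flag_message(sms))
    # Hosts: two from the article, one real Apple host, one constructed sample.
    for h in ("appleexpired.co.uk", "appleid.apple.com", "apple.com.verify.example"):
        print(h, "->", classify(h))
```

The brand-token test is a substring heuristic, so it will also flag unrelated names that happen to contain the token; treat a hit as a signal for review rather than a verdict.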