After a massive Google Docs phishing scam hit users across the web, a new and relatively little-known iCloud phishing scam is making its way onto Apple devices, designed to steal credit card data as well as access the device's camera.
Like most phishing scams, this one originates from an email in which the hackers pose as Apple. The email informs the user that their iCloud account is on hold because of unusual sign-in activity through an unknown browser, mirroring a standard procedure performed by Apple. However, the email is a scam and contains a malicious link that users are asked to click to change their password.
An example of the phishing email reads: "Your Apple ID was used to sign in to iCloud via a web browser. Date and Time: 30/04/2017 Browser: Google Chrome Operating System: Windows 8 Address IP: 188.8.131.52. If the information above looks familiar, you can disregard this email. If you have not signed in to iCloud recently and believe someone may have accessed your account, go to My Apple ID and change your password as soon as possible. Click Here."
On clicking the link, users are directed to a phishing page that looks exactly like the Apple support page and are asked to enter their ID and password.
Users are then directed to more pages asking for credit card data, plus their home address, phone number, date of birth and even a scan of their government-issued ID card or driving license. If a user chooses to skip the page asking for the government ID, the page redirects them to a website that accesses their device's camera and microphone to take a photo of the ID.
While Google Chrome has been able to detect the scam and has marked the phishing domain as "Deceptive," other popular browsers like Firefox, Opera, and Apple's own Safari do not show any warning messages. The latest phishing scam is a rather sophisticated one, looking to steal not only IDs and passwords but also identity documents, which hackers could potentially use for identity theft online.
A similar iPhone phishing scam hit UK users last year, in which users were warned about the expiry of their iCloud accounts. Apple confirmed at the time that it never asks for personal details when verifying an iCloud account.