
Scammers exploit Apple ID registration to send fraudulent security alerts


  • Scammers abuse Apple’s email domain to send callback phishing messages
  • Technique exploits Apple ID creation fields to embed fake purchase alerts
  • Victims tricked into calling scammers, who then steal sensitive data or gain remote access

Scammers have found a way to abuse Apple’s email notification system to deliver phishing messages and trick people into giving away sensitive data and system access.

Recently, people started receiving emails from the email.apple.com domain, notifying them of an $899 iPhone purchase via PayPal. The email also shared a phone number for the victims to call to “cancel” the order.

These are your usual, run-of-the-mill ‘callback’ phishing emails that trick the victim into calling the provided phone number in panic. While on the phone, the scammers convince the victim to share sensitive information, or grant remote access to their computer. That way, the scammers are able to make wire transfers and ultimately clear people’s bank accounts.


Mailing list abuse

What makes this campaign stand out is the use of Apple’s email domain. What the scammers really did was abuse the Apple ID creation process. When creating a new account, the first and last name fields can accept so many characters that the crooks can fit an entire phishing message in there.

Then, they change the account’s shipping information, which triggers the Apple security alert. That email, however, still doesn’t land in the victim’s inbox; it goes to the scammer’s. The final step is to use a mailing list to distribute the emails to multiple targets.

The mailing list technique is also nothing new. We’ve seen it numerous times in the past, with major names such as Google, Amazon, and Microsoft, all being abused the same way. Apple was used the same way in September last year, when crooks abused iCloud Calendar invites to achieve the same results.

Generally, all emails coming from reputable brands and carrying a sense of urgency should be treated with high skepticism. Being asked to call a phone number listed in the email is another red flag. The best way to double-check possible problems is to navigate directly to the company website and look for contact information there.
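A mail-filter check for the delivery pattern described above, added here as an example and not taken from the article or from Apple. It assumes the filter knows which mailbox a message was delivered to; the function name, signal labels, regular expressions and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

TRUSTED_DOMAINS = {"email.apple.com"}  # sender domain named in the article
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALLBACK_RE = re.compile(
    r"\b(?:call|dial)\b.{0,80}\b(?:cancel|refund|dispute)\b"
    r"|\b(?:cancel|refund|dispute)\b.{0,80}\b(?:call|dial)\b", re.I | re.S)

def _plain_text(msg):
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def callback_phish_signals(raw_message, delivered_to):
    """Return the signals raised by one message found in one mailbox."""
    msg = message_from_string(raw_message)
    senders = getaddresses(msg.get_all("From", []))
    sender_domain = senders[0][1].rpartition("@")[2].lower() if senders else ""
    addressed = {addr.lower() for _, addr in
                 getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    body = _plain_text(msg)
    signals = []
    # The alert is genuine mail from the brand, so the sender looks right; what
    # is off is that the mailbox it landed in was never one of its addressees.
    if sender_domain in TRUSTED_DOMAINS and delivered_to.lower() not in addressed:
        signals.append("trusted-sender-not-addressed-to-mailbox")
    if PHONE_RE.search(body):
        signals.append("phone-number-in-body")
    if CALLBACK_RE.search(body):
        signals.append("callback-language")
    return signals

# Constructed samples: addresses, wording and phone number are made up.
PHISH = """From: Apple <noreply@email.apple.com>
To: list-owner@example.net
Subject: Your shipping information was updated

Dear Your $899 iPhone purchase via PayPal is confirmed. To cancel call (800) 555-0199,
"""
BENIGN = """From: Apple <noreply@email.apple.com>
To: user@example.org
Subject: Your shipping information was updated

Dear Jane Doe, the shipping information for your Apple ID was updated.
"""
```

A message raising all three signals is a candidate for quarantine or a warning banner; any single signal alone is weak evidence.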


Via BleepingComputer




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
