Scammers, hackers, and cybercriminals have some tried and tested methods for targeting victims. An old classic that never seems to go out of style is the phishing email. News of a new scam seems to come around like clockwork. It would appear that no user, no matter the platform or operating system, is safe from scammers. While not necessarily new, one scam in particular is plaguing Apple users, so much so that Apple released a statement to help users identify suspicious emails. At the most basic level, a phishing scam involves sending fraudulent emails that appear to be from a reputable company, with the goal of deceiving users into either clicking on a malicious link or downloading an infected attachment. This is often done to steal financial or confidential information.
Subscription Email Scam
In February, reports began surfacing of a new phishing email scam appearing in the inboxes of App Store users. The scam is by no means novel or unique, but it is convincing. The email, which can be viewed here, appears as a subscription confirmation for a service that the user never signed up for. In the email, the user is alerted that they have signed up for a 30-day free trial to YouTube Red. The subscription will be charged 150 USD a month once the trial period ends. Any user who sees that they now have to pay a substantial amount for a service they never signed up for would respond by trying to cancel the subscription as quickly as possible. That is where the hook lies. The email provides a link to cancel the subscription.
Once users click the link, they are redirected to another webpage that prompts them to enter a range of sensitive information, from their Apple ID to their credit card details. Once the user submits the form, they can officially be called a victim. With the information provided, the scammer can go on a spending spree using the victim’s details. There has also been another example of a similar scam using almost the same technique. A user published the email on an Apple forum. This time the supposed subscription was to a Manga service and would potentially cost 20 USD if it was indeed legitimate.
Here's a sample of an Apple purchase phishing email:
The text in such scam emails is usually very similar; the main purpose of such emails is to trick computer users into clicking the "click here to cancel your purchase" link. After this, users are redirected to a phishing website where cyber criminals steal victims' user names and passwords. Here's the text presented in such phishing emails:
If you didn't make this purchase or if you believe an unauthorized person is attempting to access your account, click here to cancel your purchase.
Learn how to manage your password preferences for iTunes, iBooks and App Store purchases. To cancel your purchase.
Apple ID Password Scam
Relying on emails is not the only technique a scammer can exploit. In a blog post, well-known researcher Felix Krause showed how a scammer could easily create a fake pop-up asking for your Apple ID. The fake pop-up closely resembles the legitimate prompt Apple uses to get the user to verify their Apple ID login details. The developer explained that it is incredibly easy for an iOS app maker to recreate the Apple ID password prompt. From there, the app could display that pop-up and subsequently log the Apple ID and password. It takes less than 30 lines of code and could seemingly be dropped into any legitimate iOS app. By doing this, the scammer could sneak past App Store review teams.
This technique has plagued desktop browsers for years, so it was only a matter of time before it was abused to target Apple users. It is important to note that users can defend against it. To do so, Krause suggests the following:
- Hit the home button in order to see if the app quits. If it does indeed close the app, and with it the dialog, then this was a phishing attack. Alternatively, if the dialog and the app are still visible, then it’s a system dialog. This is because the system dialogs run on a different process, and are not part of any iOS app.
- Do not enter your credentials into a popup, instead, dismiss it, and open the Settings app manually. This is the same concept as you should never click on links on emails, but instead open the website manually.
- If you hit the Cancel button on a dialog, the app still gets access to the content of the password field. This is true even after entering the first characters, the potentially malicious app probably already has your password.
Apple’s Advice for detecting Scam Emails
As mentioned above, Apple has deemed the recent scam emails such a threat that it has issued a statement with the intention of helping users determine whether an email is legitimate. To that effect, it provided the following advice:
If you receive an email about an App Store or iTunes Store purchase, and you’re not sure whether it is real, you can look for a couple of things that can help confirm that the message is from Apple.
Genuine purchase receipts—from purchases in the App Store, iTunes Store, iBooks Store, or Apple Music—include your current billing address, which scammers are unlikely to have. You can also review your App Store, iTunes Store, iBooks Store, or Apple Music purchase history. Emails about your App Store, iTunes Store, iBooks Store, or Apple Music purchases will never ask you to provide this information over email:
- Social Security Number
- Mother’s maiden name
- Full credit card number
- Credit card CCV code
The advice provided by the tech giant is sound even for those using Android or Windows devices. As a general rule, major companies will never send you an email asking for credit card details or other personally identifiable information. Providing a complete list of how scammers use phishing techniques could fill an entire volume on its own, and even then the list would not be exhaustive. However, for those wishing to learn more in order to better defend themselves, the academic paper “Anatomy of a Phishing Email” is more than comprehensive. Hopefully, it will help individuals and organizations better defend against this threat.
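Apple's checklist and the cancel-link lure described earlier can be turned into a mail-triage heuristic. The sketch below is an added example, not code from Apple or from the original article; the names `triage`, `Links`, `APPLE` and `NEVER_ASKED`, the keyword match on "cancel", and treating `apple.com` as the only genuine domain are all assumptions.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

APPLE = "apple.com"  # assumption: the only domain treated as genuine
# Items Apple says its purchase emails never ask for (list quoted above).
NEVER_ASKED = {"Social Security Number": r"social security",
               "mother's maiden name": r"mother'?s maiden name",
               "full credit card number": r"credit card number",
               "credit card CCV code": r"\b(ccv|cvv)\b"}

class Links(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None: self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, "".join(self.text)))
            self.href = None

def triage(raw, billing_address):
    """Return heuristic warnings for one raw message (empty list = none)."""
    part = message_from_string(raw, policy=policy.default).get_body(("html", "plain"))
    body = part.get_content() if part else ""
    parser, warnings = Links(), []
    parser.feed(body)
    for href, text in parser.found:
        host = urlparse(href).hostname or ""
        if "cancel" in text.lower() and not (host == APPLE or host.endswith("." + APPLE)):
            warnings.append(f"cancel link leaves Apple: {host or href}")
    visible = " ".join(re.sub(r"<[^>]+>", " ", body).lower().split())
    warnings += [f"asks for {name}" for name, pat in NEVER_ASKED.items()
                 if re.search(pat, visible)]
    if " ".join(billing_address.lower().split()) not in visible:
        warnings.append("billing address missing")
    return warnings

# Constructed sample (headers trimmed) modelled on the email described above.
SAMPLE = """Content-Type: text/html

<p><a href="http://cancel.example.test/id">Click here to cancel your purchase</a></p>
<p>To cancel, confirm your full credit card number and CCV code.</p>"""
```

An empty result is not proof that a message is genuine; these checks only cover the indicators named in this article.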