Apple device owners targeted as rich pickings for SMS phishing scammers

14 Apr 2016

Scammers view Apple users as rich and easy pickings and are targeting them with a phishing attack aimed at getting their Apple IDs and a lot more

Apple device owners are being targeted by an elaborate SMS phishing attack whereby scammers are trying to get their hands on Apple ID account details and a whole lot more.

Users are being warned to be aware of an SMS phishing scam telling users that their Apple ID accounts are about to expire.

The message directs them to a fake site where they are asked to enter their account information.

The scam was brought to light by security blogger Graham Cluley.

Apple’s website also warns users to be vigilant against spoof emails and points out that services like iTunes never ask users to provide sensitive information such as passwords or credit card numbers via email.

Consider the pitfalls before providing information online

Cluley said that, over the past weekend, a number of people have received a text message from “AppleInc” claiming their Apple IDs were about to expire and urging them to click on a link if they want to keep it.

“Of course, the scammers have chosen their words carefully – making the message appear urgent to encourage as many people as possible to click on the link without properly considering the potential pitfalls.

‘One obvious question remains. Where did the attackers get the list of names and mobile phone numbers from to target their potential victims with the initial phishing SMS message?’
– GRAHAM CLULEY

“The scam was probably even more convincing to the unwary as it used the real first name and last name of recipients.”

The users are then directed to a very convincing-looking replica of the real Apple ID login page.

If users fall for it, then the information they provide the phony website will end up in the hands of online criminals who could use their details to commit fraud.

To get more information out of unsuspecting users, the scammers tell them that their Apple ID has been locked for security reasons and then asks them to divulge further information, such as date of birth, telephone number, address, credit card details and even mother’s maiden name, their driving licence number and passport number.

“One obvious question remains,” said Cluley.

“Where did the attackers get the list of names and mobile phone numbers from to target their potential victims with the initial phishing SMS message?

“Stay safe people, always be wary of the links that you click on – and, if you haven’t already done so, enable two-factor authentication on your Apple ID account.”

Anatomy of an SMS phishing scam on Apple users

1.

AppleID-attack-1

Users receive this text message

2.

AppleID_attack-2

If they click on the link they are directed to this phony Apple website

3.

AppleID-attack-3

The website tells them that their Apple ID is locked, encouraging them to divulge even more sensitive information that can then be used for online fraud

Phishing main image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com