Apple ID Scam: Latest Phishing Attack Compromises 100+ Websites With Fake Login Pages

on May 02 2013 2:00 PM

The Apple ID is Apple’s all-encompassing account that plugs into the company’s many services, from retail sites like the iTunes Store and Apple Store to its productivity services like iWork and iCloud. There are great incentives for stealing a user’s Apple ID -- cybercriminals can use your personal information to impersonate you, purchase products or blackmail you -- and security sites have noticed an uptick in phishing sites that try to steal Apple IDs from unsuspecting users.

Apple's many services, including iCloud, iTunes, iMessage and the App Store, all require an Apple ID to work. Courtesy / Apple.com

Upon investigating the URLs of some new phishing sites, Tokyo-based security blog Trend Micro discovered that more than 100 different websites had been compromised, but not hacked, to display bogus Apple ID login pages.

“Technically, the sites were only compromised, but not hacked (as the original content was not modified),” said Trend Micro’s fraud analyst Paul Pajares. “It’s possible, however, that the sites may be hacked or defaced if the site stays compromised.”

Most of the pages, like the one embedded below, mimic the Apple ID login page fairly well:

More than 100 different websites have been compromised to display bogus Apple ID login pages, in order to trick Apple customers into relinquishing their Apple accounts. Courtesy / Trend Micro

Trend Micro found that all of the phishing sites’ URLs were filed under a folder called ~flight, but upon attempting to access the folder, users were given the following page:

Users trying to access the folder that included the URLs of the phishing sites would receive this page. Courtesy / Trend Micro

In total, 110 sites were compromised by a single IP address -- 70.86.13.17 -- which is registered to an ISP in the Houston area. The majority of these affected sites have not been cleaned, and they continue to show the fake Apple ID login page.

The phishing sites have targeted Apple IDs in a number of different ways -- some simply ask for login credentials, while others require credit card and billing address information. Once users enter their information into these compromised sites, they are presented with a page that essentially tells them that their access has been restored, even though their information has been stolen.

Users are typically directed to these fake Apple ID pages via spam emails, which tell users their Apple accounts will expire unless their information is audited.

One way to tell Apple’s genuine Apple ID login page apart from phishing sites is to check the browser’s address bar for the HTTPS signifier, which usually looks like a padlock, next to the name of Apple Inc.

Legitimate Apple sites will include the HTTPS padlock next to the company's name in the URL toolbar. Courtesy / Apple.com
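The same URL check can be applied automatically to links pulled from a suspicious email or a proxy log. The following Python sketch is an added example, not code from Trend Micro or Apple; it assumes apple.com is the only trusted domain for an Apple ID sign-in link, the function name is hypothetical, and the sample links are constructed.

```python
from urllib.parse import urlsplit, unquote

# Assumption: apple.com is the only domain trusted for an Apple ID sign-in
# link (the article names appleid.apple.com).
TRUSTED_DOMAIN = "apple.com"
# Folder name the article reports on the compromised sites.
REPORTED_FOLDER = "~flight"


def assess_login_url(url):
    """Return the reasons a link should not be trusted (empty list = passes)."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable"]
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("not-https")
    # Exact match or a true subdomain only; a bare endswith("apple.com")
    # would also accept a host such as "notapple.com".
    if not (host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)):
        reasons.append("host-not-apple")
    # In "https://appleid.apple.com@other.example/" the Apple name is only
    # the userinfo part; the real host is whatever follows the "@".
    if parts.username is not None:
        reasons.append("userinfo-in-url")
    # Decode the path first so "%7Eflight" is treated the same as "~flight".
    segments = [s.lower() for s in unquote(parts.path).split("/") if s]
    if REPORTED_FOLDER in segments:
        reasons.append("reported-folder")
    return reasons


# Constructed sample links, not taken from the article.
SAMPLES = [
    "https://appleid.apple.com/",
    "http://compromised-site.example/~flight/login.html",
    "https://appleid.apple.com.verify.example/signin",
    "https://appleid.apple.com@phish.example/",
    "https://notapple.com/id",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", assess_login_url(link) or "passes")
```

An empty result means only that the link itself passes these checks; the company name shown beside the padlock is still confirmed in the browser.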

For added protection, Apple users are encouraged to utilize Apple’s new two-step verification process, which “reduces the possibility of someone accessing or making unauthorized changes to your account information at My Apple ID or making purchases using your account,” according to the company.

To set up the two-step verification process for one’s Apple ID, visit appleid.apple.com and select “Manage your Apple ID,” and sign in. Then, select “Password and Security,” and follow the onscreen instructions for “Two-Step Verification.” Apple will then send four-digit verification codes to one of your trusted mobile devices -- either your iPhone, iPad or Mac -- to verify your identity.
