Widespread Apple ID Phishing Attack Pretends to be App Store Receipts (Dec 18, 2018)

A phishing campaign masquerading as a purchase receipt from the Apple "App Store" was attempting to steal Personally Identifiable Information (PII). The email thanks the recipient for an App Store purchase they supposedly made and provides a PDF attachment that supposedly contains additional details about the purchase. The PDF attachment contains links that claim to provide more information regarding the "purchase" and use shortened URLs to hide where the links lead. If a link in the PDF document is followed, the recipient is directed to a fake Apple ID login page and, if credentials are entered, is presented with a text box that claims that the "Apple ID has been locked for security reasons. You must unlock your account before signing in." If the unlock button is clicked, the user is asked to fill out various data fields to supposedly unlock the account, including: address, date of birth, driver's license number, passport number, payment information, social security number, and various security questions such as mother's maiden name.

Recommendation: Phishing and malspam attacks will increase as online shopping does the same during the holiday season. Educate your employees that "scare tactics," such as urgent content claiming an account will be deactivated, will be a common tactic used by threat actors to steal sensitive information. In addition, knowing the policies of your financial institution, or of any other online service that is paid for with a credit card, on communicating with customers about account information can assist in identifying potential scams.
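A defender-side check for the delivery method described above, as an added example that is not part of the original report: it pulls link targets out of a PDF attachment, including those inside Flate-compressed streams, and flags the ones that point at URL shorteners. The shortener host list, the function names and the sample PDF bytes are assumptions constructed for illustration; the report does not name the shortening services used.

```python
import re
import zlib
from urllib.parse import urlsplit

# Assumed, non-exhaustive list; the report does not name the shorteners used.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def inflated_streams(pdf_bytes):
    """Yield inflated stream bodies; link actions may sit in compressed object streams."""
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate data (image, font, other filter)


def extract_link_targets(pdf_bytes):
    """Return every /URI action target in the raw file or in inflated streams."""
    targets = []
    for blob in [pdf_bytes, *inflated_streams(pdf_bytes)]:
        for raw in URI_RE.findall(blob):
            # Undo PDF literal-string escapes such as \( and \)
            text = re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")
            if text not in targets:
                targets.append(text)
    return targets


def shortened_links(pdf_bytes):
    """Return the link targets whose host is a known URL shortener."""
    flagged = []
    for url in extract_link_targets(pdf_bytes):
        host = (urlsplit(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host in SHORTENER_HOSTS:
            flagged.append(url)
    return flagged


def build_sample_pdf():
    """Constructed sample: one plain link action and two inside a Flate stream."""
    plain = b"1 0 obj\n<< /Subtype /Link /A << /S /URI /URI (https://bit.ly/EXAMPLE1) >> >>\nendobj\n"
    hidden = zlib.compress(b"<< /URI (https://www.example.com/help) >> << /URI (http://tinyurl.com/EXAMPLE2) >>")
    packed = b"2 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(hidden) + hidden + b"\nendstream\nendobj\n"
    return b"%PDF-1.4\n" + plain + packed + b"%%EOF\n"
```

A mail gateway or triage script can call `shortened_links()` on each PDF attachment and hold or tag messages where it returns a non-empty list; streams using filters other than Flate are skipped, so an empty result is not proof that the document has no links.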

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.