We are all used to getting hoax emails, also known as “phishing”, but their sophistication and relevance to newsworthy events continue to increase.
With Apple and iTunes in the news over the last 48 hours, mainly down to leaked (or more correctly hacked and stolen) celebrity photographs from iCloud accounts, it was no surprise that the malware vendors, identity thieves and cyber criminals have jumped on the bandwagon. Pretending to be the tech giant from Cupertino, California, they are now filling inboxes with fake emails warning of doom and financial loss because our Apple ID accounts (aka iTunes accounts) have been hacked, used or abused.
Yesterday, I received an email stating that my iCloud account had been locked and that I should verify my Apple ID and reset my security answers to unlock it. The email was not “generic”, in that whoever had gone to the trouble of faking it had inserted my email address and name into the body of the message as well (e.g. iCloud Account/Apple ID: firstname.lastname@example.org). Most of the links in the periphery of the email were genuine Apple links, again probably to give the email more credibility and also to help avoid detection by anti-phishing / anti-malware filtering. The only link that was not Apple’s was the “Verify my apple ownership >>>>” link, which would have taken me to “myiguru.com” or a similar domain. Obviously not Apple – but then Apple don’t send emails like that.
Today’s email was less personalised but considerably cleverer in its language; see the copy below. Apart from the (now defunct) “Mac Font”, no doubt added to give realism, it claimed to be a warning from Apple about a purchase on my iTunes account from a device not normally used on that account. It claimed the possibly fraudulent purchase was made from Russia and quoted an “IP Address” confirming that. By using reverse psychology, the email stated that if I had made this purchase (which of course I would not have) I could relax, but if the purchase was not mine, I should check my Apple ID. Cue link to dodgy site. Interestingly, the URL starts with google.com and, although clearly not Apple, google.com domains are not likely to trip off those phishing alerts. The domain was followed, however, by some clever code that is likely to redirect you elsewhere.
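One way to automate the two link checks described above, as an added example that is not part of the original post: it flags links whose host is not an Apple domain and links that pass through a redirector to some other host. The brand list, the `.example` hosts and the `/url?q=` redirector shape are assumptions, and the sample body is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Assumption: domains the claimed sender (Apple) really links to.
BRAND_DOMAINS = ("apple.com", "icloud.com")

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def on_brand(host):
    """True only for a brand domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def embedded_target(url):
    """Return a URL carried in a query parameter (redirector pattern), if any."""
    for _, value in parse_qsl(urlsplit(url).query):
        if urlsplit(value).scheme in ("http", "https"):
            return value
    return None

def audit_links(html_body):
    """Return (href, reason) for each link that does not land on a brand domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href in parser.links:
        host = urlsplit(href).hostname
        target = embedded_target(href)
        if target and not on_brand(urlsplit(target).hostname):
            dest = urlsplit(target).hostname
            findings.append((href, f"redirects via {host} to {dest}"))
        elif not on_brand(host):
            findings.append((href, f"off-brand host {host}"))
    return findings

# Constructed sample body (not the real email); .example hosts are placeholders.
SAMPLE = """<a href="https://www.apple.com/legal/privacy/">Privacy</a>
<a href="http://verify-account.example/unlock">Verify my apple ownership</a>
<a href="https://www.google.com/url?q=http://landing.example/login">Check my Apple ID</a>"""
if __name__ == "__main__":
    print(*audit_links(SAMPLE), sep="\n")
```

The genuine Apple link passes silently, while the other two are reported with the host the reader would actually reach.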
Of course, this is not the first time we have warned against phishing, malware or email links – but the reason for reiterating our advice is simple: these threats are becoming more sophisticated, prey on our fears using clever social engineering and are timely – as more news on the Ebola health threat appears in the news, for example, I believe there are payload-laden emails on just that subject winging their way to your inbox.
Example of “Apple” email: