
Apple ID phishing attack targets users with fake App Store receipts
  • Apple users are being targeted with phishing emails disguised as purchase confirmation emails from the App Store and containing a PDF receipt with phishing links.
  • Victims could end up giving all their personal information to the scammers, enabling them to commit identity theft.

Phishing attacks are the favorite choice of online scammers as seen time and again in multiple attack campaigns. Adding to the list is an ongoing phishing campaign, targeting Apple users with emails disguised as app purchase confirmation emails from App Store.

Bleeping Computer, on Tuesday, reported that the attackers are sending out emails with a PDF attachment designed as a receipt for a $30 app purchase from the user’s account. The email contains a trap link for the user to click if they believe the transaction was unauthorized.

Modus Operandi

The campaign relies on users opening the PDF attachment on their own, since nothing in the email specifically asks them to do so. However, out of mere curiosity or intrigue, most users are bound to open the attachment.

Purchase Confirmation PDF
Source: Bleeping Computer

Once users open the PDF file, they will find multiple links in the file for reporting a problem or if the purchase was unauthorized. All these links go to shortened URLs so it is not immediately clear which sites the links go to.

When the user follows the link, they will see a page that looks exactly like the Apple ID login page. Though the phishing pages have been designed well enough, the scammers have not taken enough care to use URLs similar to those of Apple’s website.

If users still fall for the trap and enter their login credentials, they will be shown a page with a dialog box stating, “This Apple ID has been locked for security reasons. You must unlock your account before signing in” and it contains an ‘Unlock Account’ button below the message.

Next page stating your Apple ID is locked out and you must unlock it

Source: Bleeping Computer

The scam doesn’t end there. Since the users who fell for it so far will now try to recover their account, the scammers created a phishing page for that too.

On clicking the ‘Unlock Account’ button, the users are redirected to a page which asks the users to verify their personal information for unlocking their account. This is where users may end up giving the scammers their full name, address, telephone number, social security number, date of birth, payment information, and security questions including their mother’s maiden name, driver’s license number, or passport number.

Update account information page

Source: Bleeping Computer

Once the scammers get all the information they want, the users are redirected to a temporary page which tells them that their account verification has been completed and that they will be logged out to restore access to their account. Thus the scam is completed and the users are finally redirected to the legitimate Apple ID login page.

A cherry on the top for the scammers is that Apple’s site shows a message saying “This session has timed out for your security”, which makes the entire scam procedure look legitimate to an unknowing user.

Complete Identity Theft

All the users who become victims of this scam essentially enable the scammers to perform identity theft with malicious activities like opening bank accounts, accessing other connected online accounts, or even forging tax returns under the users’ names.

Since many people often use a common password across multiple accounts, the scammers could gain access to multiple online accounts belonging to each of the victims, thus giving them leverage over the victims.

Since this phishing campaign is largely well executed, many users are at risk of falling for the scam. All internet users are advised to verify the legitimacy of URLs when visiting any online account and never to enter any information on suspicious pages.
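
As an added illustration of the URL check recommended above (not code from Bleeping Computer or from the original article), the following Python sketch pulls link targets out of a PDF attachment and labels each one as a shortener, an Apple host over HTTPS, or unverified. The domain and shortener lists, the sample PDF fragment and all function names are assumptions made for this example, and the regex only sees link actions stored in uncompressed PDF objects.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example: neither list comes from the article.
APPLE_DOMAINS = ("apple.com", "icloud.com")
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

# /URI (...) entries of PDF link actions; \( \) \\ are escapes inside the string.
URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

def extract_link_uris(pdf_bytes):
    """Return link targets found in uncompressed PDF objects."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_ACTION.finditer(pdf_bytes)]

def classify(uri):
    """Label a URL 'shortener', 'apple' (Apple host over HTTPS) or 'unverified'."""
    parts = urlsplit(uri)
    # .hostname drops any userinfo, so "apple.com@other.host" resolves to other.host
    host = (parts.hostname or "").lower().rstrip(".")
    if host in SHORTENERS:
        return "shortener"  # real destination is hidden until the link is resolved
    # Match whole DNS labels: "apple.com.example.net" must not pass as Apple.
    if parts.scheme == "https" and any(
            host == d or host.endswith("." + d) for d in APPLE_DOMAINS):
        return "apple"
    return "unverified"

def triage(pdf_bytes):
    """Pair every link in the PDF with its label."""
    return [(u, classify(u)) for u in extract_link_uris(pdf_bytes)]

# Constructed sample: three link annotations as they appear in a raw PDF body.
SAMPLE_PDF = (
    b"<< /Subtype /Link /A << /S /URI /URI (https://bit.ly/EXAMPLE) >> >>\n"
    b"<< /Subtype /Link /A << /S /URI /URI (https://login.example.net/unlock) >> >>\n"
    b"<< /Subtype /Link /A << /S /URI /URI (https://appleid.apple.com/) >> >>\n"
)

if __name__ == "__main__":
    for uri, label in triage(SAMPLE_PDF):
        print(f"{label:10} {uri}")
```

A receipt whose "report a problem" links all come back as `shortener` or `unverified` matches the pattern described in this campaign.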