Developers: Apple
Last Release Date: 2022/05/17
Technology: Information security - Authentication
Apple ID is an authentication system that is used in many Apple products, including the iTunes Store, App Store, iCloud, etc.
2022: Scammers use phishing for Apple services
On May 17, 2022, Group-IB announced the appearance of fraudulent schemes to steal money, bank card data and Apple accounts under the pretext of paying for and using the Apple Store, Apple Pay and iTunes services. Over the past two years, Group-IB experts have found more than 5,000 domains in the RU zone alone that were created for phishing attacks on Russians to gain access to iPhone and Apple services.
As reported, the termination of the Apple Pay contactless payment system in Russia and the difficulties with payment in the Apple Store and iTunes services prompted attackers to create other schemes for stealing money, bank card data and Apple ID credentials. For example, as of May 2022, shops actively offer users the chance to top up an Apple Store and iTunes account using special virtual cards for amounts of 1,000 rubles, 2,500 rubles, 5,000 rubles, 5,500 rubles and 6,000 rubles.
The owners of the service claim that the App Store & iTunes Gift Card allows you to top up your account and purchase allegedly "any virtual content in absolutely all Apple digital stores in Russia": apps and games in the App Store, music and films in the iTunes Store, books in the iBook Store. To buy a code, the user only needs to enter an email address and, when paying, the details of a credit card. However, since the payment form is a phishing page, all the data and money end up in the attackers' pockets.
In another case, Internet scammers offer iPhone owners a way to restore the ability to pay for goods and services using Apple Pay. To do this, the victim is sent a phishing link to the "iCloud service" and, if the user enters his Apple ID credentials on the fake resource, the scammers gain access to iCloud, the App Store, Apple Music, iMessage and FaceTime.
Against the background of these fraudulent schemes, specialists from the CERT-GIB Information Security Incident Response Center also warn of an increase in phishing aimed at stealing Apple ID accounts. Usually, fraudsters find the phone number of a person whose iPhone has been stolen or lost, and send him fake SMS or messenger messages on behalf of Apple Inc. technical support or the iCloud service. As a rule, the message says that the iPhone was turned on and the "locator" discovered its location.
The link in the message leads to a phishing resource disguised as the official Find My iPhone application, which allows you to find the location of the missing phone or remotely erase all important information. Although the message looks plausible, the URL does not match the company's website: compare icloud.com and the fake icioud.com.
To view the geolocation data, the owner of the stolen smartphone is asked to enter the Apple ID, and if he does, the attackers gain access to Apple's cloud services, including the victim's photos, documents and messages. If the victim does not respond to the SMS messages, the attackers try to contact the victim through instant messengers, allegedly on behalf of the Apple technical support bot, and also try to trick the victim into revealing the code to unlock the device.
Another scheme involves the fraudster contacting the victim directly by phone or in a messenger: the stranger allegedly bought or found someone else's iPhone and, on turning it on, saw the number of the former owner. During the conversation or correspondence, the new owner of the smartphone tries to find out the password for unlocking the phone, which has "turned into a brick," and promises to thank the victim for the help. However, having received the password, the attacker disappears.
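The comparison of icloud.com with the fake icioud.com can be automated when triaging links from reported messages. The following Python check is an added example, not part of the Group-IB report or its tooling; the allowlist, the distance threshold and the sample links are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: allowlist for illustration; icloud.com is the domain named in the article.
LEGIT_DOMAINS = ("icloud.com", "apple.com")
MAX_DISTANCE = 2  # edits tolerated before a domain no longer counts as a lookalike


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, matched_legit_domain) for a link taken from a message."""
    # Links in SMS often omit the scheme; urlsplit needs "//" to see a host.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    for legit in LEGIT_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return "legitimate", legit
    # Simplification: treat the last two labels as the registered domain
    # (a production check would consult the Public Suffix List).
    domain = ".".join(host.split(".")[-2:])
    for legit in LEGIT_DOMAINS:
        if edit_distance(domain, legit) <= MAX_DISTANCE:
            return "lookalike", legit
    # Brand name used as a label or hyphenated token of an unrelated domain.
    tokens = set(re.split(r"[.\-]", host))
    for legit in LEGIT_DOMAINS:
        if legit.split(".")[0] in tokens:
            return "brand-in-host", legit
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample links; only icloud.com / icioud.com come from the article.
    for link in ("https://www.icloud.com/find", "icioud.com/find",
                 "https://icloud.com.locate.example/login", "https://example.org/"):
        print(link, "->", classify(link))
```

The "lookalike" and "brand-in-host" verdicts are heuristics for human review, since short legitimate domains can also fall within the edit-distance threshold.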
Over the past two years, the CERT-GIB Information Security Incident Response Center has discovered 5283 phishing domains targeting Russian users in the RU zone. However, the scheme itself is much larger: worldwide, at least 176,000 fake domains on similar themes have been created for resources that steal credentials.
One of the peaks in registration of fake domain names was recorded on the eve of the presentation of the iPhone 13 in September 2021, when scammers tried to exploit the increased interest in the brand.
As for the mechanics of the process, as of May 2022 the fraudulent scheme is already almost completely automated. For example, on themed forums, a script for phishing attacks on iCloud costs about $100-$150, and a weekly lease of a multi-brand phishing panel costs $500. With their help, a novice attacker gets access to a large number of ready-made phishing sites; all he has to do is send links to victims, and the stolen credentials "fly" to a Telegram bot.
"The scheme for stealing Apple IDs has been known for a long time and, judging from the fact that malefactors register various phishing resources and actively sell phishing tools, it works worldwide and, unfortunately, quite successfully. We notice that different regions use their own scenarios and scripts - in Russia, for example, fraudsters are trying to use the termination of Apple Pay and the difficulties with adding funds to accounts in the Apple Store and iTunes," noted Julia Zingan, senior analyst at CERT-GIB.
Experts warn of the dangers of targeted phishing and remind you to protect your Apple ID: use two-factor authentication, do not tell anyone your Apple ID password or confirmation codes. Apple Support never requests this information.