Smishing is nothing new. We've been warning readers of We Live Security about SMS phishing attacks (also known sometimes as SMSishing) for years.

But even if they're not new, they continue to pose a threat to many smartphone owners and - in some cases - have even been seen to evolve as scammers attempt to trick more users into handing over their precious credentials.

The widespread popularity of Apple technology, in particular iPhones and iPads, has made the smishing of Apple ID passwords a focus area for some criminals.

In a typical campaign, messages are spammed out to smartphone users, containing a link.

[Image: smishing examples]

The messages will often suggest that your Apple ID has expired, or that your account has been temporarily frozen as a security measure until you have confirmed you are the real owner.

The intent of the scammer is always the same - to dupe you into clicking on a link which goes to a fake Apple ID login page. On that phishing page your Apple ID and password will be grabbed, and - in some cases - the attackers may push their luck even further by asking for your credit card details and other personal information.

And, as you can see from the following screenshot, the phishing sites aren't just designed to entrap English-speaking Apple users.

[Image: iCloud phishing site]

Even if only a small percentage of users are duped into following the scam message's instructions, the rewards for the attackers can be considerable as they break into accounts, and potentially gain access to your private photographs and messages.

But that's not to say that those behind Apple ID smishing attacks have turned a blind eye to trying out new variations of their attacks.

For instance, in the following example shared by Twitter user Simon Rae-Scott, the fraudsters seem to have attempted to make their scam message appear more convincing by including instructions to unsubscribe from future alerts.

[Image: SMS opt-out message]

Some smishing attacks, such as the following example sent via iMessage to an iPhone user based in Germany, use as bait a message claiming that a lost iPhone has been found.

[Image: SMS phishing campaign targeting German phone user]

Of course, clicking on the link does not take you to a real Apple webpage.

What is needed, of course, is for there to be greater awareness about the problem of Apple ID smishing, and similar phishing campaigns. Only by educating the public about what can go wrong can we best hope to prevent innocent members of the public from having their own accounts hacked.

Which is why I was pleased to see British TV comedian Al Murray, best known for his "Pub Landlord" character, use Twitter to warn his 400,000+ Twitter followers about a suspicious text message he had received, asking him to click on an obfuscated link and enter his Apple ID login credentials.

Fortunately, Murray was savvy enough to know not to follow the text message's instructions.

[Image: Al Murray tweet]

So, if you receive an SMS phish on your smartphone what should you do?

  • Report the URL included in the scam message to Google's Safe Browsing team. If the URL is found to be phishy then they will ensure that Google Chrome and other browsers are updated to warn internet users of the risk.
  • If possible, report the number that has sent you the phishing SMS to your mobile phone carrier. Some have set up specific numbers through which users can forward any spam and phishing messages they have been sent. Again, this helps protect other users.
  • Don't reply, and don't click on the link!

My recommendation for all of those with Apple ID accounts is that they enable two-factor authentication, for an additional layer of protection.

[Image: Apple two-factor authentication]

That way criminals, even if they have managed to steal your password, will find it a lot trickier to break into your accounts.

Although there is probably always more that carriers can do to try to reduce the prevalence of SMS phishing campaigns, and we can all do our bit in reporting scams to mobile phone operators, raising awareness of the threat amongst users and being a little more wary of clicking on links in unsolicited messages seems a great way forward to me.