- Fraudsters abuse Apple’s email domain to send callback phishing messages
- Technique exploits Apple ID creation fields to embed fake purchase alerts
- Victims are tricked into calling fraudsters, who then steal sensitive data or gain remote access
Scammers have found a way to abuse Apple’s email notification system to send phishing messages and trick people into giving away sensitive data and access to their computers.
Recently, people started receiving emails from the email.apple.com domain, informing them of an $899 iPhone purchase through PayPal. The email also shared a phone number that victims could call to “cancel” the order.
These are your usual, run-of-the-mill “callback” phishing emails that trick the victim into calling the provided phone number in a panic. Over the phone, scammers convince the victim to share sensitive information or grant them remote access to their computer. This way, scammers can make wire transfers and ultimately wipe out people’s bank accounts.
Mailing list abuse
What sets this campaign apart is the use of Apple’s email domain. What the scammers actually did was abuse the Apple ID creation process. When creating a new account, the first and last name fields can accept so many characters that scammers can insert an entire phishing message.
Then they change the account’s shipping information, which triggers an Apple security alert email. That email is delivered to the scammer’s own address, not to the victim’s. The final step is to use a mailing list to distribute it to multiple targets.
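Because the sender domain in these messages is genuine, a mail filter has to look at what the technique leaves behind instead. The following Python sketch is an added example, not code from Apple or from the original article. It scores a raw message on three traces: a To: address that differs from the receiving mailbox, an overlong "name" in the greeting, and a phone number next to purchase wording. The Delivered-To header, the one-line greeting template, the 40-character limit, and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
LURE = re.compile(r"\b(call|cancel|refund|purchase|order)\b", re.I)
GREETING = re.compile(r"^(dear|hello|hi)\b(.*)$", re.I | re.M)

# Constructed sample: vendor alert addressed to one mailbox, delivered to another.
SAMPLE = """\
Delivered-To: victim@example.org
From: Apple <noreply@email.apple.com>
To: list-owner@example.net
Subject: Your account information was updated

Dear Your $899 iPhone purchase via PayPal is confirmed. To cancel call +1 (555) 010-0199,

The shipping information for your account was updated.
"""

def addr(msg, header):
    """Lower-cased address part of a header, or '' if the header is absent."""
    return parseaddr(msg.get(header, ""))[1].lower()

def callback_phish_signals(raw, trusted=("email.apple.com",), max_name=40):
    """Return the signals that fire for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    if addr(msg, "From").rpartition("@")[2] not in trusted:
        return []  # only score mail from the notification domains we trust
    signals = []
    # Forwarding through a mailing list leaves the original To: in place, so it
    # no longer matches the mailbox that received the copy (Delivered-To is an
    # assumption: many MTAs add it, not all).
    to, delivered = addr(msg, "To"), addr(msg, "Delivered-To")
    if to and delivered and to != delivered:
        signals.append("recipient_mismatch")
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if p.get_content_type() == "text/plain"]
    body = b"\n".join(parts).decode("utf-8", "replace")
    # A name field stuffed with a message shows up as an overlong greeting
    # (assumes the template greets the user by name on one line).
    if any(len(m.group(2).strip()) > max_name for m in GREETING.finditer(body)):
        signals.append("overlong_name")
    if PHONE.search(body) and LURE.search(body):
        signals.append("callback_lure")
    return signals
```

These are heuristics for quarantine or user warning, so a single signal on its own (for example a recipient mismatch caused by ordinary forwarding) should not be treated as a verdict.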
The mailing list technique is also nothing new. We’ve seen this many times in the past, with big names like Google, Amazon, and Microsoft all being abused in similar ways. Apple was used in a similar way in September last year, when scammers abused iCloud Calendar invites to achieve the same results.
As a general rule, all emails from reputable brands that carry a sense of urgency should be treated with great skepticism. Being asked to call a phone number listed in the email is another red flag. The best way to check for possible issues is to navigate directly to the company’s website and look for contact details there.
Via BleepingComputer