
Beware of phishing attacks

Published April 14th, 2014 at 8:30 PM EDT , modified April 14th, 2014 at 8:31 PM EDT

An opportunity fell right into my lap this evening to remind everyone about the dangers of phishing. Pretty much everyone with an electronic device has at least one online account of some kind. Most people have many accounts, often so many that they have lost track of some of the less important ones. This means that everyone is at risk of receiving some kind of phishing e-mail at some point.

In my case, the “opportunity” came in the form of an official-looking e-mail from “Apple.” According to this message, I needed to complete a security validation, and failure to do so could result in suspension of my Apple ID. The message looked very much like a real Apple e-mail message, and the English was good. (Bad grammar is often a tip-off to a scam.)

Dear Customer,

We need to ask you to complete a short and brief step to securing and validating your account information.

Click here to complete validation

Failure to complete our validation process will result in a suspension of your Apple ID.

We take every step needed to automatically validate our users, unfortunately in your case we were unable to. The process only takes a couple of minutes and will make sure there is no interruption to your account.

Wondering why you got this email?

This email was sent automatically during routine security checks. We are not completely satisfied with your account information and require you to update your account to continue using our services uninterrupted.

For more information, see our FAQ.

Thanks,
Apple Customer Service

Fortunately, I am well acquainted with this scam, although I had never actually seen it before. Even if I hadn’t heard of it, though, there were a number of problems with this message. These are problems that everyone should know to look for whenever receiving this kind of message.

First is the e-mail address. This message came from apple@support.com. Spot the problem? You may not at first… I didn’t, and I was looking for it. Your mind often sees what it expects, rather than what is actually there. It’s very easy for you to look at that address and read it reversed, as support@apple.com. Another common phishing trick is using addresses like support@app1e.com. (Notice that there’s no ‘L’ in “apple” there – that’s the number one.) Paying close attention to the address is important, but you have to keep in mind that it may take more scrutiny than you might think necessary to spot a discrepancy.

Of course, e-mail addresses can be spoofed. This e-mail message could very well have actually said “support@apple.com” on the From line without actually having been sent from Apple. So looking at the sender address isn’t always a reliable identifier.

[Screenshot: Apple ID phishing e-mail, with the link’s true destination shown in a tooltip]

Second is to pay attention to the link you’re asked to click. In Mail, you can hover your mouse over the link to see a tooltip containing the address… no need to click the link to find out where it goes. As you can see from the screenshot at right, this link didn’t go to an Apple server. Instead, it goes to a site identified by nothing more than a random IP address. That’s a significant observation, as this means that they’re trying to hide something. In other cases, a lookalike address may be used instead, like amaz0n.com (notice the zero?) or goggle.com (“goggle” is not Google!).

One common mistake that people make is to assume that a link whose visible text is a URL must actually go to that URL. For example, consider the following:

http://www.google.com

Clicking that will take you to Google, right? Nope. Give it a try… you’ll end up on Yahoo instead. (In the original post, the visible text of that link reads google.com, but the underlying link points to Yahoo.) Pay attention to the link, even if it looks like you shouldn’t have to!
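The three tells described above (a sender address that only looks like the brand’s, a link that goes to a bare IP address, and link text that names a different host than the link itself) can be checked mechanically. The following Python script is an added example, not code from the original post; the sample HTML body and the sender addresses in it are constructed, and the list of trusted domains is an assumption.

```python
"""Flag the phishing tells described in the post (sender lookalikes, bare-IP links,
link text that does not match its target). Added example, not the post's own code."""
import re
from urllib.parse import urlparse

# Constructed sample body: a bare-IP validation link and a link whose visible text
# says google.com while the href goes to yahoo.com, as in the post.
SAMPLE_HTML = """
<p>Dear Customer,</p>
<p><a href="http://203.0.113.7/validate?id=abc123">Click here to complete validation</a></p>
<p><a href="http://www.yahoo.com">http://www.google.com</a></p>
<p>See our <a href="https://www.apple.com/support">FAQ</a>.</p>
"""
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Digits commonly swapped for look-alike letters (app1e -> apple, amaz0n -> amazon).
# Pure typo-squats such as goggle.com are only reported as "not a trusted domain".
HOMOGLYPHS = str.maketrans("01357", "olest")

def host_of(url):
    """Lower-cased host of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()

def check_links(html):
    """Return (href, reason) pairs for each link showing one of the post's warning signs."""
    warnings = []
    for href, text in ANCHOR.findall(html):
        host = host_of(href)
        text = re.sub(r"<[^>]+>", "", text).strip()   # drop any tags inside the anchor
        if IPV4_HOST.match(host):
            warnings.append((href, "target is a bare IP address"))
        if text.lower().startswith("http") and host_of(text) != host:
            warnings.append((href, f"visible text {text} points at {host} instead"))
    return warnings

def check_sender(addr, trusted=("apple.com",)):
    """Describe how a From address differs from a trusted domain, or None if it matches."""
    local, _, domain = addr.lower().partition("@")
    if domain in trusted:
        return None
    if domain != domain.translate(HOMOGLYPHS) and domain.translate(HOMOGLYPHS) in trusted:
        return f"{domain} is a digit-for-letter lookalike of a trusted domain"
    if local in {t.split(".")[0] for t in trusted}:
        return f"brand name '{local}' is on the wrong side of the @ ({addr})"
    return f"{domain} is not a trusted domain"

if __name__ == "__main__":
    print(check_links(SAMPLE_HTML))
    print([(s, check_sender(s)) for s in ("apple@support.com", "support@app1e.com")])
```

As the post notes, the From address can be spoofed outright, so a clean result from check_sender is not proof of legitimacy; the link checks are the more reliable of the two.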

Finally, be aware of the policies of the company the e-mail supposedly comes from. In this case, I know that Apple does not conduct the kind of security checks that this e-mail claims. They will not randomly ask you to verify your Apple ID. In addition, I have enabled two-factor authentication on my Apple ID, which means that I have already verified my Apple ID pretty definitively, and thus the message didn’t really make any sense for me. Because I am familiar with Apple’s behavior and Apple ID security features, it would have been extremely difficult to trick me with this e-mail.

If for some reason you think the request might be legitimate, you still shouldn’t click on any links in the e-mail. Instead, log in to the account in question normally, as you would do so at any other time (such as by clicking a bookmark in your web browser or typing an address into the browser’s address bar). Try to take the requested action there. If you don’t see a way to do so, the e-mail was probably a scam.

In the case of Apple, the appropriate place to go to manage your Apple ID, should that actually be necessary, is appleid.apple.com.


12 Comments

  • Federico says:

    Nice post!
    What if you clicked it? I don’t think anything would happen to you; maybe you would have been sent to another fake page that asks for your login information, right?
    Should we instead be worried about just clicking, because this could infect our Macs?! I really hope our machines are not turning into Windows ones!
    Please, if you can, answer me, because my father clicked a link like this in a banking services email, but when he clicked it in Safari, both on Mac and on his iPhone, the system returned that the server didn’t answer…

    I’m a little worried but the only thing I know for sure is that he didn’t insert any data, anywhere, he only clicked the link.

    • Thomas says:

      At this time, there’s no known malware that is capable of infecting a Mac just by clicking a link. I didn’t click the link, not because I feared infection, but because that long code at the end of the URL probably contained encoded information that would have identified my address to the scammers. If that’s the case, clicking it would tell them, “Hi, guys, I like clicking on links like that one! Can you send me some more?” 😉

      • Federico says:

        Thanks Thomas, that’s what I thought, but hearing it from you is always better!
        What do you think about Mac security right now? Do you really think we are getting worse everyday?
        What a huge work you’re doing here with this blog, it would be wonderful if Apple decided to hire you, thanks again for the fast answer and this precious blog!

        • Thomas says:

          Actually, I think we’re actually in better shape in some ways than we were a few years ago, with regard to malware. Adware is reaching epidemic proportions at the moment, though!

          • Federico says:

            Good news. Adware is more a psychological threat than a computer SW fault to fix and, you know, they’re still working on possible brain transplants… 😉
            It’s been about 7 years since I changed from Windows to Mac OS X and I’ll never go back, but, you know, living so many years before that with an “always exposed to risk” machine leaves behind the fear that you will end up worrying about the same things on your beautiful, new, safe Apple world too!
            So I’m always on guard!

  • Ben says:

    Another pointer is the lack of addressing you by name, instead using the generic “Dear Customer.” I have had three phishing attempts and they all failed because the absence of knowing my name was a strong indicator I was dealing with a stranger. Then mouse-hovering over the link, revealing some weird address, confirmed the attempt.

    Thanks for the reminder to be wary of PhisherPholk.

  • Judel says:

    I am a dummy and I clicked the link (even though I usually know better). It downloaded an HTML form; that’s when I knew it was bad, because it was asking for way too much info (supposedly from AMEX). I sent it to the trash and deleted it from the trash, but should I be scanning my computer now? With what? Thanks!

  • Brian says:

    Thomas: One of the items I teach in our information security awareness program where I work is how to examine the e-mail headers for the real origin of the e-mail. As you mentioned, the From address can be forged; however, the e-mail headers cannot. This would have been a good walk-through exercise for this blog post, maybe next time. 😉 -Take care.

  • Win says:

    I clicked on the link and it brought me to an empty page that said “Error page not found.” Should I be worried that it has obtained any of my information?

    • Thomas says:

      That probably just means the phishing page has been taken down.

    • Al says:

      > Should I be worried that it has obtained any of my information?

      The only way that any page can obtain sensitive information from you is when you enter it. Observing a web page can’t extract such info, so just make certain you are on a legit page before entering anything.

      In the past there have been versions of Java that would allow you to be infected by a phished page and that, in turn, might be able to harvest sensitive information from your computer. That could happen again, so if you have Java installed make sure that it’s fully up-to-date, and if you are running an older version of OS X keep it turned off in your browser except when absolutely necessary, and only while you are on a trusted site.
