Apple Users Targeted in Phishing Campaign


A cybersecurity firm has uncovered several phishing campaigns targeting Apple users’ credentials – Apple IDs and passwords – since the beginning of 2016.

Cyber criminals are devising faux Apple domains purporting to be legitimate websites to engage in phishing attacks targeting Apple iCloud users in China and the UK, revealed cybersecurity firm FireEye Labs.

In particular, the phishing campaigns are designed to harvest the Apple IDs and passwords of Apple users.

Provided by Apple, an Apple ID is a centralized personal account that provides customers access to several Apple platforms and services including the App Store, iTunes Store, and iCloud. An Apple ID can be used to access the same features across several Apple devices including an iPad, iPhone, iPod Touch, Mac and even a Windows personal computer.

Apple users will vouch for iCloud as an essential feature: in its latest versions it backs up users’ documents, photos, contacts and more to the cloud. Notably, the iCloud Keychain feature also lets users store credit card details and passwords so that they can be autofilled on their authorized computers. However, such functionality brings with it certain vulnerabilities.

For one, anyone who holds an Apple ID and password, together with information such as the date of birth and the device’s screen lock code, can gain total access to the device and the accounts on it. Such a compromise could mean unauthorized purchases, using the stored credit card details, from the Apple Store and the App Store.

Indeed, FireEye wrote:

Cybercriminals are targeting Apple users by launching phishing campaigns focused on stealing Apple IDs, as well as personal, financial and other information. We witnessed a high frequency of these targeted phishing attacks in the first quarter of 2016.

Apple Users Targeted in China and Britain

One prominent phishing campaign looking to gain Apple users’ credentials was codenamed the zycode kit. Altogether, the campaign spawned over 30 fake Apple domains, purporting to be legitimate Apple domains with an interface mimicking that of Apple’s websites.

A Fake Chinese Apple Website

FireEye researchers wrote:

Most of these domains appeared as an Apple login interface for Apple ID, iTunes and iCloud. The domains were serving highly sophisticated, obfuscated and suspicious JavaScripts, which were creating the phishing HTML content on the web page.

This technique is effective against anti-phishing systems that rely on the HTML content and analyze the forms.

British Apple users are also at risk: FireEye has identified over 86 fake Apple websites used for phishing since January 2016 alone. This campaign used code obfuscation as an evasion technique to avoid phishing detection.

A Fake Apple Website Targeting British Users
The real Apple domain

Typically, the fake website, which resembles the authentic page, asks for the username and password. When the unsuspecting user enters the credentials, the fake website informs the user that the Apple ID provided has been locked for security purposes and asks the user to unlock it.

The ‘unlocking’ process requires users to enter personal details including name, date of birth, telephone numbers, credit card details, addresses, security questions and more.

After entering the details, the user is asked to wait until verification is complete before being redirected to the authentic Apple website, where the unsuspecting user logs in routinely, none the wiser.

Images from Shutterstock and FireEye.

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.