Fraudulent email claims iTunes purchase was made from Russian IP address

Sep 9, 2014 13:55 GMT  ·  By

Spam emails claiming to report an iTunes Store purchase from a device that had not been tied to the Apple ID contain links to phishing websites that ask for Apple credentials.

Researchers from Symantec found that the cybercriminals leveraged the Kelihos botnet to distribute the fraudulent messages.

Cybercriminals do not use Kelihos exclusively for sending spam and phishing email; the malware integrates other capabilities too, including exfiltrating sensitive information, stealing crypto-currency wallets, and enslaving the affected machines to mine for digital money.

IP from Russia used for the fake purchase

The subject line of the email reads “Pending Authorisation Notification,” which suggests that the transaction is yet to be finalized.

Besides warning of a possible Apple account breach, the email also creates a sense of urgency to log into the account and check the details of the purchase, by stating that the computer that initiated the transaction is located in Volgograd, Russia (the IP address is provided).

All this is just a way to persuade the potential victim to log in with his/her Apple ID using the link provided in the message; the link points to a phishing website that collects all the information entered in the form fields.
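The lure described above combines an Apple-branded sender, an urgency subject line and a link whose visible text looks like Apple but whose target is not. The following is an added illustration of how a mail filter could flag that combination; it is not Symantec's code or anything from the article, and the sample message, sender address, recipient and URLs in it are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure in the article; every address,
# domain, URL and IP here is made up for illustration.
SAMPLE_EMAIL = """\
From: "Apple" <noreply@example-apple-mail.test>
To: victim@example.test
Subject: Pending Authorisation Notification
Content-Type: text/html; charset=utf-8

<p>A purchase of "Lane Splitter" is pending from IP 203.0.113.45 (Volgograd, Russia).</p>
<p>Review it at <a href="http://appleid-verify.example.test/login">https://appleid.apple.com/</a></p>
"""

LEGIT_APPLE_SUFFIXES = ("apple.com", "icloud.com")          # assumed allow-list
URGENCY_PHRASES = ("pending authorisation", "pending authorization")
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_is_apple(host: str) -> bool:
    """True if host is one of the allow-listed Apple domains or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in LEGIT_APPLE_SUFFIXES)


def phishing_indicators(raw: str) -> list[str]:
    """Return the indicators found in one raw RFC 822 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    from_header = msg["From"] or ""
    sender_host = parseaddr(from_header)[1].rpartition("@")[2].lower()
    found = []
    # 1. Urgency wording in the subject is a weak signal on its own.
    if any(p in (msg["Subject"] or "").lower() for p in URGENCY_PHRASES):
        found.append("urgency subject (weak signal)")
    # 2. Display name says Apple but the sending domain is not Apple's.
    if "apple" in from_header.lower() and not host_is_apple(sender_host):
        found.append(f"sender domain not Apple: {sender_host}")
    # 3. Link text shows an Apple URL while the href goes somewhere else.
    for href, text in ANCHOR_RE.findall(body):
        link_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        if text_host and host_is_apple(text_host) and not host_is_apple(link_host):
            found.append(f"link text {text_host} but href host {link_host}")
    return found
```

Indicators 2 and 3 together are what distinguish this lure from a genuine Apple notice; the subject alone would also fire on legitimate mail.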

“This page masquerades as an Apple website and asks the user to submit their Apple ID and password. If the victim does so, the attackers will presumably harvest their credentials for exploit or resale,” Symantec says in a blog post published on Friday.

As far as the alleged purchase is concerned, the message states that a movie called “Lane Splitter” was added to the cart; the title may be invented, since we could not find any reference to it on major movie sites.

Preying on users’ fears after the celeb iCloud account hack

This campaign is most likely trying to exploit Apple users’ worries that their accounts could be compromised by hackers armed with just the username of the victim.

Since the leak of celebrities’ nude photos, Apple’s security practices have been analyzed by researchers in order to determine how the perpetrators could break into the famous iCloud accounts.

However, Apple has beefed up its security: users are now notified when an account password is changed, when an iCloud backup is restored to a new device, and when a device logs into the account for the first time.

These measures were announced by Apple CEO Tim Cook, who told the Wall Street Journal on September 5 that they would be implemented within two weeks.