Now here’s a nifty little phishing attack that targeted me over a two-day period, and this one is both unique and, if you’re not careful, very effective.
On Monday my iPad informed me that I needed to log into my Apple ID account, which I attempted using my Apple ID and password. That attempt was rewarded with an admonition, “This Apple ID has been locked for security reasons,” or something similar to that wording. Apparently, someone attempted multiple logins with my Apple ID and an incorrect password, and Apple took the precaution of locking my account after too many such attempts. I managed to log in on my iPad using other contingencies employed by Apple.
It never occurred to me that the actual objective was not to break into my account, but rather to intentionally lock the account for the follow-up attack the next day. Clever.
The next morning I received a security alert email from Apple advising me that my Apple ID account had been logged onto from an I.P. address in Indonesia. Included in the email was a link to verify the machines from which my account had recently been accessed. I tapped the link and was taken to an HTTPS site with what appeared to be the Apple ID login page. HTTPS normally means that you’re safe, right? Well, not really. It only means that the traffic between your device and that particular site is encrypted, which discourages electronic “eavesdropping” on the conversation between the two computers, and that the site holds a certificate for whatever domain is in the address bar. It says nothing about whether that domain is Apple’s; anyone can obtain a certificate for a domain they control, so a phishing page shows the same padlock as the real thing. Clever.
What I had failed to do was hover over the email link before tapping it; had I done so, it would have revealed a bit.ly link, meaning the real address was hidden behind a URL totally unrelated to Apple. Not clever, but for some reason I fell for it.
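The check described above, looking at where a link really goes before following it, can be done mechanically on a saved copy of the email. The following is an added example, not code from the original post: it pulls every link out of an HTML email, flags URL shorteners (which hide the real destination), flags links whose visible text names one domain while the href points at another, and flags any remaining link whose host is not one of the domains a genuine Apple notice would use. The sample email, the shortener list and the trusted-domain list are all constructed for this illustration, and the `https` scheme is deliberately ignored, since the padlock proves nothing about which domain you are on.

```python
"""Flag suspicious links in an HTML email before anyone clicks them.

Added example for this article, not code from the original post.  The
sample email, SHORTENER_HOSTS and TRUSTED_DOMAINS below are assumptions
made for the illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that hide the real destination behind a redirect (assumed list).
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Domains a genuine Apple ID notice would link to (assumption for the example).
TRUSTED_DOMAINS = ("apple.com", "icloud.com")

# Link text that itself looks like a URL or bare domain, e.g. "https://appleid.apple.com".
_URL_LIKE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?")


def same_or_subdomain(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_links(html: str, claimed_sender_domains=TRUSTED_DOMAINS):
    """Return a list of (href, reason) for every link that deserves suspicion.

    Only the hostname is examined: an https:// scheme is not evidence of
    anything, so it plays no part in the decision.
    """
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:  # mailto:, in-page anchors, etc.
            continue
        if host in SHORTENER_HOSTS:
            findings.append((href, "URL shortener hides the real destination"))
            continue
        # Visible text that reads like a URL but points somewhere else.
        m = _URL_LIKE.fullmatch(text)
        if m and not same_or_subdomain(host, m.group(1).lower()):
            findings.append((href, f"link text says {m.group(1)} but href goes to {host}"))
            continue
        if not any(same_or_subdomain(host, d) for d in claimed_sender_domains):
            findings.append((href, f"host {host} is not an expected sender domain"))
    return findings


# Constructed sample resembling the Day 2 "security warning" (not a real message).
SAMPLE_EMAIL = """
<html><body>
<p>Your Apple ID was used to sign in from an IP address in Indonesia.</p>
<p>If this was not you, please
<a href="https://bit.ly/2AbCdEf">verify the devices that recently accessed your account</a>.</p>
<p>Or sign in at <a href="https://appleid-verify.example.net/login">https://appleid.apple.com</a>.</p>
<p>Questions? See <a href="https://support.apple.com/">Apple Support</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for href, reason in inspect_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run against the constructed sample, the shortened link and the mismatched "appleid.apple.com" link are both reported, while the genuine support.apple.com link passes. The trusted-domain list is the weak point of any such check: it must be maintained per sender, and a link that passes it still deserves a look at the full URL.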
At what appeared to be the Apple ID login screen I entered my Apple ID and password, but instead of being logged into my Apple ID account I was directed to another screen that asked for my name, address, and other information. By now the phishing scum would have my Apple ID and the associated password, but I was now onto the game when the site also asked for credit card information, date of birth, Social Security Number (oh, come on now . . . really?), etc.
I immediately closed that window, logged into my Apple ID account, and reset my password, since I had just compromised my previous one. I then reported the offending email, with its bogus link, as a phishing scam.
So, to recap, here’s how this rather ingenious phishing attack works, turning against Apple its own requirement that every Apple ID be paired with a working email address:
- Day 1: The phisher obtains an email address and checks whether that address is linked to an existing Apple ID account.
- Once that link is confirmed, the phisher deliberately makes repeated failed login attempts against that Apple ID until Apple’s protection against password guessing locks the account.
- The account owner is now wary because, obviously, someone made multiple attempts to log into the account until it was locked; this sets the user up for the follow-up email the next day.
- Day 2: The phisher sends a “security warning” email that appears to be from Apple; the “warning” advises the account owner that the account has been logged into from a foreign I.P. address.
- The account owner lets the previous day’s suspicions override his normal caution, and he “logs into” his Apple ID account through the bogus link supplied in the “security warning” email. The Day 1 lockout was never an attempt to break in; it was the pretext that makes the Day 2 email believable.
- The phisher then captures the account owner’s password and, if the account owner continues to fall for the phishing attack, other, even more critical personal information.
This is by far the most sophisticated phishing attack I’ve yet seen, or at least it appears so to me because it’s the only one that’s ever duped me into revealing anything. It’s an extremely fine piece of social engineering that uses a two-pronged con deliberately tailored to instill suspicion on Day 1 of the attack in order to override caution on Day 2 of the attack.
Do not fall for this attack. Just because your Apple ID account was locked does not mean that the attacker managed to break in later. Indeed, the chances are that he has not, and that your account is still secure; the lockout is the bait, not the break-in. Report the follow-up email as a phishing scam and delete it. If you’re paranoid after the initial Day 1 attack, check your Apple ID account over the next several days and make sure you still have access, but reach it the safe way, by typing the address yourself or through the Settings app on your device, never through a link in an email. If you still have access, the phisher has not taken over the account and changed your password to transfer control of it to himself.
Please help spread the word by sharing a link to this article with your friends and family members, as I suspect this is going to be the next big scam.
© 2017 R. Doug Wicker (RDougWicker.com)