- Scammers abuse Apple email domain to send callback phishing messages
- Technique exploits Apple ID creation fields to insert fake purchase alerts
- Victims are tricked into calling scammers, who then steal sensitive data or gain remote access
Scammers have found a way to abuse Apple’s email notification system to send phishing messages and trick people into revealing sensitive data and system access.
Recently, people began receiving emails from the email.apple.com domain, notifying them of an $899 iPhone purchase through PayPal. The email also shared a phone number that victims could call to “cancel” the order.
These are the usual “callback” phishing emails that trick the victim into calling the provided phone number in a panic. While talking on the phone, scammers convince the victim to share confidential information or grant them remote access to their computer. That way, scammers can make bank transfers and ultimately liquidate people’s bank accounts.
Mailing List Abuse
What sets this campaign apart is the use of Apple’s email domain. What the scammers really did was abuse the Apple ID creation process. When creating a new account, the first and last name fields can accept so many characters that criminals can enter an entire phishing message there.
Then, they change the account shipping information, which triggers Apple’s security alert. That email does not go to the victim, however, but to the scammer’s own address. The last step is to use a mailing list to distribute the email to multiple targets.
The mailing list technique is nothing new either. We’ve seen this numerous times in the past, with big names like Google, Amazon and Microsoft all being abused in the same way. Apple was used in the same way in September last year, when criminals abused iCloud Calendar invitations to achieve the same results.
In general, all emails that come from well-known brands and carry a sense of urgency should be treated with great skepticism. Being asked to call a phone number listed in the email is another red flag. The best way to check for potential problems is to navigate directly to the company’s website and look for contact information there.
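A mail-filter heuristic for the pattern described above, as an added example that is not from the original article or from Apple: it flags a message whose sender is on a trusted brand domain while the delivery recipient is absent from To/Cc (the mailing-list redistribution step), and separately flags a phone number paired with call-to-action wording. The function name, signal labels, trusted-domain set, word list and sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: brand notification domains this filter treats as trusted senders.
TRUSTED_SENDER_DOMAINS = {"email.apple.com"}
# North American style phone numbers, e.g. +1 (202) 555-0147.
PHONE_RE = re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Assumption: wording typical of "call us to cancel" lures.
CALLBACK_RE = re.compile(r"\b(call|contact|cancel|dispute|refund)\b", re.I)

def body_text(msg):
    """Join every text/plain part of the message into one string."""
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")

def callback_phish_signals(raw, envelope_rcpt):
    """Return the heuristic signals raised for one raw message.

    envelope_rcpt is the address the mail server actually delivered to.
    """
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    addressed = {addr.lower() for _, addr in getaddresses(headers)}
    text = body_text(msg)
    signals = []
    # A genuine account alert is addressed to the account owner. If we received
    # it without being in To/Cc, it was redistributed (for example via a list).
    if domain in TRUSTED_SENDER_DOMAINS and envelope_rcpt.lower() not in addressed:
        signals.append("trusted-sender-but-recipient-not-addressed")
    if PHONE_RE.search(text) and CALLBACK_RE.search(text):
        signals.append("callback-number-in-body")
    return signals

# Constructed sample; addresses, subject, number and layout are invented.
SAMPLE = """\
From: Apple <noreply@email.apple.com>
To: list-owner@example.net
Subject: Your account information was updated

Hello Your $899 iPhone purchase via PayPal is confirmed. To cancel call +1 (202) 555-0147,

Your shipping information was changed.
"""

if __name__ == "__main__":
    print(callback_phish_signals(SAMPLE, "victim@example.org"))
```

Because the message really does originate from the brand's mail servers, sender-authentication results alone would not separate it from a genuine alert, which is why the recipient mismatch is the stronger of the two signals.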
Via BleepingComputer




