Phishing scams often come in waves. Last year it was a phony Google Docs link and a convincing Netflix impersonator, both of which had plagued the internet sporadically for months, at least, before seeing big surges. This month, it's a bogus Apple App Store email that convinces its victims to cough up all kinds of personal information.
First reported by Bleeping Computer, the phishing campaign doesn't contain any especially novel elements, but it executes the basics well enough that it's easy to be fooled.
If you do so, a prompt tells you that your account has been locked for security reasons, and offers an Unlock Account button. Click it, and you'll be prompted to input your name, address, Social Security number, payment info, answers to common security questions, even your driver's license and passport number. In other words, everything an identity thief could possibly need to upend your life.
In one final clever touch, after you submit your information, the faux Apple site says it will log you out for security—then sends you to a legitimate Apple account management page.
That sort of full-circle approach makes it a terribly convincing phishing effort. It even comes with an implicit narrative: If you get an email about a suspicious app purchase, you might assume your Apple account has been hacked, which in turn might motivate you to "unlock" it by proving your identity.
This particular phishing effort appears to have been around for a while, but it has increased in popularity along with other attachment-based scams. "The likely reason they're becoming more common is because they're able to bypass email filters more effectively, since there are no malicious links in the email itself and the PDF isn't an inherently malicious document," says Crane Hassold, a threat intelligence manager at security firm Agari.
The App Store scam is also indicative of other phishing trends, particularly in terms of how it has propagated. "It's likely a bunch of phishers using a single phishing kit that was created and distributed by a single actor," says Hassold. "That's essentially how the phishing ecosystem works. You have a relatively small number of actors who create phishing kits—the collection of files needed to create a phishing page—who then distribute them through social media, underground forums, or their own vendor webpages."
As in any phishing scheme, there are a few simple ways to keep yourself safe. You can confirm the real identity of an email's sender—in Gmail, by clicking the downward-facing arrow next to your name. And if you need to enter any of your information on a site, for whatever reason, go there by typing the address directly rather than clicking on a link from an email or attachment. And in this specific case, look closely at your URL bar. The scammers apparently haven't put much effort into making them appear legitimate.
Eventually, the App Store phishing scam will give way to another one, just like the Netflix and Google Docs campaigns did. But the tricks it uses won't. So take the lessons now, and be ready to use them every time you visit your inbox.
Additional reporting by Lily Hay Newman.