Apple has one of the more gilded consumer brands and the company spends a lot of time and money to keep it that way. Consumers love Apple. Scammers and attackers do too, though, and security researchers in recent months have seen a major spike in the volume of phishing emails abusing Apple’s brand, most of which are focused on stealing users’ Apple IDs and payment information.
Phishing emails playing off of Apple’s brand–or the brands of other major companies such as Amazon, Microsoft, Google and others–are nothing new. Using trusted brands as a lure is the crux of what phishers do. It’s their stock in trade. But in the last few months, scammers have been focusing much of their attention on Apple, especially at times when the company is launching a new product or making a major announcement. Since about the beginning of 2012, the volume of phishing emails purporting to come from Apple has jumped by a factor of about 200, sometimes reaching close to a million per day.
“The scammers make use of phishing sites that imitate the official apple.com site. Since the beginning of 2012 until the present time this has resulted in a significant increase in the number of web antivirus detections triggered by users of our products attempting to visit such sites. During that period we have seen on average around 200,000 detections per day. By contrast, in 2011 the figure stood at around 1,000 detections per day,” said Nadezhda Demidova of Kaspersky Lab in an analysis of the trend.
“On some days the number of web antivirus detections for fake apple.com phishing sites exceeded the daily average by several times. There were a number of peaks, the most significant of which occurred on December 6, 2012 (939,549 detections) and May 1, 2013 (856,025 detections). This periodic surge in cybercriminal activity and the resulting increase in web antivirus detections can be put down to important events in the life of Apple. For example, December’s peak occurred immediately after the iTunes Store opened in Russia, Turkey, India, South Africa and 52 other countries around the world.”
Some of the emails that scammers have sent out in the past playing off of Apple’s brand have been pretty amateurish, as phishing emails can be. But, as Apple and its users have become higher priority targets, the scams have evolved and become more professional, employing emails that look almost identical to the legitimate mail that Apple sends to its customers. A typical phishing email that researchers are seeing today might include the Apple logo at the top and use grammatically correct English and the same kind of phrases that legitimate emails use.
The links in these emails of course lead to malicious sites designed to steal users’ IDs, passwords and credit card information, but the sites often look quite professional now, too. Demidova said that the sites typically mimic Apple’s own site quite well, with the main clue that you’re on the wrong site being the URL in the address bar. But, if a user is visiting the site on a mobile device, she may not be able to see the URL after the initial download.
“However, if the site is opened in a Safari mobile browser on an iPhone or iPad, the user may not look at the address line as it is hidden from view once the page is downloaded. The scammers can also add additional elements to a page such as an image showing an address line with the legitimate address. This element takes the place of the real address line and is meant to trick recipients,” Demidova said.
Image from Flickr photos of H3h.