A mobile phishing campaign is spreading via text messages purporting to come from an Apple chatbot – and offering “free trials” of iPhone 12.
The iPhone 12 is due to be released in October, and the buzz is high for Appleheads who are anxiously awaiting the launch. Cybercriminals are taking advantage of this zeitgeist to push a campaign bent on harvesting credit-card details, according to researchers.
The text uses a shipping lure to start out. According to Sophos, it reads: “Dear Christopher, we have your packet in queue. Address: Londonderry, Ballynagard crescent” and contains a link. It’s meant to look like it’s been sent to the wrong number, in hopes that people’s curiosity will get the better of them. Clicking the link triggers an interaction – via multiple texts – with a supposed “Apple chatbot.”
“The scam first shows you some cheery messages from a fake Apple chatbot to tell you why you…had enough luck to be chosen to take part in an iPhone 12 trial, and then it invites you…to join in,” explained Paul Ducklin, researcher with Sophos, in a posting on Thursday.
The texts culminate in a link whose visible text reads “apple.co.uk/2020/promo”; tapping it opens the browser. There, the person is asked to provide a full name and address, supposedly to “verify” that he or she is part of the official Apple pre-release trial group.
“The name-and-address answers…don’t matter a jot,” Ducklin said. “We tried clicking numerous different combinations and, unsurprisingly, the crooks let us through anyway. The questions are there just to provide a plausible connection back to the SMS that was meant for ‘Christopher’ but that reached you instead. It’s as though the criminals are trying to ‘authenticate’ themselves to you, rather than the other way around.”
After providing the name and address, the scam site surfaces a survey – again to provide verisimilitude to the target that the offer is legit. After clicking through six questions, like “do you own any Apple products,” the victim is told that their information is being verified (and a “comments” section on the bottom of the screen shows supposed reactions from those who weren’t chosen and someone saying he thought it was a joke until he received his phone).
Finally, the scam site tells the target, “Congratulations! You qualify for a test group!” and then asks the person to click to confirm his or her info – and after entering an email address, a payment screen comes up explaining that there’s a “courier delivery charge” for the phone, typically between £1 and £2.
“You end up on a credit-card payment form that’s hosted on what looks like a ‘special offers’ website with a believable enough name, and with an HTTPS security padlock if you take the time to look,” Ducklin wrote. “Of course, if you try to pay your modest delivery charge, you are simply handing over your personal data to the crooks, including your full card number and security code.”
The researcher pointed out that the scam is convincing enough to fool the less security-minded, and that delivering it over text messages gives the crooks several advantages over email.
For instance, the format can help hide the grammatical and stylistic issues that often act as red flags in email phishes. Also, shortened URLs are common in texts from legitimate businesses, so crooks can more easily disguise where a link is going to end up.
“Your phone’s operating system will happily recognize when the text in an SMS looks like a URL and automatically make it clickable for you,” Ducklin said. “As a result, text messages that contain one short, clipped sentence that wouldn’t look right in an email, and that contain deliberately disguised links that we might be suspicious of anywhere else…look surprisingly natural when they show up in an SMS.”
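The two mechanisms just described, phones auto-linkifying anything that looks like a bare host and path, and shorteners hiding the real destination, are what a triage filter has to look for. The following is an added example, not code from Sophos or from the article; the sample messages are constructed here (the first reuses the quoted lure text and appends a link matching the display text the article describes), the shortener list and the per-brand allowlist of sending domains are assumptions, and a host that contains a brand name but is outside the allowlist is flagged for review, not declared malicious.

```python
import re

# Constructed sample messages for the example (only the first sentence of the first
# one comes from the lure quoted in the article; the link placement is an assumption).
SAMPLE_SMS = [
    "Dear Christopher, we have your packet in queue. Address: Londonderry, "
    "Ballynagard crescent apple.co.uk/2020/promo",
    "Your verification code is 482913. It expires in 10 minutes.",
    "Your driver is 2 minutes away. Track: https://bit.ly/3xyzAbc",
    "Pizza delivered. Thanks for ordering with us!",
]

# Assumed list of link shorteners; extend it from your own telemetry.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Assumed allowlist: brand token -> registrable domains that brand really sends from.
BRAND_ALLOWLIST = {"apple": {"apple.com"}}

# Loosely mimics what a phone's linkifier treats as a URL: optional scheme, a host
# with at least one dot and an alphabetic TLD, optional path. A bare string such as
# "apple.co.uk/2020/promo" matches even though the sender never typed "https://".
URL_RE = re.compile(r"(?i)\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(/[^\s]*)?")


def extract_links(text):
    """Return a list of (host, path, had_scheme) tuples found in an SMS body."""
    found = []
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        path = m.group(2) or ""
        had_scheme = m.group(0).lower().startswith("http")
        found.append((host, path, had_scheme))
    return found


def registrable_domain(host):
    """Naive eTLD+1: handles a few two-level public suffixes such as co.uk.
    Production code should use a public suffix list instead of this shortcut."""
    parts = host.split(".")
    if (len(parts) >= 3 and parts[-2] in {"co", "org", "gov", "ac"}
            and len(parts[-1]) == 2):
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def assess_sms(text):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for host, path, had_scheme in extract_links(text):
        reg = registrable_domain(host)
        if reg in SHORTENER_HOSTS:
            findings.append(f"shortened link {host}{path}: destination hidden")
        if not had_scheme:
            findings.append(f"bare link {host}{path}: relies on the phone auto-linkifying it")
        for brand, allowed in BRAND_ALLOWLIST.items():
            if brand in reg and reg not in allowed:
                findings.append(f"brand lookalike {reg}: contains '{brand}' but not on allowlist")
    return findings


def triage(messages=SAMPLE_SMS):
    """Map each message to its findings so the ones worth a second look stand out."""
    return {msg: assess_sms(msg) for msg in messages}


if __name__ == "__main__":
    for msg, findings in triage().items():
        print(msg)
        for f in findings:
            print("   ->", f)
```

The two legitimate patterns Ducklin mentions, a six-digit logon code and a "driver 2 minutes away" notice, pass through with no findings unless they carry a shortened link, in which case the shortener itself is flagged because the destination cannot be judged from the text alone.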
Protection against SMS phishing (or “smishing”) comes down to alertness and the old adage that things that seem too good to be true usually are. Obviously, there is no free phone. Ducklin also noted that people need to start being as wary of texts as they are of emails, and to understand that cybercriminals are actively targeting that platform.
“If all you need to transmit is a 6-digit logon code or a ‘pizza driver now 2 minutes away’ notification, SMSes still make excellent business sense,” said Ducklin. “Sadly, however, what works for legitimate businesses almost always works for cybercriminals too, so there are plenty of crooks still using SMSes for phishing.”