- Phishers are targeting Apple users with new scams to steal Apple accounts
- Scammers use genuine Apple support emails to trick victims
- Always check by calling Apple and never give out passwords
Would you trust a cold caller claiming to be from Apple if the call was backed up by genuine messages from Apple itself? That sense of authenticity is exactly what fraudsters are exploiting in an active campaign against Apple users, attempting to steal their account credentials.
For Apple user Eric Moret, this risk was all too real. As described in a Medium blog post, Moret suddenly received a text message with a two-factor authentication (2FA) code even though he wasn’t trying to log into any of his accounts. A minute later, he received an automated phone call from Apple that read him a 2FA code. Apparently someone was trying to get in.
Shortly thereafter, Moret received a call from a number in Atlanta. The caller said he was from Apple Support and explained that Moret’s account was under attack and that another representative would call him shortly. That call came within ten minutes and led to a “25-minute scam” in which the caller guided Moret through resetting his iCloud password.
The cleverest part: the scammer created a real Apple support ticket for Moret and, during the call, asked him to verify that it had come from a genuine Apple email address. The caller seemed calm and professional, and everything suggested to Moret that the process was legitimate.
Moret was asked to reset his iCloud password, but the caller never asked him to share it. The next step was the crucial one: he was told he would soon receive a text “with a link to complete your application.”
This text message contained a link to a fraudulent website, apple-apple.com. The site claimed that the process of securing Moret’s account was underway and that all he had to do was enter a code to complete it. He then received a six-digit verification code via SMS, which he entered on the site.
That was the hook. Rather than closing the case, the code Moret received was actually a 2FA code, and entering it on the fake site handed the attackers access to his account. Within seconds of typing it in, he received an email at which, in his words, “my blood ran cold.” It informed him that his account had been used to log in on a Mac mini, a device he did not own. It was clear that the fraudsters had gained access to his account and therefore to his “entire digital life”, including his files, photos, emails and much more.
To reassure him, the fraudulent caller told Moret that this was all “planned as part of the security process,” but Moret wasn’t convinced. Thinking quickly, he reset his iCloud password a second time, after which the Mac mini disappeared from his account and the fake website started redirecting to Google. He had escaped disaster, but only just.
How to protect yourself against these types of attacks
The attack worked because the fraudsters remained calm throughout and did not rush or pressure Moret, which could have raised his suspicions.
But the real concern was the authentic Apple support email, which exploited a flaw in Apple’s system: anyone can create an Apple support ticket on someone else’s behalf without authentication. This meant the attackers could open a case using Moret’s email address so that a genuine Apple support mail landed in his inbox, lending credibility to their call.
However, there are ways to protect yourself against these types of attacks. The easiest way is to hang up if you get an unexpected call from someone claiming to work for Apple, then call Apple directly to see if you’re really at risk.
Also, be careful with 2FA codes and never give them to anyone else, even if they claim to be from Apple. Never read these codes out over the phone and never enter “verification codes” anywhere on someone else’s instruction. And always make sure a site is a real Apple domain and not one that merely uses the company name alongside other URL elements, as the phishers did in this case.
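The domain check described above, as an added example that is not from the original article or from Apple: it parses the hostname out of any link found in a message and accepts it only if it is one of an assumed list of genuine Apple domains or a subdomain of one, so look-alikes such as apple-apple.com are rejected. The trusted-domain list and the sample SMS are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Assumed list of domains Apple actually uses for account and support flows;
# check it against Apple's own published guidance before relying on it.
TRUSTED_APPLE_DOMAINS = ("apple.com", "icloud.com")

# Finds http(s) links in free text such as an SMS or email body.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_genuine_apple_link(url: str) -> bool:
    """Return True only if the link is HTTPS and its host is a trusted Apple
    domain or a subdomain of one.

    Matching on the parsed hostname (not on the raw string) rejects tricks such
    as 'apple-apple.com', 'apple.com.example.net' and 'https://apple.com@example.net/'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":  # a real account-security flow is served over HTTPS
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    for domain in TRUSTED_APPLE_DOMAINS:
        # Exact match, or a label boundary immediately before the trusted suffix
        if host == domain or host.endswith("." + domain):
            return True
    return False


def flag_links_in_message(text: str) -> list[tuple[str, bool]]:
    """Return (url, genuine) pairs for every link found in a message body."""
    return [(url, is_genuine_apple_link(url)) for url in URL_RE.findall(text)]


# Constructed SMS modelled on the one in the story (not the real message).
SAMPLE_SMS = (
    "Apple Support: to complete your request, open "
    "https://apple-apple.com/secure and enter the code we send you."
)

if __name__ == "__main__":
    for url, genuine in flag_links_in_message(SAMPLE_SMS):
        print(f"{url} -> {'genuine Apple domain' if genuine else 'NOT an Apple domain'}")
```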
And if you really want to be safe, use a hardware security key. This requires you to physically connect the device to your computer to verify your identity, something a phisher on the other end of a phone call cannot do.