Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Apple Credential Phishing via appleidconfirm.net - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Apple Credential Phishing via appleidconfirm.net

ISC user Craig Cox wrote in alerting us of a fairly sophisticated phishing campaign that is currently in progress. The website appleidconfirm.net has a seemingly realistic Apple login page that is being sent out by email.

The site even includes JavaScript code which validates your Apple ID as an email in an attempt to obtain only valid credentials.

Upon submitting what it considers valid credentials, you're redirected to the /?2 page of the site which contains another form which appears to be Apple's site:

At this stage the site is collecting personal details about the account holder which may aid them in making changes to the account or stealing the victim's identity.  After submitting precious personal information, it's now time to give them your credit card information:

Only after supplying a valid Visa, Mastercard, American Express or Discover card number are you forwarded to the /?3 "Success" page.

Finally, after a just a couple of seconds on this page (before you have a chance to click one of the links which are actually a screenshot image of the real Apple site without any functional links) you are redirected to the real apple.com. At this point the attacker would have obtained all the necessary information to exploit the victim, and the victim would have absolutely no idea how this happened. Clever!

Technical Analysis

We're able to observe or infer several things through a quick analysis.

First of all, we can observe that the site is running on PHP:

	Set-Cookie: PHPSESSID=4b2be321acb0eac806780b7cd3ae1ba8;

In the phishing emails, they have a parameter like /e=656d61696c4076696374696d2e656d61696c appended to the URL. Thanks to insight from ISC readers, it's now clear that this is the victim's email as a tracking identifier. (Hex to ASCII)

We can also see that the site is hosted by Lycos with a domain registered just a day ago via Tucows.

Looking at the front-end of the site, we can see that the phishers didn't actually replicate the full HTML/CSS page but rather overlayed screenshots of the real apple.com with forms. This is how they manage to so accurately mimic the appearence of the target site without affording much effort into the front-end development. The background screenshot of apple.com used on their main page can be seen at http://www.appleidconfirm.net/img/main.png

Lastly, we can see that the site is not using HTTPS. This is a key differentiator from the true apple.com login page which does utilize HTTPS. Yet another reason to pay close attention to the URL bar in your browser.

Mitigation

Obviously it's not very difficult to craft a successful phishing campaign, but from a technological standpoint it's difficult to thwart them. So, what can we do? We should invest in awareness through education. That means reconsidering the amount of time and budgeting you set aside to train the less technical staff about phishing and social engineering. Informally, it may be time to sit down with that friend or family member who keeps sending you ads for weight loss because they have fallen victim to the latest phish. Knowledge is power.

Finally, when you see a phish in progress take the time to write a few abuse emails to the relevant providers. (and forward the phish to us!)

Alex Stanford

136 Posts
Please, PLEASE remember to notify malwaredomains.com when sites like this are discovered.

Thanks.
John Hardin

62 Posts
Is there anything in the email message\header that might be used to block this?
John Hardin
1 Posts
Quoting Anonymous:Is there anything in the email message\header that might be used to block this?

The reason I didn't offer any analysis of the email message and headers is because I was never able to obtain them. If anyone does get their hands on a copy of the mail being sent out please feel free to send it in to us.
Alex Stanford

136 Posts
I sent the headers 3/27 9am EDT. Want them again?
Anonymous
I need some tutoring to learn "how to" regarding:

"Finally, when you see a phish in progress take the time to write a few abuse emails to the relevant providers. (and forward the phish to us!)".

In this case the email provider is: googlemail.com. I reported the abuse by providing the source and contents of the phishing email to Google abuse reporting.

If you could let me know which email address I can forward this phishing email to you at ISC, please do so.

The Google submission says they will get back if they need any more info and warn me not to expect any response to the submission.

Thank you very much.

Vish Hebbar

hebbar100@comcast.net

hebbar100@gmail.com
Vish

1 Posts
Quoting Anonymous:I sent the headers 3/27 9am EDT. Want them again?

Yes, please, we're unable to find the email even after looking again with multiple sets of eyes. It's quite possible that it was caught up in a spam filter on our end. Can you try sending the data via the contact form? https://isc.sans.edu/contact.html
Quoting Vish:I need some tutoring to learn "how to" regarding:

"Finally, when you see a phish in progress take the time to write a few abuse emails to the relevant providers. (and forward the phish to us!)".

In this case the email provider is: googlemail.com. I reported the abuse by providing the source and contents of the phishing email to Google abuse reporting.

If you could let me know which email address I can forward this phishing email to you at ISC, please do so.

The Google submission says they will get back if they need any more info and warn me not to expect any response to the submission.

Thank you very much.

Vish Hebbar

hebbar100@comcast.net

hebbar100@gmail.com

As above, the most reliable method to email us is via our contact form. However, you can forward the mail directly to: handlers (at) isc (dot) sans (dot ) edu
Alex Stanford

136 Posts

Sign Up for Free or Log In to start participating in the conversation!