David Harley

Job title:
CEO, Small Blue-Green World, and independent author

Areas of expertise:
Apple security, malware, anti-malware testing, psychosocial aspects of security, user education, email management, social media, medical informatics

The Apple Security Blog, by David Harley

David Harley, CITP, FBCS, CISSP, is an IT security researcher, author and consultant living in the UK. He has worked in IT (largely in medical informatics) since the 1980s, increasingly focused on security and anti-malware research since 1989. Between 2001 and 2006 he managed the UK National Health Service’s Threat Assessment Centre, and since 2006 he has provided authoring and consultancy services to the anti-virus industry. Since 2009 he has been a director of the Anti-Malware Testing Standards Organization (AMTSO). He runs the Mac Virus website and AVIEN (the Anti-Virus Information Exchange Network), and is a Fellow of the British Computer Society (now the BCS Institute). He was principal author and technical editor of “The AVIEN Malware Defense Guide for the Enterprise” and co-authored “Viruses Revealed”, as well as contributing to many other books including “OS X Exploits and Defense”. He has a daunting back-catalog of research papers and articles, and also blogs for Mac Virus, AVIEN, ESET (where he holds the title Senior Research Fellow), (ISC)², and numerous other websites.

Mac Phisheries

I recently came across a Kaspersky report – Apple of Discord – by Nadezhda Demidova. Primarily, it’s about a dramatic rise in phishing attacks directed at those of us who use Apple devices (presumably including Macs as well as iOS iGadgets). According to the report, Kaspersky’s detections of such sites have risen from around 1000 per day in 2011 to an average of 200,000 per day over 2012 and the first half of 2013. As if that average weren’t scary enough, a graph indicates peaks as high as nearly 940,000 detections in a single day, a phenomenon that Demidova ascribes to concurrence with major Apple events such as the opening of iTunes stores in 56 countries.
Victims are directed via spam messages apparently from Apple – at least, that’s the only vector mentioned in the article – to sites that are crafted to resemble real Apple sites, festooned with links to real pages and objects. The criminals who set them up are clearly interested in iCloud and iTunes contents and credentials, and of course the credit card details associated with those services. As Demidova implies, while modern desktop browsers often make it easier to spot the ‘real’ target address where a legitimate site is being spoofed, those indications are often harder to spot using Safari on an iGadget. (The same may apply to other browsers on other mobile platforms, of course.)
One good feature of the article is that it includes a number of potential heuristics that might alert the victim to malfeasance. Clearly, inconsistencies in the browser display are one example, and an absence of personalization in phishing emails is another – I think it’s reasonable to expect a company with which you hold an account to know at least your name, rather than just addressing you as ‘Dear’ (or in this case ‘Dears’…). Another is hinted at by a screenshot of one phishing form that asks for the victim’s credit card number, merchant, expiration date, card verification code (CVC), date of birth and social security number.
One of the characteristics of many phishing scams is greed about the amount of information they demand. While this is by no means the worst I’ve seen – some demand something akin to a life history – what is passed off here as ‘necessary’ data for associating a credit card with an Apple ID is in fact quite enough to kick off a bid for comprehensive identity theft. Phish recognition is considered at much greater length in a paper by Andrew Lee and myself here. It's a little elderly, but the basic principles – i.e., the weaknesses of untargeted phishing – haven't changed much.
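The three heuristics discussed above (a greeting that names nobody, a displayed address that disagrees with the real link target, and a form that demands far more than a card update needs) as a small detector. This is an added example written for this post, not code from the article or from the Kaspersky report; the HTML mail is constructed to mirror the report's description, and the field names and the list of "excessive" fields are my own assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: generic "Dears" salutation, a link whose visible text spoofs
# Apple, and a card form that also wants date of birth and social security number.
SAMPLE_MAIL = """<html><body><p>Dears,</p>
<p>Your Apple ID was used for an iTunes purchase. Verify your card at
<a href="http://appleid-verify.example.net/login">https://appleid.apple.com/</a></p>
<form><input name="card_number"><input name="expiry"><input name="cvc"><input name="date_of_birth"><input name="ssn"></form></body></html>"""

GENERIC_GREETING = re.compile(r"^\s*dears?\s*(customer|user|client)?\s*[,!:]?\s*$", re.I)
DOMAIN_IN_TEXT = re.compile(r"([\w-]+\.)+[a-z]{2,}", re.I)
# Assumed list of data a card-update form has no business asking for.
EXCESSIVE_FIELDS = ("ssn", "social", "birth", "dob", "mother", "password", "pin")

class _MailParser(HTMLParser):
    # Collects (href, visible text) per anchor, input field names, and body text.
    def __init__(self):
        super().__init__()
        self.links, self.fields, self.text, self._href = [], [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._anchor = a.get("href", ""), []
        elif tag == "input":
            self.fields.append((a.get("name") or a.get("placeholder") or "").lower())
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None
    def handle_data(self, data):
        if self._href is not None:
            self._anchor.append(data)
        self.text.append(data)

def find_indicators(html):
    """Return human-readable phishing indicators found in an HTML mail."""
    p = _MailParser(); p.feed(html)
    found = []
    # 1. No personalisation: the greeting line names nobody.
    line = next((l for l in "".join(p.text).splitlines() if GENERIC_GREETING.match(l)), None)
    if line:
        found.append(f"generic salutation {line.strip()!r}")
    # 2. The address shown in the link text disagrees with where the link really goes.
    for href, text in p.links:
        shown, host = DOMAIN_IN_TEXT.search(text), urlparse(href).hostname or ""
        if shown and host != shown.group(0).lower() and not host.endswith("." + shown.group(0).lower()):
            found.append(f"link shows {shown.group(0)!r} but targets {host!r}")
    # 3. Greed: identity data demanded well beyond what a card update needs.
    greedy = [f for f in p.fields if any(k in f for k in EXCESSIVE_FIELDS)]
    if greedy:
        found.append(f"form demands unrelated identity data: {greedy}")
    return found
```

Each indicator alone is weak (a legitimate mailing may well say "Dear Customer"), so treat the list as evidence to weigh rather than a verdict.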
Even if you don’t consider Mac malware too important (despite blips like Flashback) and have noticed that there’s virtually no malware that affects iOS users (jailbreaking aside), it’s important to remember that many phishing attacks are platform-agnostic.
PS: The title of this piece is a sly reference to the long-lived but now extinct Mac Fisheries chain of fishmongers. The last of these wet fish shops were closed around the end of the 1970s. Sorry, sometimes my interest in history goes way beyond the history of malware… If you want to know more about Mac Fisheries than Wikipedia has to say, you might try Colin French’s website.

Posted 10/07/2013 by David Harley

Tagged under: Apple , phishing , fraud , Kaspersky , Harley , iOS , Mac
