I recently came across a Kaspersky report – Apple of Discord – by Nadezhda Demidova. Primarily, it’s about a dramatic rise in phishing attacks directed at those of us who use Apple devices (presumably including Macs as well as iOS iGadgets). According to the report, Kaspersky’s detections of such sites have risen from around 1000 per day in 2011 to an average of 200,000 per day over 2012 and the first half of 2013. As if that average weren’t scary enough, a graph indicates peaks as high as nearly 940,000 detections in a single day, a phenomenon that Demidova ascribes to concurrence with major Apple events such as the opening of iTunes stores in 56 countries.
Victims are directed via spam messages apparently from Apple – at least, that’s the only vector mentioned in the article – to sites that are crafted to resemble real Apple sites, festooned with links to real apple.com pages and objects. The criminals who set them up are clearly interested in iCloud and iTunes contents and credentials, and of course the credit card details associated with those services. As Demidova implies, while modern desktop browsers often make it easier to spot a ‘real’ target address where a legitimate site is being spoofed, those indications are often harder to spot using Safari on an iGadget. (The same may apply to other browsers on other mobile platforms, of course.)
One good feature of the article is that it includes a number of potential heuristics that might alert the victim to malfeasance. Clearly, inconsistencies in the browser display are one example, and an absence of personalization in phishing emails is another – I think it’s reasonable to expect a company with which you hold an account to know at least your name, rather than just addressing you as ‘Dear’ (or in this case ‘Dears’…). Another is hinted at by a screenshot of one phishing form that asks for the victim’s credit card number, merchant, expiration date, card verification code (CVC), date of birth and social security number.
One of the characteristics of many phishing scams is greed about the amount of information they demand. While this is by no means the worst I’ve seen – some demand something akin to a life history – what is passed off here as ‘necessary’ data for associating a credit card with an Apple ID is in fact quite enough to kick off a bid for comprehensive identity theft. Phish recognition is considered at much greater length in a paper by Andrew Lee and myself here. It’s a little elderly, but the basic principles – i.e., the weaknesses of untargeted phishing – haven’t changed much.
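Two of the heuristics above, the impersonal salutation and the over-greedy form, can be checked mechanically by a mail or web filter. The sketch below is an added example, not taken from the Kaspersky report or the paper mentioned; the keyword lists, function names and the sample message and form are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Data categories and the words that signal a form is asking for them.
# These keyword lists are assumptions made for this example.
CATEGORIES = {
    "card_number": ("card number", "cc number"),
    "cvc": ("cvc", "cvv", "verification code"),
    "expiry": ("expir",),
    "date_of_birth": ("date of birth", "dob"),
    "ssn": ("social security", "ssn"),
}
BEYOND_PAYMENT = {"date_of_birth", "ssn"}  # identity data a card payment does not need
# A salutation line with no name after it: "Dear", "Dears," or "Dear customer,".
GENERIC_GREETING = re.compile(
    r"^\s*dears?(?:\s+(?:customer|client|user|member))?\s*[,:!]?\s*$", re.I | re.M)

class FormFields(HTMLParser):
    """Collects the text describing each input: its attributes and <label> text."""
    def __init__(self):
        super().__init__()
        self.texts, self._in_label = [], False
    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            a = dict(attrs)
            self.texts.extend(a[k] for k in ("name", "id", "placeholder") if a.get(k))
        self._in_label = self._in_label or tag == "label"
    def handle_endtag(self, tag):
        if tag == "label":
            self._in_label = False
    def handle_data(self, data):
        if self._in_label and data.strip():
            self.texts.append(data.strip())

def requested_categories(form_html):
    parser = FormFields()
    parser.feed(form_html)
    blob = " ".join(parser.texts).lower().replace("_", " ").replace("-", " ")
    return {c for c, words in CATEGORIES.items() if any(w in blob for w in words)}

def triage(email_text, form_html):
    findings = ["generic salutation"] if GENERIC_GREETING.search(email_text) else []
    excess = sorted(requested_categories(form_html) & BEYOND_PAYMENT)
    if excess:
        findings.append("form asks for more than a card payment needs: " + ", ".join(excess))
    return findings

# Constructed samples modelled on the message and form described in the text.
SAMPLE_EMAIL = "Dears,\n\nYour Apple ID must be verified. Confirm your billing details.\n"
SAMPLE_FORM = "".join(f"<label>{t}</label><input name='{n}'>" for t, n in [
    ("Credit card number", "cc_number"), ("Merchant", "merchant"),
    ("Expiration date", "exp"), ("CVC", "cvc"),
    ("Date of birth", "dob"), ("Social Security Number", "ssn")])
```

Neither signal is conclusive on its own, so the findings are best treated as inputs to a score or a reviewer's queue rather than as a verdict.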
Even if you don’t consider Mac malware too important (despite blips like Flashback) and have noticed that there’s virtually no malware that affects iOS users (jailbreaking aside), it’s important to remember that many phishing attacks are platform-agnostic.
PS: The title of this piece is a sly reference to the long-lived but now extinct Mac Fisheries chain of fishmongers. The last of these wet fish shops were closed around the end of the 1970s. Sorry, sometimes my interest in history goes way beyond the history of malware… If you want to know more about Mac Fisheries than Wikipedia has to say, you might try Colin French’s website.