The attack is using sites that spoof the Apple ID login page closely, in an effort to trick users into entering their details online. So far, Trend Micro has identified a total of 110 compromised sites, all hosted at the same IP address registered to an ISP in the Houston area. Almost all of these sites have not been cleaned.
“We’ve seen attacks targeting not only American users, but also British and French users,” the firm said in a blog. “Some versions of this attack ask not only for the user’s Apple ID login credentials, but also their billing address and other personal and credit card information. It will eventually result in a page that states that access has been restored, but of course the information has been stolen.”
Also, “Upon looking at the URLs, we noted that there was a consistent pattern to the URLs of these phishing sites,” the company noted. “They are under a folder named ~flight.”
Technically, the sites were only compromised, but not hacked (as the original content was not modified). “It’s possible, however, that the sites may be hacked or defaced if the site stays compromised,” Trend Micro noted.
Users may be redirected to phishing sites via spam messages stating the user’s account will expire unless their information is subject to an “audit,” which not only gets users to click on the link, it puts them in a mindset willing to give up information.
“One way to identify these phishing sites is that the fake sites do not display any indications that you are at a secure site (complete with padlock and the “Apple Inc. [US]” part of the toolbar).
“For the phishing messages themselves, legitimate messages should generally have matching domains all around – where they were sent from, where any links go to and so on,” Trend Micro said. “Mere appearance of the email isn’t enough to judge, as very legitimate-looking emails have been used maliciously.”
To combat being duped, users should enable the two-factor authentication that Apple ID recently introduced, for added protection.