21 September 2014

Apple for the day


ZDnet.com has an article about Apple by Larry Seltzer, long a recognized expert in technology, with a focus on mobile technology and security in recent years, for Zero Day:
The news of the new iPhones and the leaked celebrity photos created an atmosphere in which users might act rashly when presented with a message purportedly from Apple.
After a week of big Apple news, it's no surprise that the authors of phishing emails would focus on Apple, and that appears to be what has happened. I have received one myself and read reports of others.
The Internet Storm Center at the SANS Institute reports on one using the "your account is about to expire" hook. The language is awkward and confusing, so even if you missed any technical clues that it was illegitimate, reading carefully should arouse suspicion. What does this actually mean, other than "click the link"?
"We inform you that your account is about to expire in less 48 hours, it's imperative to update your information with our audit forms, otherwise your session and/or account will be a limited access."
The English in the rest of the message isn't much better. As the ISC says, it fits in the usual pattern for phishing, taking advantage of public events (the release of the new iPhones and the leak of celebrity photos).
The message I received is much more professional. I'm very good at spotting these things, but I had to look carefully to notice this one. It claims that the credit card on my Apple ID has been changed; if this was in error I should log in and reset my password at the handy link.
The text of the link is a domain: iforgot.apple.com, which is the genuine site for Apple's password reset page for Apple IDs. The target of the link, as you can see in the nearby image, is actually on a WordPress page on another site (a roofing company in Alabama, one which probably was running an old and vulnerable version of WordPress). It was by hovering over the link in the message in Outlook, which reveals the target of the link, that I became satisfied it was a phish. The phishing page has been taken down.
Everything else about the message is credible and well-written. The address details are for Greece, but if the reader gets that far they are already suspicious. The message itself appears to have originated from the Verizon FiOS network, through a server in Indonesia, and then back to me.
There's not much really new here, but you should remember, and remind others who might not be so alert, to be on the lookout, and not to inherently trust such messages. 
Comments:
All the miscreants need to do now is email Apple iTunes users, both mobile and on the desktop, a malicious mp3 file attachment stating in the body of the email that it is a bonus song for those that recently 'purchased' U2's 'Songs of Innocence' album. Play the file and you are pwn3d.
Rabid Howler Monkey 
If you're a phisher or part of a phishing group, and knew that a big announcement was to be made on a particular day, you should have plenty of time to prepare. Make sure your work looks professional. Make sure all the logos are up-to-date. Get a decent email address to send from, and hide your links adequately. Make sure that your page replicates the page it is supposed to match, and be ready for last-minute changes just in case. There is a lot of work to do if you want people to fall for your bait, but the way companies like Apple do their announcements gives you a timetable to plan to.
And no, I don't expect that this comment is giving phishers any ideas they don't already have.
Postulator 
What with Apple being an American company, it is suspicious that the British spelling unauthorised is used: Americans and Canadians use unauthorized.
Most Americans would not use the "Day/Month/Year" date format. That format is much more common in European countries.
FrankA1963
Apple's increasing market share made it a worthwhile target. Apple users should brace themselves for the coming attack on their platform; their security through obscurity is now gone. The faster they learn will help mitigate their vulnerability, particularly the social engineering component of the attack vectors coming their way.
Rico says they still need to figure out how to remotely burn down hacker computers...
