October 8, 2012

Phishing for Apple IDs


The Websense® ThreatSeeker® Network has detected a phishing campaign whose potential victims are holders of an Apple ID account. An Apple ID allows you to buy new apps, make a customer workshop reservation at an Apple Retail Store, or buy music and multimedia content from the iTunes Store. You can also buy applications for Mac OS X as well as mobile apps for iOS devices like the iPad and iPhone. All these fine services can also be accessed by unauthorized users if they can obtain your credentials. The phishing campaign begins with an email message like this one, informing the recipient of a "suspended" Apple ID:

The email itself does not display a nice "Apple" look and feel. However, the URL for "reactivating" the Apple ID account (hxxxxxp://apps.apple.com-account-cancel.shellbells.com.au/?/cgi-bin/WebObjects/MyAppleId.woa/) takes a user to a page that looks very much like the Apple style, as shown below:

As sometimes happens, the hosts that hold the phishing domains have an "open directory" (probably due to a configuration issue), which makes it possible to navigate the structure of the path (server side) used to deploy the phishing email, as shown here:

The URL is traced to IP address, where we have detected other phishing domains and hosts:

We have quarantined or rejected hundreds of these types of phishing email messages, which can potentially lead to identity theft:


Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine). 
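The "reactivation" URL quoted above places `apps.apple.com` at the left of the hostname, while the registrable domain is actually `shellbells.com.au`. The Python check below is an added example, not Websense code, showing how a mail or proxy filter can flag that pattern; the brand list and the small suffix set are constructed assumptions, and a production filter would load the full Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Constructed, deliberately tiny suffix set (assumption); use the full
# Public Suffix List in a real deployment.
MULTI_LABEL_SUFFIXES = {"com.au", "co.uk", "com.br"}
# Assumption: brand domains this filter is meant to protect.
BRAND_DOMAINS = ("apple.com", "icloud.com")


def refang(url):
    """Restore a defanged scheme (hxxp://, hxxxxxp://) so the URL parses."""
    return re.sub(r"^h[tx]+p(s?)://", r"http\1://", url.strip(), flags=re.I)


def registrable_domain(host):
    """Return the suffix plus one label, e.g. shellbells.com.au."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_url(url):
    """Classify a URL as brand-owned, lookalike, or unrelated."""
    host = (urlsplit(refang(url)).hostname or "").rstrip(".")
    reg = registrable_domain(host)
    result = {"host": host, "registrable": reg, "brand": None}
    if reg in BRAND_DOMAINS:
        return {**result, "verdict": "brand-owned", "brand": reg}
    # Only the labels left of the registrable domain are attacker-chosen text.
    prefix = host[: len(host) - len(reg)].rstrip(".")
    for brand in BRAND_DOMAINS:
        # Brand must start at a label boundary and be followed by '.', '-' or end.
        if re.search(r"(^|\.)" + re.escape(brand) + r"($|[.\-])", prefix):
            return {**result, "verdict": "lookalike", "brand": brand}
    return {**result, "verdict": "unrelated"}


if __name__ == "__main__":
    # The defanged URL exactly as quoted in the article.
    sample = ("hxxxxxp://apps.apple.com-account-cancel.shellbells.com.au/"
              "?/cgi-bin/WebObjects/MyAppleId.woa/")
    print(check_url(sample))
```

The check keys on the registrable domain rather than on the presence of a brand string, so a brand name that appears only in the path or query is not flagged by it.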


Forcepoint-authored blog posts are based on discussions with customers and additional research by our content teams.
