Watch out for the 'Thank You for Your Order' Apple Scam
Some cybercrime campaigns are so effective that every now and again, hackers and online scammers decide to reuse them. This is apparently the case with one of the many phishing scams targeting Apple users. The campaign was first witnessed back in 2016, but researchers from ESET's Latin American arm recently saw it resurface. For the time being, it appears to be targeting Spanish-speaking users only, and it must be said that some of the social engineering used by it is pretty good.
Phishers try to fool victims into thinking that they've bought a wallpaper pack
The emails are designed to look like they come from Apple, and the formatting resembles an invoice. Sure enough, the subject says "Thank you for your order," and the body tells the user that a pack of wallpapers and themes has been purchased through their account. The details are well thought through.
The victims are unlikely to be in desperate need of a set of wallpapers, especially given the price, which, the email states, is a little over €11. Chances are, the recipient will be eager to click the "Cancel now" link.
The phishing campaign tries to pry tons of personal information from users
If they do, they'll land on what appears to be a very convincing login page, which requests their Apple ID and password. As you might imagine, any data that is entered into the fields is sent directly to the phishers, and normally, they'd be pretty happy with having the victims' login credentials. In this case, however, they have decided to try and get more details from their victims.
After the username and password are entered, victims see an alert saying that their account has been locked for security reasons. To unlock it, the victim must fill in their physical address, payment details, and even their credit card's security code. Finally, the phishing page tells the user that in order to verify their identity, it's going to need a selfie, and photos of the victim's ID document and credit card.
The campaign has many flaws
The phishers apparently started sending out the fake emails last week, and the domain used to host the phishing pages was registered mere days before the beginning of the campaign. As we mentioned already, however, the rest of the components were first spotted back in 2016, and the scammers' decision to revive this particular phishing campaign is a bit strange because it's not exactly perfect.
Indeed, the social engineering tricks look like they might work, but there are a number of other factors that can make people suspicious. The sheer volume of the requested personal information, for example, could raise quite a lot of eyebrows, and there are classic mistakes that can tip you off.
The phishing page does look convincing, but it's not delivered through HTTPS, something most modern browsers make pretty visible. What's more, although it looks convincing, the email does contain a couple of grammatical mistakes. The phishers were also apparently too distracted when they were auto-translating the content: most of the message is in Spanish, but one of the paragraphs is in Portuguese.
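The tell-tale signs described above (a link that isn't HTTPS, a domain registered days before the campaign, and a message that switches from Spanish to Portuguese) can be checked mechanically. The following is an added example, not code from ESET or from the original article; the stopword lists, the 30-day threshold, the sample message, and the host name and dates are all constructed for illustration, and the registration date is assumed to come from a WHOIS/RDAP lookup done elsewhere.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Small stopword sets constructed for this example; words common to both languages are omitted.
ES = {"el", "la", "los", "las", "y", "su", "una", "usted", "gracias", "ahora", "pedido", "con", "del"}
PT = {"os", "as", "seu", "sua", "uma", "você", "obrigado", "agora", "não", "com", "do", "em"}

def paragraph_language(text):
    """Return 'es', 'pt' or None (too little evidence) for one paragraph."""
    words = re.findall(r"[^\W\d_]+", text.lower())
    es = sum(w in ES for w in words)
    pt = sum(w in PT for w in words)
    if max(es, pt) < 2 or es == pt:
        return None
    return "es" if es > pt else "pt"

def triage(body, links, registered, today, max_age_days=30):
    """List the warning signs found. `registered` maps host -> registration date
    (assumed to come from a WHOIS/RDAP lookup done elsewhere)."""
    findings = []
    for link in links:
        url = urlparse(link)
        if url.scheme != "https":
            findings.append(f"no-https:{url.hostname}")
        reg = registered.get(url.hostname)
        if reg is not None and (today - reg).days < max_age_days:
            findings.append(f"new-domain:{url.hostname}")
    # Classify each paragraph separately so a single foreign paragraph stands out.
    langs = {paragraph_language(p) for p in body.split("\n\n")} - {None}
    if len(langs) > 1:
        findings.append("mixed-language:" + "+".join(sorted(langs)))
    return findings

# Constructed sample message, not the real lure; the host uses the reserved .example TLD.
SAMPLE_BODY = (
    "Gracias por su pedido. El paquete de fondos y temas se ha comprado con su cuenta.\n\n"
    "Se você não fez esta compra, cancele agora com o link abaixo.\n\n"
    "Si usted no hizo la compra, cancele ahora."
)
SAMPLE_LINKS = ["http://apple-billing.example/cancel"]
SAMPLE_REGISTERED = {"apple-billing.example": date(2024, 5, 1)}  # constructed date

if __name__ == "__main__":
    for finding in triage(SAMPLE_BODY, SAMPLE_LINKS, SAMPLE_REGISTERED, date(2024, 5, 6)):
        print(finding)
```

Each finding on its own is weak evidence; it is the combination that marks a message for closer inspection.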
All in all, this is far from the best phishing campaign we've ever seen, but the fact that the scammers have set it into motion means that they believe it is good enough to catch some people out. Underestimating the threat can bring you nothing but headaches.