A recently discovered email phishing campaign was found targeting Apple ID credentials, while using AES encryption to thwart active countermeasures against their malicious website.
In a May 10 blog post, researchers from Trend Micro report that between April 23 and May 1 the crafty operators spammed users with emails purporting to be business proposals or warnings about locked accounts. During that time, detections were most common in the U.S. (32 percent), followed by Venezuela (18%) and Germany (14%).
In one example the email falsely informed victims that their accounts were limited due to unusual activity, prompting them to click a button that takes them to a linked page where they can update their payment information. This page appears to be Apple's online log-in page, but it is merely a convincing forgery.
After victims enter their Apple IDs and passwords, the phishing site display a message stating "You account has been locked," along with another button to "Unlock Account Now." Clicking that sends victims to another page where they are asked to verify their accounts by entering personal information and credit card details. Once that information is entered, the victims are sent to the real Apple website.
The criminals behind the website took steps to protect their malicious assets. For starters, they made sure to correctly set their web directory permissions, so that researchers would be unable to access any information from their web server files. Moreover, the adversaries encrypted with site with an AES algorithm.
Therefore, "The only way to spot this threat is via reputation services that identify the sender as malicious," explains the Trend Micro post, authored by researcher Jindrich Karasek. "The unique way that this phishing scam used AES makes it difficult to detect malicious activity. The phishing site was able to bypass some anti-phishing tools incorporated in antivirus solutions for home and business from various vendors."
Still, the campaign did leave some clues of malicious activity for more observant users. For example, a close look at the malicious web pages' URLs clearly showed they were not affiliated with Apple. Also, legitimate emails from companies generally don't ask for sensitive, confidential information.
Trend Micro says the "locked account" scam may be particularly attractive to criminals at this time due to recent GDPR initiatives and data breach incidents that are causing companies to sending emails to users, asking them to update their profiles and boost security measures.
"The emails from the different companies usually look the same, containing a standard greeting and message explaining the reason for updating the policy, as well as a very visible button to click," reports Karasek. "Because many of these emails have been sent -- and continue to be sent -- it comes as no surprise that malicious actors are trying to take advantage of this email wave by sending phishing pages to users. These actors are getting quite good at impersonating major companies, and they usually try to masquerade as legitimate 'user policy update' emails."