FireEye has observed phony Apple domains registered during the first quarter of 2016 used to execute phishing attacks against Apple iCloud users located in China and the U.K., according to a FireEye blog post that details campaigns referred to as Zycode (aimed at Chinese users) and “British Apples Gone Bad” (targeting U.K. users).
“In the past we have observed several phishing domains targeting Apple, Google and Yahoo users; however, these campaigns are unique as they are serving the same malicious phishing content from different domains to target Apple users,” the researchers wrote, noting that since January they've “observed several phishing campaigns targeting the Apple IDs and passwords of Apple users.”
Since iCloud uses a central Apple ID and an easy interface for information sharing – as well an iCloud Keychain that lets users store passwords and credit card data – “anyone with access to an Apple ID, password and some additional information, such as date of birth and device screen lock code, can completely take over the device and use the credit card information to impersonate the user and make purchases via the Apple Store,” they noted.
An analysis of the Zycode campaign shows attackers trying to mimic popular Apple websites like iTunes. “Most of these domains appeared as an Apple login interface for Apple ID, iTunes and iCloud,” the researchers wrote. “The domains were serving highly sophisticated, obfuscated and suspicious JavaScripts, which was creating the phishing HTML content on the web page.”
They called the campaign “unique as a simple GET request to any of these domains results in an encoded JavaScript content in the response, which does not reveal its true intention unless executed inside a web browser or a JavaScript emulator.”
Because an encoded string strHTML “goes through a complex sequence of around 23 decrypting/decoding functions that include number system conversions, pseudo-random pattern modifiers followed by XOR decoding using a fixed key or password ‘zycode'” to create the HTML phishing content, the researchers said that “phishing detection systems that rely solely on the HTML in the response section will completely fail to detect the code generated using this technique.”
Users who enter a login and password are redirected to a phony Chinese Apple page, where they're instructed to “Verify your birth date or your device screen lock to continue” then prompted to answer three security questions.
In the U.K. campaign, researchers uncovered numerous Apple domains, “serving the same phishing content.” Browsers are redirected to a URL that “loads a highly obfuscated JavaScript in the web browser that, on execution, generates the phishing HTML code at runtime to evade signature-based phishing detection systems.” Potential victims ultimately led to a phony but realistic-looking Apple page where they're informed that their Apple IDs have been locked and they must unlock them. Once unlock is clicked, a victim is led to a profile.php page and asked to provide personal information such as name, credit card information and security questions.
Upon submission, victims receive notice that the IDs have been unlocked. The researchers noted that all of the “domains used the whois privacy protection feature.”
FireEye called a few of the campaigns “particularly interesting” because they employed “sophisticated evasion techniques, geographical targets, and because the same content was being served across multiple domains, which indicates the same phishing kits were being used.”
