Intel Security Mobile Research recently found an active phishing campaign targeting iOS users via SMS messages. The message tells users that their Apple accounts have been temporarily locked, to trick them into visiting a phishing site that steals their real Apple credentials. Here is an example of an SMS message from this campaign:
The message pretends to be an email using familiar fields such as FRM, SUBJ, and MSG. According to bit.ly, the shortened URL in the preceding message was created on July 27 and points to a PHP file in a hacked website:
The PHP file redirects victims to another hacked website with a web page that pretends to be from Apple and tells users that their Apple accounts have been temporarily locked and that they need to “safely” re-confirm the account information by clicking on a link that appears to go to Apple:
The fake website also threatens victims with the closure of their accounts if the “verification” is not done before a specific date (in this case July 28, which confirms that the campaign is active). The bogus notice includes a message in red asking readers to mark the message as “Not Spam,” suggesting that this site was initially prepared to target users via email. Users who click on the link are redirected to an “Apple” phishing site that will steal the credentials:
According to bit.ly, the shortened link in the smishing message has been clicked more than 1,700 times, mostly on July 27:
The origin of most of the clicks is from the United States:
Another active campaign started on July 22 with the following SMS:
In this case, the campaign has achieved almost 6,000 clicks, most of them on July 22:
Again, most of the clicks are from the United States:
Previous campaigns (no longer active) offered more specific messages about the suspension of an Apple account but always used the same email template (FRM, SUBJ, and MSG):
MSG:i>¿Your iTunes has been suspended until this process is completed <phishing_url>
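The traits these campaigns share (the email-style FRM/SUBJ/MSG template, an Apple account-lock lure, and a link that is shortened or leaves Apple's domains) can be checked together on an SMS gateway or in a mail-to-SMS filter. The following is an added example, not code from Intel Security; the shortener list, the Apple domain list, the lure vocabulary and all sample messages are assumptions constructed for illustration.

```python
import re

# Email-style field markers the campaign embeds in the SMS body.
FIELD_RE = re.compile(r"\b(FRM|SUBJ|MSG):")
# Host of any link, with or without an explicit scheme.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
# Assumption: lure words taken from the wording quoted in the article.
LURE_RE = re.compile(r"\b(locked|suspended|verif\w*|re-?confirm\w*)\b", re.I)
BRAND_RE = re.compile(r"\b(apple|itunes|icloud)\b", re.I)
# Assumption: short illustrative lists; extend both for real use.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "ow.ly", "t.co"}
APPLE_DOMAINS = ("apple.com", "icloud.com")


def is_apple_host(host):
    """True only for an Apple domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in APPLE_DOMAINS)


def sms_signals(body):
    """Return the list of smishing signals found in one SMS body."""
    signals = []
    if set(FIELD_RE.findall(body)) == {"FRM", "SUBJ", "MSG"}:
        signals.append("template")
    branded = bool(BRAND_RE.search(body))
    if branded and LURE_RE.search(body):
        signals.append("lure")
    hosts = [h.lower() for h in HOST_RE.findall(body)]
    if any(h in SHORTENERS for h in hosts):
        signals.append("shortener")
    elif branded and any(not is_apple_host(h) for h in hosts):
        signals.append("off-brand-link")
    return signals


def is_suspicious(body):
    """Flag when a link signal coincides with at least one content signal."""
    signals = sms_signals(body)
    has_link = "shortener" in signals or "off-brand-link" in signals
    return has_link and len(signals) >= 2


# Constructed sample messages (not captured from the campaign).
SAMPLES = [
    "FRM:Apple Support SUBJ:Account Notice MSG:Your Apple account has been "
    "temporarily locked. Verify now: http://bit.ly/EXAMPLE",
    "FRM:iTunes SUBJ:Notice MSG:Your iTunes has been suspended until this "
    "process is completed http://itunes-check.example/login",
    "Your Apple ID was used to sign in on a new device. Review it at "
    "https://appleid.apple.com",
    "Reminder: dentist appointment Tuesday 3pm. Reply C to confirm.",
]
```

Requiring a link signal plus a content signal keeps genuine Apple notifications and ordinary texts that merely mention the brand from being flagged.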
Most of the time cybercriminals do not need advanced exploits and attacks to gain unauthorized access to systems or accounts. A phishing website and message can be enough to obtain credentials from victims and get full access to accounts.
How can you protect yourself from this type of attack? In general, be suspicious of any unwanted SMS messages from unknown numbers and think before you click. Do some research and save yourself a lot of grief.