Active iOS Smishing Campaign Stealing Apple Credentials

Intel Security Mobile Research recently found an active phishing campaign targeting iOS users via SMS messages. The message tells users that their Apple accounts have been temporarily locked, to trick them into visiting a phishing site that steals their real Apple credentials. Here is an example of an SMS message from this campaign:

[Screenshot: SMS message from the campaign]

The message pretends to be an email, using familiar fields such as FRM, SUBJ, and MSG. According to bit.ly, the shortened URL in the preceding message was created on July 27 and points to a PHP file on a hacked website:

[Screenshot: bit.ly details for the shortened link]

The PHP file redirects victims to another hacked website with a web page that pretends to be from Apple and tells users that their Apple accounts have been temporarily locked and that they need to “safely” re-confirm the account information by clicking on a link that appears to go to Apple:

[Screenshot: fake Apple "account locked" notice on the second hacked website]

The fake website also threatens victims with the closure of their accounts if the “verification” is not done before a specific date (in this case July 28, which confirms that the campaign is active). The bogus notice includes a message in red asking readers to mark the message as “Not Spam,” suggesting that this site was initially prepared to target users via email. Users who click on the link are redirected to an “Apple” phishing site that will steal the credentials:

[Screenshot: "Apple" credential phishing page]

According to bit.ly, the shortened link in the smishing message has been clicked more than 1,700 times, mostly on July 27:

[Screenshot: bit.ly click statistics for the first campaign]

Most of the clicks originate from the United States:

[Screenshot: bit.ly clicks by country for the first campaign]

Another active campaign started on July 22 with the following SMS:

FRM:apps
SUBJ:New message
MSG:i>¿Urgent!! <phishing_url>

In this case, the campaign has reached almost 6,000 clicks, most of them on July 22:

[Screenshot: bit.ly click statistics for the second campaign]

Again, most of the clicks are from the United States:

[Screenshot: bit.ly clicks by country for the second campaign]

Previous campaigns (no longer active) used more specific messages about the suspension of an Apple account, but always the same email-style template (FRM, SUBJ, and MSG):

FRM:<number>@text.att.net
SUBJ: New
MSG:i>¿Your iTunes has been suspended until this process is completed <phishing_url>
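As an added example (not code from the original post), a small Python classifier that flags SMS text matching the FRM/SUBJ/MSG email-style template when it also carries a link and the lure wording seen in these campaigns; the sample messages are constructed, and the shortened URLs in them are placeholders, not the campaign's real links:

```python
import re
from dataclasses import dataclass

# Constructed sample messages modelled on the templates quoted above.
# The bit.ly paths are placeholders, not real campaign links.
SAMPLE_SMS = [
    "FRM:apps\nSUBJ:New message\nMSG:i>\u00bfUrgent!! http://bit.ly/EXAMPLE1",
    "FRM:5551234@text.att.net\nSUBJ: New\nMSG:i>\u00bfYour iTunes has been "
    "suspended until this process is completed http://bit.ly/EXAMPLE2",
    "Your parcel is out for delivery today between 9am and 1pm.",
    "FRM:mom\nSUBJ:dinner\nMSG:see you at 7",  # benign email-to-SMS relay
]

# Email-style header template: one FRM line, one SUBJ line, then the body.
TEMPLATE_RE = re.compile(
    r"\AFRM:(?P<frm>[^\n]*)\nSUBJ:[ \t]*(?P<subj>[^\n]*)\nMSG:(?P<msg>.*)\Z", re.S
)
URL_RE = re.compile(r"https?://\S+|\b(?:bit\.ly|goo\.gl|tinyurl\.com)/\S+", re.I)
# Account-threat wording used by the lures described in the post.
LURE_WORDS = ("locked", "suspended", "urgent", "verify", "confirm")
ARTIFACT = "i>\u00bf"  # stray encoding bytes that open the campaign's MSG field


@dataclass
class Verdict:
    suspicious: bool
    reasons: list


def parse_template(text):
    """Return the FRM/SUBJ/MSG fields, or None if the SMS is not in that shape."""
    m = TEMPLATE_RE.match(text)
    return {k: v.strip() for k, v in m.groupdict().items()} if m else None


def analyze_sms(text):
    """Score one message: template + link + (artifact or lure wording) => suspicious."""
    fields = parse_template(text)
    if fields is None:
        return Verdict(False, [])
    reasons = ["email-style FRM/SUBJ/MSG template"]
    body = fields["msg"]
    has_artifact = body.startswith(ARTIFACT)
    if has_artifact:
        reasons.append("'i>\u00bf' artifact at start of MSG")
    has_url = bool(URL_RE.search(body))
    if has_url:
        reasons.append("URL in body")
    hits = [w for w in LURE_WORDS if w in body.lower()]
    if hits:
        reasons.append("lure wording: " + ", ".join(hits))
    # The template alone is normal for carrier email-to-SMS gateways; require a link too.
    return Verdict(has_url and (has_artifact or bool(hits)), reasons)
```

`analyze_sms` returns the reasons alongside the verdict so an analyst can see which indicators fired on a given message.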

Most of the time, cybercriminals do not need advanced exploits to gain unauthorized access to systems or accounts. A phishing website and a convincing message can be enough to obtain credentials from victims and take full control of their accounts.

How can you protect yourself from this type of attack? In general, be suspicious of any unsolicited SMS message from an unknown number, and think before you click. Do some research and save yourself a lot of grief.
