Active iOS Smishing Campaign Stealing Apple Credentials


McAfee Mobile Research recently found an active phishing campaign targeting iOS users via SMS messages. The message tells users that their Apple accounts have been temporarily locked, to trick them into visiting a phishing site that steals their real Apple credentials. Here is an example of an SMS message from this campaign:


The message pretends to be an email, using familiar fields such as FRM, SUBJ, and MSG. According to, the shortened URL in the preceding message was created on July 27 and points to a PHP file on a hacked website:

The PHP file redirects victims to another hacked website with a web page that pretends to be from Apple and tells users that their Apple accounts have been temporarily locked and that they need to “safely” re-confirm the account information by clicking on a link that appears to go to Apple:

The fake website also threatens victims with the closure of their accounts if the “verification” is not done before a specific date (in this case July 28, which confirms that the campaign is active). The bogus notice includes a message in red asking readers to mark the message as “Not Spam,” suggesting that this site was initially prepared to target users via email. Users who click on the link are redirected to an “Apple” phishing site that will steal the credentials:

According to, the shortened link in the smishing message has been clicked more than 1,700 times, mostly on July 27:

Most of the clicks come from the United States:


Another active campaign started on July 22 with the following SMS:
SUBJ:New message
MSG:i>¿Urgent!! <phishing_url>
In this case, the campaign has achieved almost 6,000 clicks, most of them on July 22:

Again, most of the clicks are from the United States:

Previous campaigns (no longer active) offered more specific messages about the suspension of an Apple account but always used the same email template (FRM, SUBJ, and MSG):

MSG:i>¿Your iTunes has been suspended until this process is completed <phishing_url>
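
The FRM/SUBJ/MSG template described above can be used as a filtering signal. The following is an added example, not code from McAfee or from the original article: a small scorer that parses the pseudo-email fields out of an SMS body and counts the traits these campaigns share. The shortener host list, the scoring scheme, the function names and the sample hosts are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed, non-exhaustive list of URL-shortener hosts (not from the article).
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "ow.ly", "t.co"}
# Lure wording taken from the messages and pages quoted in the article.
LURE_WORDS = ("urgent", "suspended", "locked", "verification")
# Pseudo-email field markers the campaign places in the SMS body.
FIELD_RE = re.compile(r"\b(FRM|SUBJ|MSG):", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
# Byte-order mark: raw, mis-decoded, or in the "i>¿" form the article shows.
BOM_RE = re.compile("^(?:\ufeff|\u00ef\u00bb\u00bf|i>\u00bf)\\s*")


def parse_fields(sms_body):
    """Split an SMS body into its FRM/SUBJ/MSG pseudo-email fields."""
    fields = {}
    marks = list(FIELD_RE.finditer(sms_body))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sms_body)
        value = sms_body[m.end():end].strip()
        fields[m.group(1).upper()] = BOM_RE.sub("", value)
    return fields


def score_sms(sms_body, shorteners=SHORTENER_HOSTS):
    """Return (score, reasons); each matched campaign trait adds one point."""
    fields = parse_fields(sms_body)
    reasons = []
    if "MSG" in fields and ("SUBJ" in fields or "FRM" in fields):
        reasons.append("email-style fields in SMS")
    text = " ".join(fields.values()) or sms_body
    urls = URL_RE.findall(text)
    if urls:
        reasons.append("contains link")
    if any((urlparse(u).hostname or "").lower() in shorteners for u in urls):
        reasons.append("shortened link")
    if any(word in text.lower() for word in LURE_WORDS):
        reasons.append("urgency or account-lock wording")
    return len(reasons), reasons


# Constructed sample messages; all hosts are placeholders, not real indicators.
TEMPLATE_SMS = ("FRM:sender@example.test\nSUBJ:New message\n"
                "MSG:i>\u00bfUrgent!! http://short.example/a1b2")
BENIGN_SMS = "Your table is booked for 7pm. See you soon!"

if __name__ == "__main__":
    print(score_sms(TEMPLATE_SMS, shorteners={"short.example"}))
    print(score_sms(BENIGN_SMS))
```

A score is a triage hint, not a verdict: legitimate email-to-SMS gateways also produce FRM/SUBJ/MSG bodies, so the field check is best combined with the link and wording checks.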

Most of the time, cybercriminals do not need advanced exploits and attacks to gain unauthorized access to systems or accounts. A phishing website and message can be enough to obtain credentials from victims and get full access to accounts.

How can you protect yourself from this type of attack? In general, be suspicious of any unwanted SMS messages from unknown numbers and think before you click. Do some research and save yourself a lot of grief.

Categories: McAfee Labs