Phishing targetting Apple users

In recent days, an email that supposedly came from the U.S. Company Apple Inc. was apread. The email was addressed to the company's customers with the subject "Please confirm your information". Below the message:




The email contains two links that redirect to a fake Apple website hosted in Spain. In the message, the user is informed about a procedure that verifies user’s identity in case that he/she have forgotten the password. Below the phishing site home page:




In order to see the behavior of the login form, UNAM-CERT members interact with the web site by clicking on “Forgot your Apple ID” and “Forgot your password” options, with both of them showing the error message "404 Not Found".




As a test, false information was entered on the login form:




Network traffic shows that the request is made using POST method, and the variables that store the data for “Apple ID” and “Password” are “theAccountName” and “theAccountPW” respectively.




Once the user is authenticated in the phishing site, it shows up another form, in which, the site request more information. The image below shows a form filled with fake data:





When the user completes the form and submits it, the goal of the attacker is achieved, obtaining user’s credit card number and security code. Below, in the network traffic, it is showed where the data from the second form is sent:




UNAM-CERT strongly recommends all users to be cautious when receiving emails of supposed offers, confirmation of user accounts, attachments or any other suspicious mail. Even if it comes from a trusted sender, it could be unwittingly spreading malware. As far as possible, users should avoid click on this kind of links or pictures. If the email advertises a deal, UNAM-CERT recommends the use of a search engine, accesing directly to the official website, or contacting the entity by making a phone call.