Cybercrooks are SMiShing for your Apple Credentials

SMiShing is another one of those fantastic terms on the internet that drives spell-check, autocorrect and English teachers crazy. SMiShing is related to “phishing” in that it’s an attempt by a cybercriminal to trick an unaware person into clicking on a malicious link. This link could lead to a virus or other type of malware, or to a site that attempts to trick someone into providing personal information like usernames and passwords. The difference is that SMiShing is short for “SMS phishing.” In other words, it’s phishing in the form of a text message.

The mobile research team of McAfee Labs recently uncovered an active SMiShing campaign targeting iPhone users. The campaign starts with a text message telling users that their account has been temporarily locked and that they have to click on a link to unlock it. Clicking on the link takes the user to another site that gives all sorts of ominous warnings about the impending closure of their Apple account. A link from that page then sends the user to a counterfeit Apple ID login. Information entered in the “Apple ID” and “Password” fields will be collected by the cybercriminals to gain access to the user’s Apple account. Since many people reuse their passwords for multiple sites, the credentials collected may find their way into a database of usernames and passwords to be resold on the Dark web.

How to spot SMiShing

According to our research, this is a campaign that has been changed and repeated a couple times already, so it’s definitely something people need to keep an eye out for.  Let’s take a look at some of the things to watch for to spot a similar SMiShing attack.

1: The method – You’ve probably had to re-enter your iCloud or Apple ID password before on your iPhone or iPad. Think about how that process went. Did Apple send you a text message letting you know to do that? No; you were most likely presented with a pop-up telling you to enter your password. Try this: On your iOS device open the “Messages” app. Now in the search box, type “Apple.” When I did this, the only text messages from Apple were those telling me an order from Apple had shipped. I suspect you will have the same results.

2: The content – Phishing (and SMiShing) attacks rely heavily on putting out a large volume of messages in hopes of increasing the chance of getting in front of someone who will actually click on the link.  Oftentimes the cybercriminals will repurpose code from a previous attack.  In this case, you can see the standard email fields of “from,” “subject” and “message.”  Clearly this code was being reused from an email phishing campaign and they didn’t bother to change the content.  When is the last time you got a text with a subject line?

3: The webpage – Take a look at the webpage used in this SMiShing attempt. There are a couple points to notice. First off, the URL is not Apple.com. That should be a real giveaway. However, the URL isn’t the only clue. Think about Apple. The first thing that usually comes to mind is their clean design. Now take a look at the SMiShing landing page. Multiple colored fonts and sizes, centered text. There are all sorts of stylistic issues with this page that would make most Apple designers have a heart attack.
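For readers who filter or triage reported texts, the content and URL clues above can be checked automatically. This is an added example, not code from McAfee Labs or the original post; the sample messages, the field labels matched, and the `.example` domain are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: only apple.com and its subdomains count as genuine Apple hosts.
TRUSTED_DOMAIN = "apple.com"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Email-style field labels that should never appear in a real text message.
EMAIL_FIELD_RE = re.compile(r"\b(from|subject|message)\s*:", re.IGNORECASE)
BRAND_RE = re.compile(r"\b(apple|icloud)\b", re.IGNORECASE)


def is_apple_host(url):
    """True only when the URL's real host is apple.com or a subdomain of it."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed URL: treat as untrusted
        return False
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def triage_sms(body):
    """Return the warning signs found in one SMS body (empty list = none)."""
    findings = []
    # Clue 2: leftover email fields in a text message.
    fields = {m.lower() for m in EMAIL_FIELD_RE.findall(body)}
    if len(fields) >= 2:
        findings.append("email-style fields: " + ", ".join(sorted(fields)))
    # Clue 3: the text talks about Apple but the link goes somewhere else.
    if BRAND_RE.search(body):
        for url in (u.rstrip(".,)") for u in URL_RE.findall(body)):
            if not is_apple_host(url):
                host = urlsplit(url).hostname or "?"
                findings.append("link host is not apple.com: " + host)
    return findings


# Constructed sample messages (not taken from the real campaign).
SAMPLES = [
    "From: Apple Subject: Account locked Message: Your Apple ID is temporarily "
    "locked. Unlock at http://appleid.apple.com.account-unlock.example/login",
    "Your order from Apple has shipped. Track it at https://www.apple.com/shop/order/list",
    "Lunch at noon?",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms) or "no warning signs", "<-", sms[:40])
```

Note that the host check compares the end of the hostname, so a link that merely contains “apple.com” somewhere in the address is still flagged.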

How to stay safe

Phishing and SMiShing are pretty much here to stay and it’s something every person who uses the internet needs to be wary of.  Here are some ways you can be better prepared the next time one of these rolls your way to avoid being compromised.

1: Be Skeptical – It’s important to note that this SMiShing campaign did not involve an actual virus. It relied completely on cybercriminals attempting to trick someone into clicking on a link and giving away their credentials. By taking a moment to stop and think before clicking a link, you can keep yourself safe from these sorts of threats. If someone sends you a link out of the blue, don’t click it. If you’d like more tips on suspicious things to watch out for, check out my blog on how to spot a phishing email.

2: Go Straight to the Source – If you get an email or a text telling you that you need to verify your Apple ID, don’t click on the link supplied. Go straight to your browser and type in appleID.apple.com. This will take you directly to Apple’s page for managing your account. If you can’t remember the “appleID” part of the address, just go to Apple.com, click on the bag icon in the top right corner and click “Sign in.” If there’s really a problem with your Apple ID, you’ll find out during the sign in process.

3: Update Your Apps and Device – Phishing campaigns either try to trick you into giving away information or they try to install malware on your device (or both!).  While this particular threat did not use malware, there have been bugs in the past that could be exploited.  Apple has a good track record of quickly releasing security updates when there is an issue, so make sure to always keep your device up to date to help stay safe.

If you’d like more in-depth information on the nuts and bolts of this SMiShing campaign, please read the blog McAfee Labs released a couple days ago. These sorts of threats are here to stay, but a discerning eye combined with good security practices can help keep you safe.

Stay on top of the latest consumer and mobile security threats by following me and @IntelSec_Home on Twitter, and ‘Like’ us on Facebook.

Stay safe!