Internet con artists quickly jumped on the news of a data breach at Apple's developer website to launch a phishing campaign aimed at relieving users of their online credentials.
The phishing campaign is addressed to Apple customers and masquerades as a confirm-your-account information letter. The message includes a disguised malicious link to a website where sensitive information can be stolen from users.
The campaign is apparently aimed at exploiting the widely-publicized breach of Apple's Development Center website attributed to Turkish security researcher Ibrahim Balic. Although he denies any malicious intent, his downloading of 100,000 user records from the site has been criticized by some security experts as unethical.
"He acted highly unethically by downloading that much data," Ragib Hasan, an assistant professor in the computer and information sciences department at the University of Alabama at Birmingham, said in an interview.
Phishing attacks on Apple users aren't new, although they have been growing in recent years. Nadezhda Demidova, of Kaspersky Lab, reported in June that on an average day, Apple phishing sites attract some 200,000 users. Two years ago, traffic at such sites averaged ,1000 visits per day.
The rise in Apple-themed phishing attacks has been noticed by other security researchers. "Over the past few months, we have seen a constant stream of phishing scams targeting the Apple community," Alex Watson, director of security research at Websense, said via email.
While this week's phishing campaign was crafted to snare Apple users, it wasn't the kind of spear-phishing attack that would be launched by someone with a boatload of stolen email addresses from an Apple website. "The particular scams that we have seen in the past few days appear to be focused on phishing only," Watson said.
"This recent campaign is relatively low volume and not specifically targeted toward Apple users," he added. "In this manner, the recent attacks do not appear to be particularly advanced or novel."
Crafting phishing campaigns that exploit data breaches is standard-operating-procedure for phishers. "We've seen these piggy-back attacks for at least five years," Dave Jevans, chairman and CTO of Marble Security, said in an interview.
For example, Jevans noted, "When a credit card processor gets hacked, we'll see fake emails instructing people on protecting themselves from the breach."
He's also seen campaigns aimed at iTunes account holders. Besides allowing a byte bandit to run up a bill buying music and other media from Apple's online outlet, he noted, compromised iTunes accounts serve another purpose for online thieves.
"You can use it to test the validity of credit cards you got from somewhere else," Jevans explained. If a criminal can complete a transaction at the iTunes Store with a stolen credit card number, they know the number is good and can fence it for more money in the underground market.
Although the recent spam campaign wasn't directed specifically at developers, if it lands in a developer's inbox, it's easy to understand why it might catch them with their guard down: Apple shut down the developer site without warning or explanation for four days.
"With anxious developers waiting impatiently for their portal access to be restored, it is fairly normal for them to have a lack of endurance during this difficult time of no portal access," Tommy Chin, a technical support engineer for Core Security, said in an email.
"After all this downtime," he said, "developers are most likely upset and worried about their account. Therefore, a password reset e-mail that looks like it came from Apple would create a stress-relieving feeling for the developers who can't sleep at night."
While the vulnerability at the developers site became public just this week, no one knows whether hackers had discovered it before Balic. That could have serious consequences because it could allow digital desperadoes to mount "ice phishing" attacks tied to the site.
Ice phishing is similar to spear phishing, but instead of redirecting a target to a bogus website masquerading as legitimate, the target goes to a legitimate website that's been compromised and can infect incoming traffic with malware.
"Many corporations are using browser security technologies with filters that screen out illegitimate websites," Tom Kellermann, vice president of cyber security for Trend Micro, said in an interview. "But in the ice phishing context, a legitimate website is used to avoid those filters.
"What we have to ask [is] was this more than just a snatch and grab of accounts or was it used as a watering hole attack for the 12 hours that it was vulnerable?" Kellermann added. "We have to ask not whether or not we will be phished because we're an app developer, but whether we're already owned by hackers because the site became a watering hole and then an ice phishing reservoir."