Hackers launch Apple ID phishing campaign playing on iCloud security worries

The hackers behind the Kelihos botnet are trying to capitalize on users’ increased awareness about the security of Apple online accounts through a new phishing campaign.

According to security researchers from Symantec, the Kelihos botnet has started sending spam emails that purport to be security alerts from Apple informing recipients that a purchase was made using their Apple ID from the iTunes Store. Apple IDs are the accounts that customers use to access Apple’s online services.

The rogue emails bear the subject “Pending Authorisation Notification” and claim that the purchase was made from a computer or a device not previously linked to the user’s Apple ID, the Symantec researchers said Friday in a blog post. The emails list an IP (Internet Protocol) address from where the purchase was allegedly initiated and a corresponding physical location of Volgograd, Russia, they said.

The fake messages instruct users to click on a link if they didn’t initiate the purchase. The link leads to a phishing site that masquerades as the Apple ID log-in page and harvests credentials inputted by users for later misuse.

The use of fake security alerts as phishing bait is not a new technique. However, because this particular attack comes shortly after a widely publicized event where a number of celebrities had their iCloud accounts broken into, it might trick a larger number of users than a typical phishing campaign.

One week ago news broke out that hackers stole nude photographs from the iCloud accounts of a number of female actresses and models and leaked some of them on public websites.

There was initial speculation that the leaks might have been the result of a brute-force password guessing attack via the “Find My Phone” feature, but Apple later said that the leaks were the result of a “a very targeted attack on user names, passwords and security questions” and not that of a breach of the company’s cloud-based systems.

The incident received so much attention online and in the media that it even prompted a response from Apple CEO Tim Cook, who told the Wall Street Journal that the company will start sending security notifications to users via email and push messages when iCloud account changes occur.

“It is possible that the timing of the [phishing] campaign is not a coincidence and the controllers of the botnet are attempting to exploit public fears about the security of Apple IDs to lure people into surrendering their credentials,” the Symantec researchers said.

The Kelihos botnet authors are adept at exploiting current events. In August they launched a spam campaign that encouraged Russian-speaking users to install a program on their computers so they can be used in distributed denial-of-service (DDoS) attacks against Western government websites in response to the recent international sanctions against Russia. The emails actually linked to a variant of the Kelihos malware, not a DDoS program.

To prevent unauthorized access to their accounts even when their user names and passwords are compromised, users are advised to turn on two-step authentication for their Apple ID accounts.