[UPDATED] Phishing Email : [Notice] : Apple Statement account update information login to re-active

I sometimes receive email samples from users (thank you!) to analyse. This time it is an Apple phishing email asking the user to verify her Apple account (snippet below).

The email appears to come from “94.249.236.102” using the SMTP relay of “cloud9-netdesk[.]com”. The latter seems to use Google as its registrar and is no longer live.

http://whois.domaintools.com/94.249.236.102
http://whois.domaintools.com/cloud9-netdesk.com

The “Log In” button within the body of the email points the user to a URL-shortener service (in this case “http://ow[.]ly/6O4530buRqh”).

The URL first redirects the user to “hxxp://www.instinct-24[.]de/modules/vm_advancedconfigurator/views/img/backgrounds/cache/link2.php” and eventually to “hxxp://appleid.apple-support-update-account.mulungmak[.]com”, which is the Apple phishing website trying to steal your Apple credentials.

The phishing domain was registered on the 6th of May 2017.

Once the user submits the username and password, an error message is displayed stating that the account has been locked for security reasons and the user must unlock it.

Doing so asks the user to fill in sensitive information such as name, card details, address, etc. in order to verify the account.

The user’s information is sent to “http://appleid.apple-support-update-account.mulungmak[.]com/Finish.php”.

Trying to visit the same shortened URL (http://ow[.]ly/6O4530buRqh) again from the same IP automatically redirects the user to https://appleid.apple[.]com/#!&page=signin, which is a valid Apple domain.

Update [10/5/2017]: It appears that the same campaign has now slightly changed. It now takes advantage of another relay server and is sent from an email address similar to the one used before.

As before, a URL-shortener service is used [http://ow[.]ly/c2M230bAkpI] which, after a gateway check, points to http://appleid.apple-support-update-account.guadankamu[.]com. The same gateway (http://www.instinct-24[.]de/modules/vm_advancedconfigurator/views/img/backgrounds/upload/link2.php) is used as before to make sure that users revisiting the shortener URL are redirected to the legitimate Apple website.
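Added example (not code from the original post): a small Python analysis helper that refangs the defanged indicators above, walks a short link's redirect chain one hop at a time so every intermediate host (shortener, gateway, landing page) is recorded, and flags landing hosts that borrow the Apple brand name outside Apple-owned domains. The HTTP responses it uses offline are constructed to mirror the chain described in the text; `PROTECTED_BRANDS` and `live_fetch` are my assumptions for a defender's tooling, not anything observed in the campaign.

```python
"""Hop-by-hop redirect analysis for a phishing short link, with a brand-lookalike check.

Added example for this write-up (not code from the original post). The HTTP
responses in FAKE_RESPONSES are CONSTRUCTED to mirror the chain described in
the text: ow.ly short link -> gateway (link2.php) -> fake Apple ID page.
"""
import re
from urllib.parse import urljoin, urlparse

# Assumption: brand keywords and the registrable domains where they legitimately appear.
PROTECTED_BRANDS = {"apple": {"apple.com", "icloud.com"}}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a usable URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def defang(url: str) -> str:
    """Defang a URL so it cannot be clicked when pasted into a report."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplified: no public-suffix list, so co.uk-style TLDs are not handled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def brand_lookalike(url: str):
    """Return the brand a host borrows without owning it, else None.

    appleid.apple-support-update-account.mulungmak.com contains 'apple' but its
    registrable domain is mulungmak.com, so it is flagged; appleid.apple.com is not.
    Substring matching is deliberately coarse (pineapple.com would also match).
    """
    host = urlparse(refang(url)).hostname or ""
    reg = registrable_domain(host)
    for brand, legit_domains in PROTECTED_BRANDS.items():
        if brand in host and reg not in legit_domains:
            return brand
    return None


def walk_redirects(url: str, fetch, max_hops: int = 10) -> list:
    """Follow Location headers one request at a time so every hop is recorded.

    fetch(url) returns (status_code, location_header_or_None). Remember the
    gateway behaviour from the post: a revisit from the same IP is sent to the
    real Apple site, so only the first walk from a vantage point shows the phish.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            break  # redirect loop
        chain.append(nxt)
    return chain


# CONSTRUCTED offline stand-in for live HTTP, mirroring the hops the post describes.
FAKE_RESPONSES = {
    "http://ow.ly/6O4530buRqh": (301, "http://www.instinct-24.de/modules/vm_advancedconfigurator/views/img/backgrounds/cache/link2.php"),
    "http://www.instinct-24.de/modules/vm_advancedconfigurator/views/img/backgrounds/cache/link2.php": (302, "http://appleid.apple-support-update-account.mulungmak.com/"),
    "http://appleid.apple-support-update-account.mulungmak.com/": (200, None),
}


def fake_fetch(url: str):
    return FAKE_RESPONSES.get(url, (404, None))


def live_fetch(url: str, timeout: int = 10):
    """Real counterpart: one HEAD request with urllib's auto-redirect disabled. Isolated analysis host only."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 3xx instead of following it

    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def analyse(short_url: str, fetch=fake_fetch) -> dict:
    """Walk the chain from a (possibly defanged) URL and summarise it for a report."""
    chain = walk_redirects(refang(short_url), fetch)
    final = chain[-1]
    return {
        "chain": [defang(u) for u in chain],
        "final_host": urlparse(final).hostname,
        "impersonates": brand_lookalike(final),
    }


if __name__ == "__main__":
    report = analyse("http://ow[.]ly/6O4530buRqh")
    for hop in report["chain"]:
        print(" ->", hop)
    print("final host:", report["final_host"], "| impersonates:", report["impersonates"])
```

Pass `fetch=live_fetch` to `analyse` to walk a real link; the walk stops at the first non-redirect response, so the gateway's "already visited" branch simply shows up as a chain ending at the legitimate Apple host.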

Both domains were registered under the same email address ([email protected][.]com)

Also, to no surprise, the phishing domain was created on the same day.

IOC (updated)

