Researchers at Symantec spotted a phishing campaign targeting Apple IDs in the days after it was discovered a number of celebrities had their accounts compromised.
According to Symantec, the Kelihos botnet (also known as Waledac) was being used to spam emails purporting to be from Apple. Recently, Kelihos was also involved in attacks targeting Russian victims by playing to anti-Western sentiments.
In the Apple-related case, the messages blasted out by the botnet tell the recipient that a purchase was made using their iTunes account. The emails had the subject line “Pending Authorisation Notification.”
“The email says that the victim’s account has been used to purchase the film “Lane Splitter” on a computer or device that hadn’t previously been linked to their Apple ID,” the Symantec Security Response Team explains in a blog post Sept. 5. “The email gives an IP address that was used to make the alleged purchase and claims the address is located in Volgograd, Russia.”
The messages told the victim if they didn’t make the purchase, they should check their Apple ID by clicking on the accompanying link. The link however led the victim to a phishing disguised as an Apple website that prompts the visitor for their Apple ID and password. If the victim did so, the attackers would be able to leverage the credentials to compromise the account or for resale.
Symantec told SecurityWeek today that it does not have any information suggesting the campaign is still ongoing. The discovery however came on the heels of news that nude photos of a number of celebrities had been stolen from Apple iCloud and posted online.
Apple has said that none of the compromises resulted from a breach of Apple’s Systems, including iCloud or Find my iPhone. Instead, the company attributed the situation to a targeted attack on usernames, passwords and security questions focused on celebrity accounts.
In light of the incident, Apple CEO Tim Cook has said the company will improve security around the iCloud data storage service by among other things alerting customers through email when someone tries to change their account password or restore iCloud data to a new device.
“As long as people click on links in emails and open attachments attackers will exploit this weakness to gain a foothold in corporate networks,” said Rohyt Belani, CEO of security firm PhishMe.
“Organizations have to realize that no technology will block all phishing or detect all malware, so while it’s important to deploy the right network and endpoint protection technologies, you will still have to rely on humans to recognize and defend against threats that reach their inboxes,” he added.
