Days after numerous celebrities were found to have their iCloud accounts compromised, a major botnet has turned its attention to Apple customers, launching a phishing email campaign aimed at luring victims into disclosing their Apple ID’s and passwords.

Symantec has observed Kelihos (also known as Waledac) being used to send spam emails purporting to be from Apple, informing the victim that a purchase has been made using their account on the iTunes Store. Samples of the emails discovered by Symantec bear the subject line “Pending Authorisation Notification.” The email says that the victim’s account has been used to purchase the film “Lane Splitter” on a computer or device that hadn’t previously been linked to their Apple ID. The email gives an IP address that was used to make the alleged purchase and claims the address is located in Volgograd, Russia.

Figure 1. Sample of phishing email sent to victims

The victim is told if they didn’t make this purchase, they should urgently check their Apple ID by clicking an accompanying link. This will lead to a shortened URL that in turn directs the victim to a phishing page. This page masquerades as an Apple website and asks the user to submit their Apple ID and password. If the victim does so, the attackers will presumably harvest their credentials for exploit or resale.

Figure 2. The fake Apple website victims are directed to

Exploiting security fears

This campaign is underway just days after news broke of the leak of a large cache of stolen nude photos of celebrities. Some of these photos were leaked when Apple iCloud accounts belonging to celebrities were compromised by attackers who used a variety of methods, such as guessing the answer to security questions to obtain passwords or using phishing emails, to obtain Apple IDs and passwords.

Apple chief executive Tim Cook has said the company will beef up security around its iCloud service after the leak. Cook said that while none of the Apple IDs and passwords were leaked from Apple’s servers, the company will nevertheless now alert customers through email and push notifications when someone tries to change their account password, restore iCloud data to a new device, or when a device logs into an account for the first time.

It is possible that the timing of the campaign is not a coincidence and the controllers of the botnet are attempting to exploit public fears about the security of Apple IDs to lure people into surrendering their credentials. However, this is by no means the first time that attackers have targeted Apple IDs in this fashion.

Protection

Symantec advises users to follow these best practices to avoid becoming victims of phishing attacks.