Rubica SOC discovers Apple Tech Support Scam

John Benedict Posted: 22 Aug 2019 3 min read

Today, Rubica’s Security Operations Center (SOC) analysts confirmed a widespread Apple Tech Support Scam campaign. This is not a new type of attack; however, this specific campaign was not blocked by automated rule sets because the attackers tweaked their methods just enough to slip past the existing rules. This means that if you rely on antivirus protection alone, this scam can quickly turn into a social engineering attack in which you lose personal and financial data.

Rubica’s SOC was proactively threat hunting on behalf of our customers when it identified the root cause of the attack, and it has already written new rules into the Rubica Security System. All Rubica customers are protected from this scam.

Details about the Apple Tech Support Scam

A legitimate-looking Apple Tech Support warning would pop up on the user’s iOS screen, claiming that illegal activity had occurred on the device and that Apple therefore had to “lock” it. To unlock the device, the message instructed the user to call the number shown on the web page immediately.

This number is not a legitimate Apple Tech Support phone number, and Apple does not host security-warning web pages. Users who call it are likely to face a social engineering attack in which they unintentionally hand the attackers personal and financial information.

The malicious page was reached through several different adult content sites, where the viewer’s browser was automatically redirected to it.

This was a phishing attack targeting Apple devices, specifically iPhone and iPad users.

Mainstream threat-blocking rules did not protect against this threat and were not able to stop the malicious web page from loading. In other words, your antivirus software does not protect you from this scam.

Rubica Security Protection

Every individual customer affected by the Apple Tech Support Scam was personally contacted and assisted by Rubica to remediate the threat. This is part of what we mean by SOC-as-a-service.

Upon finding this emerging threat, Rubica’s SOC wrote a rule into our security stack in real time. Rubica now automatically blocks this threat for all of our customers. Through Rubica’s “herd immunity,” a threat blocked for one customer through our proactive threat hunting is then blocked for all customers, building a smarter VPN.

If you see a warning such as the screenshot above on your device, never call the number or interact with the web page. Instead, contact Rubica’s cybersecurity analysts for help.

UPDATE:

Thank you to u/nullityrofl for checking our work. Enterprise-grade cyber security technology is capable of detecting known threats such as this one; Rubica offers the same enterprise-grade protection, but for the individual user. In this specific case, we observed the “bad guys” reusing TTPs from previous Apple Tech Support scams (see the detections below). We just wanted to point out the cyclical nature of cybersecurity threats and to raise awareness of this campaign.

Detected As:

“ET CURRENT_EVENTS Apple Tech Support Phone Scam Jul 07 2017”

“ET INFO Possible Phish – Mirrored Website Comment Observed”

IOCs:

mobappdevelopidea[.]site

emintbc[.]com

160[.]153[.]32[.]102
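As an added illustration (not Rubica’s code or its rule set), the following Python script refangs the three IOCs above and sweeps them over web-proxy log lines, producing the per-client list a SOC would use to decide whom to contact. The log format (timestamp, client IP, method, URL, status, referer) and every log line in it are constructed for this example; the referer column reproduces the redirect chain the post describes, from an adult site to the scam page to an asset fetched from the bare IP. Domain IOCs match subdomains, the IP IOC matches exactly, and malformed lines are skipped rather than crashing the sweep.

```python
"""Sweep web-proxy logs for the Apple Tech Support Scam IOCs in this post.

Added example, not Rubica's code or rules. The three indicators are the
ones published above; the log format and the log lines are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# IOCs exactly as published, defanged with [.] so they are not clickable.
DEFANGED_IOCS = [
    "mobappdevelopidea[.]site",
    "emintbc[.]com",
    "160[.]153[.]32[.]102",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable host or IP."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOCS = [refang(ioc) for ioc in DEFANGED_IOCS]


def is_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def host_matches(host: str, ioc: str) -> bool:
    """Exact match for any IOC; subdomain match only for domain IOCs.

    Case and a trailing dot (absolute DNS name) are normalised, so
    "www.EMINTBC.com." hits while "notemintbc.com" does not.
    """
    host = host.lower().rstrip(".")
    if host == ioc:
        return True
    if is_ip(ioc):
        return False  # never suffix-match an address
    return host.endswith("." + ioc)


@dataclass
class Hit:
    timestamp: str
    client: str
    ioc: str
    url: str
    referer: str  # "-" when the browser sent none


# Constructed proxy log (assumed format, one request per line):
#   <timestamp> <client-ip> <method> <url> <status> <referer>
SAMPLE_LOG = """\
2019-08-22T14:02:11Z 10.0.0.5 GET https://adult-site.example/videos/123 200 -
2019-08-22T14:02:12Z 10.0.0.5 GET http://mobappdevelopidea.site/apple/warning.html 200 https://adult-site.example/videos/123
2019-08-22T14:02:13Z 10.0.0.5 GET http://160.153.32.102/apple/support.js 200 http://mobappdevelopidea.site/apple/warning.html
2019-08-22T14:05:40Z 10.0.0.9 GET https://support.apple.com/ 200 -
2019-08-22T14:06:02Z 10.0.0.9 GET http://cdn.emintbc.com/lock.png 200 -
2019-08-22T14:07:15Z 10.0.0.9 GET https://notemintbc.com/ 200 -
"""


def scan_log(text: str) -> list[Hit]:
    """Return one Hit per log line whose URL host matches an IOC."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed line: skip rather than abort the sweep
        timestamp, client, _method, url, _status, referer = fields
        host = urlparse(url).hostname
        if not host:
            continue
        for ioc in IOCS:
            if host_matches(host, ioc):
                hits.append(Hit(timestamp, client, ioc, url, referer))
                break
    return hits


def affected_clients(hits: list[Hit]) -> dict[str, list[str]]:
    """Map each client IP to the IOCs it touched, in order of first contact."""
    result: dict[str, list[str]] = {}
    for hit in hits:
        iocs = result.setdefault(hit.client, [])
        if hit.ioc not in iocs:
            iocs.append(hit.ioc)
    return result


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f"{hit.timestamp} {hit.client} -> {hit.ioc} ({hit.url}) via {hit.referer}")
    for client, iocs in affected_clients(found).items():
        print(f"contact {client}: {', '.join(iocs)}")
```

Run it as-is to see the three hits and the two clients to contact; to use it on real data, replace SAMPLE_LOG with your proxy or DNS export and adjust the field order in scan_log to match. Keeping the IP IOC to exact matches matters: a suffix match on an address would flag unrelated hosts whose name merely ends in those digits.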