At McAfee we recently observed a phishing campaign targeting Apple account holders.
The link directed the user to a compromised WordPress site used to serve the fake Apple ID login page.
Users are asked to log in with their Apple IDs, and then are requested to update billing information and credit card details. In the following images we have highlighted some indicators that the site is not legitimate.
Users are then redirected to the official Apple page.
The phishers usually create a local .zip file that contains all of their scripts to create the phishing page. They upload this file to a compromised server, extract it, and delete the file. On this occasion, the phisher appears to have forgotten to perform this last step.
This oversight enabled us to see how the website code worked; we found some interesting comments.
The .zip file contained a readme that states the results would be stored locally, although this was not the case.
We also found some .htaccess files. These are used to block access to the site by checking the originating IP of the connection. This is done to prevent the site’s being accessed and analyzed by robot scrapers.
Depending on the page a user lands on—credit card, Apple login, or address change—a .php script generates an email and sends it to firstname.lastname@example.org.
In one of the .php files we found a reference a hacktivist group. We did some investigating and found this name had been associated with several website defacings. The group’s activities promote a set of political views, so we suspect that the group was funding its operations through this new phishing scam.
We received another phishing email that was identical to the original one apart from the URL it linked to. It served the same fake Apple page but this time it did not contain the .zip file. We went to the homepage of the compromised site and found it had also been defaced.
This confirmed our view that the original phishing site was hacked by the hacktivist group. It seems that political hackers are now using their skills to generate income to aid their causes.
McAfee customers are protected from this campaign through heuristic definitions and McAfee Global Threat Intelligence reputation.