Apple IDs Targeted in Botnet Phishing Scam

An image from Lane Splitter, an iOS title the phishing emails claim was illicitly purchased on targets' Apple accounts. Credit: fractiv

(Image credit: An image from Lane Splitter, an iOS title the phishing emails claim was illicitly purchased on targets' Apple accounts. Credit: fractiv)

In the wake of thieves stealing intimate personal photos from more than a hundred female celebrities, many of whom used iPhones, iOS users are concerned about the security of their Apple accounts. Cybercriminals are now preying on those concerns with a new phishing campaign that tries to trick Apple users into turning over their Apple IDs and passwords.

Researchers with Mountain View, California-based security company Symantec said in a blog posting that the Kelihos botnet, which has existed in various forms since 2010, has begun sending emails to Apple account owners claiming that suspicious activity has been detected on their accounts. Naturally, the emails look like they come from Apple's official support center.

MORE: Can You Trust Apple with Your Data?

Phishing emails look legitimate, but are meant to trick users into divulging important personal information. They usually contain some kind of "bait" with which to lure their targets.

In this case, the emails all claim to detect the same "suspicious activity": that the Apple account has been accessed from an IP address in Volgograd, Russia, and used to purchase an iOS game called Lane Splitter. If this were true, Apple would indeed alert its users, so these phishing emails are far craftier than most.

The phishing email goes on to "recommend that you urgently check your Apple ID" and provides a hyperlink that purportedly brings users to Apple's official webpage.

But the phishing emails actually redirect to a phishing website, a Web page that superficially resembles Apple's official site. On it, users are prompted to enter their Apple IDs and passwords. If you do so, you hand them over to the criminals who crafted the page. 

Is this phishing campaign designed to capitalize on the celebrity-nude-selfie thefts? It's possible, but not definite, says the Symantec blog post. It's not the first time phishing campaigns have tried to steal Apple credentials.

To protect yourself from phishing emails, don't click on any hyperlinks in email messages. For example, if you get an email that seems to be from Apple, go to your Web browser and type in Apple's URL yourself, and access your account that way.

You should also closely inspect any URLs contained in strange emails. They may claim to go to a certain Web page, but actually redirect to one with a URL that is just slightly different from what it should be.

The same goes for email addresses; in phishing campaigns, the email addresses will often be a few letters or characters off from the official addresses. In this campaign, the emails display a return address of "datacenter@apple.com," but they're probably spoofed, or forged to look like they're from a legitimate email address.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.