
Apple ID Phishing Scam Won't Take Fake Data

At this point, the average Internet user has seen every quick-and-dirty phishing scam in the book and knows how to avoid them. That's why the cons are getting more complex and realistic.

Take, for example, the scam, which provides a near-exact facsimile of Apple's website to part you from your billing information — and even checks to make sure that the email address and credit-card number you give it are real.


The information comes by way of a blog post from the SANS Institute Internet Storm Center, an American organization that monitors online security. The scam begins when users receive emails purporting to be from Apple, informing them that they need to confirm their Apple IDs and the billing information associated with their accounts.

A link in the email brings them to, which at press time was not reachable. (The URL should be a red flag, as it is not an official Apple website). The site looks identical to Apple's actual login site, and even purports to have a JavaScript protocol in place to verify login info.

The system probably cannot confirm a real username/password combination. However, if you try to enter an invalid email address or a password that doesn't match Apple's parameters, the site will ask you to reenter your information.

From there, the site asks users for their full names, billing addresses and credit-card information. The site can even verify whether the credit card used is real and active, and will demand that the user input a valid one if not. At the end of the process, the site takes users to Apple's official website, leaving them (in all likelihood) none the wiser.

The scam site's realistic appearance is actually a simple trick. Instead of recreating Apple's login page from the ground up, the phishers took screenshots of Apple's pages and overlaid them with invisible text entry boxes. One dead giveaway of the site's inauthenticity is the fact that none of the links work.

Sharp-eyed users will also notice that the site is served over plain HTTP instead of the more secure HTTPS. Of course, users who pay attention to security protocols are not likely to fall for the fake URL in the first place.
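The traits the article describes (a host that is not Apple's, plain HTTP, links that go nowhere, and input boxes laid invisibly over a screenshot) are all observable in a page's markup. The following script is an added example, not code from the article or from the SANS Internet Storm Center, that parses a page and reports which of those indicators fire. The list of domains treated as legitimate, the sample HTML, and the `example-phish.invalid` host are all constructed for illustration.

```python
"""Heuristic check for the phishing-page traits described above:
non-Apple host, plain HTTP, dead links, and form fields overlaid on an image.
Added example; the sample HTML and domain list are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: these are the only domains treated as legitimate for an Apple ID page.
OFFICIAL_DOMAINS = ("apple.com", "icloud.com")

# Constructed sample resembling the described page: a screenshot as the only
# visible content, invisible absolutely-positioned inputs, and links that go nowhere.
SAMPLE_HTML = """
<html><body>
<img src="login_screenshot.png">
<a href="#">Store</a> <a href="#">Mac</a> <a href="javascript:void(0)">Support</a>
<form method="post" action="http://example-phish.invalid/verify.php">
  <input type="text" name="appleid" style="position:absolute; top:220px; left:300px; opacity:0">
  <input type="password" name="password" style="position:absolute; top:260px; left:300px; opacity:0">
  <input type="submit" style="position:absolute; top:300px; left:300px; opacity:0">
</form>
</body></html>
"""


class PageCollector(HTMLParser):
    """Collects links, form actions, input styles and image count from a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.form_actions = []
        self.inputs = []
        self.images = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.links.append(a.get("href") or "")
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            self.inputs.append(a.get("style") or "")
        elif tag == "img":
            self.images += 1


def is_dead_link(href):
    """A link that cannot take the user anywhere (empty, '#', or javascript:)."""
    href = href.strip().lower()
    return href in ("", "#") or href.startswith("javascript:")


def is_official_host(url):
    """True if the URL's host is one of OFFICIAL_DOMAINS or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def phishing_indicators(page_url, html):
    """Return the names of the indicators that fire for the given page, in a fixed order."""
    p = PageCollector()
    p.feed(html)
    found = []
    if not is_official_host(page_url):
        found.append("host_not_official")
    if urlparse(page_url).scheme != "https":
        found.append("page_not_https")
    if p.links and all(is_dead_link(h) for h in p.links):
        found.append("all_links_dead")
    for action in p.form_actions:
        if action and (urlparse(action).scheme != "https" or not is_official_host(action)):
            found.append("form_posts_offsite_or_plaintext")
            break
    # Inputs that are absolutely positioned and fully transparent: the overlay trick.
    overlaid = [s for s in p.inputs
                if "position:absolute" in s.replace(" ", "") and "opacity:0" in s.replace(" ", "")]
    if p.images and overlaid and len(overlaid) == len(p.inputs):
        found.append("inputs_overlaid_on_image")
    return found


if __name__ == "__main__":
    for ind in phishing_indicators("http://example-phish.invalid/login", SAMPLE_HTML):
        print("indicator:", ind)
```

Each indicator on its own is weak (legitimate pages occasionally use placeholder links or transparent inputs), so the useful signal is several firing together, as they all do for the constructed sample; a genuine Apple ID page served over HTTPS on an apple.com host with working links trips none of them.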

This phishing scam appears to be a very clever one, but you can avoid it the same way you avoid any other scam: Verify that the email address and URL are official company property. If in doubt, check your account status on the company's official website.

Follow Marshall Honorof @marshallhonorof and on Google+. Follow us @tomsguide, on Facebook and on Google+.