iPhone Users Warned Over Fake Spotify iTunes Email That Lets Hackers Steal Your Account

It has been reported that iPhone users are being warned over a new scam that tries to steal your Apple login details. It works using a “phishing” email that claims to be from Apple and Spotify, but it’s completely fake. The scam was highlighted on Reddit by a user named /u/the101maham.

Please see below for commentary from several cybersecurity experts.

Steve Giguere, Lead EMEA Engineer at Synopsys:

“With phishing scams like these, the first line of defence is careful observation.  This particular message is almost an ideal lesson in the hallmarks of poorly (but not that poorly) crafted phishing emails.  Spelling errors and/or poor grammar.  Mixed identifiers (Is it Apple or Spotify), and no https on the landing page (should you get that far) are a few of the key giveaways.  You can see, however, that this is only a few minor changes away from looking far more legit, should the attackers be only slightly more diligent.  Having robust endpoint security is an essential part of automating the quarantine process for more convincing email scams in addition to workplace training of employees to raise awareness of how common these attacks are.

Additionally, ensuring your systems are always patched and upgraded is paramount to ensuring that, in the unlikely event that you click a malicious link and are infected with malware, it can do the minimal amount of damage.  Most malware and ransomware strains take advantage of known exploits in operating systems to spread.  Good software maintenance practices can contain what could be a devastating result if systems are left running on outdated software.

It’s also important to know that there is no silver bullet.  Even trained software and security professionals can be caught out by the latest and greatest scam but as education into these types of malicious campaigns spreads, the risks can be mitigated.”

Gavin Millard, VP of Intelligence at Tenable:

“The best advice is to question whether what you’re about to do online, would be something you’d do in the real world. You wouldn’t give your bank account details, passwords or PIN number to someone who approaches you in a dark alleyway, you wouldn’t enter a bank card into an ATM that had obviously been tampered with nor tap a contactless card randomly against a scanner attached to a lamppost in the street. People need to air the same caution in the virtual world as they would in the physical one.”

Paul Norris, Senior Systems Engineer for EMEA at Tripwire:

“Hackers are getting better at creating ways to trick users, and this Apple ID attack is evident of that. Phishing campaigns are extremely popular and aim to dupe people into giving away personal and financial information, which is why individuals should be vigilant of the links and attachments sent to them. If you believe a link, attachment, or file to be suspicious then avoid interacting. However, malicious cyber criminals are preying on human naivety which is why these attacks continue to be used. Granted, it is becoming difficult to track malicious attackers as they are getting better at mimicking valid content from reputable organisations. The best way people can help avoid future attacks is by educating themselves about the risks and consequences of clicking unknown websites, links and attachments.”

Tim Sadler, Co-founder and CEO at Tessian:

“This is an example of a classic phishing scam. Phishing emails, like spam, are bulk in nature but are often pharming for a user’s credentials by mimicking the identity of a trusted website or service — in this case, Apple and Spotify. Like spam, phishing doesn’t discriminate. Anyone individual or business can be targeted and easily duped. While most rudimentary phishing emails are relatively easy to filter out, sophisticated tactics, which are on the rise, can still get through. In addition to vigilance, the best defence against phishing is a machine intelligent solution that automatically prevents attacks by analysing the context and content of inbound email.”

James Hadley, CEO and founder at Immersive Labs:

“As the days are getting shorter, a lot of people will slowly turn to the inevitable Christmas shopping list, so we should expect an increase in consumer phishing emails looking to exploit this seasonal shopping trend.  If you receive an email and you are unsure of its contents, follow these simple rules and you should be able to avoid this prime time for email scams without getting stung.

  • Are you expecting an email from the company?
  • Look at the sender address – Is the email sent from that companies domain?
  • Is the email poorly written? Does it use poor grammar or have an unusual sign off?
  • Does the email ask for personal information which they wouldn’t really need?”

Martin Jartelius, CSO at Outpost24:

“Anyone can make a great looking website, and fraudsters can do the same and create convincing emails. A good indicator is to check if the email was sent from an apple.com email address. Although some may believe that a green padlock is considered an indicator of a real apple page, this is in fact a false assumption. From what is being reported, the depicted attack used a hacked company website with an obscure sub-domain. The attackers could have easily purchased a domain name and gained a valid certificate. What is important is to, if in doubt, actually click the padlock and ensure it is issued to Apple and not to any other company.

These attacks are very common, and a good way to avoid them is to learn to read an address field. In this case we see http://myappleid-confirmcancellation.EXAMPLE.com/. This indicates that this website belongs to the domain EXAMPLE.COM. Domains are formed by subdomain.domain.tld. So, anything after the ‘/’ is irrelevant for trustworthiness and anything left of the domain name is an optional entry controlled by the potential attacker.

This type of fraud is extremely obvious to those adept at reading this line, but for anyone lacking the basic knowledge, it can be rather convincing. The most important take away – the padlock symbol – only means someone on your Wi-Fi is unlikely to be able to see what you submit, but without looking at the certificate, it is a very weak indicator on which to base trust.

So, it’s important to learn to understand how to actually verify integrity, by reading the details or the address correctly.

Without the padlock, you should never trust it to be Apple. With the padlock, you can’t trust it to be Apple without reading the details.

This is far harder on a phone, and hence, reading the address bar correctly is becoming a rather necessary security skill.”