Apple now the most frequently phished brand in the world

News by Steve Gold

Phishing for Apples becomes a popular cyber-criminal sport

Its handsets may be plagued by reports of a bending chassis and operating system updates that cause problems, but with many millions of iPhone 6s already sold, it perhaps comes as no surprise to learn that Apple is the most popular brand in the world when it comes to phishing campaigns.

According to the latest (H1-2014) Global Phishing Survey from the Anti-Phishing Working Group (APWG), out of 756 brands analysed in phishing campaigns during the first six months of the year, Apple had the dubious honour of being first.

In parallel with this news, reports are also circulating that the quality assurance manager in charge of Apple's bug-ridden iOS 8.0.1 update - which resulted in some iPhone users being unable to make voice calls - was also leading the team responsible for the much-maligned Maps app launched with iOS 6 some two years ago.

Back in the land of phishing, meanwhile, Apple's brand - along with its sub-brands, iTunes and iPad - was included in 21,951 of the 123,741 phishing reports that the APWG analysed.

According to Rod Rasmussen, president and CTO of IID and the survey's co-author, as the world's most valuable brand with a massive online user base, Apple has always been a phishing target - and with phishers concentrating more and more on online account takeover, consumers' Apple IDs are a tempting target.

"As Apple provides more services and devices tied to one's Apple ID, including the just announced Apple Pay, it is no surprise that phishers are increasing their efforts to fool consumers into divulging their credentials, regardless of additional security measures Apple puts in place to protect their customers," he explained.

Delving into the report shows that cyber-crime gangs are aggressively pursuing brand diversity in their online fraud schemes, spoofing and otherwise leveraging the identities of more than 750 institutions - the highest number the analysts had yet encountered.

"If a site takes in personal data like passwords or credit card information, then phishers may want to exploit it," said Greg Aaron, president of Illumintel and the survey's co-author.

"We're seeing an unprecedented breadth of targets - cloud storage sites, utility companies, business service providers, and real estate brokerages," he added.

The weakest link

Commenting on the APWG report, Tony Marques, a cyber security consultant with the Encode Group, said that the weakest link in the people, process and technology arena is the human.

"Going after the 'privileged' end-user is so much easier. It's a simple numbers game from the phishing attacker's perspective. However, 'process' and 'technology' can come to the rescue: two-factor authentication via the user's mobile for example. User situational awareness coupled with a two-factor authentication process automated with technology has to be the step forward here," he said.

"Users should become accustomed to being notified of an authentication PIN being sent to their mobile as a matter of course," he added. 
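The mobile-PIN second factor Marques describes can be sketched server-side in a few dozen lines. The following is an added example, not code from the article or from any of the firms quoted; the PIN length, the five-minute lifetime, the three-attempt lockout and the in-memory `send` stub standing in for an SMS gateway are all assumptions chosen for illustration. The properties a practitioner cares about are that the PIN comes from a CSPRNG, only a keyed hash of it is stored, comparison is constant-time, and a PIN is single-use, expires, and locks after repeated wrong guesses.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example (not from the article).
PIN_DIGITS = 6
PIN_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class PendingPin:
    digest: bytes        # keyed hash of the PIN; the PIN itself is never stored
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class MobilePinFactor:
    """Second factor: a one-time PIN delivered to the user's registered mobile.

    Delivery goes through `send(number, text)`; by default this example just
    records outgoing messages in `self.sent` so it runs offline. `clock` is
    injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, secret_key: bytes, send=None, clock=time.time):
        self._key = secret_key
        self._clock = clock
        self._pending: dict = {}          # user -> PendingPin
        self.sent: list = []              # (number, text) pairs, offline stand-in
        self._send = send or (lambda number, text: self.sent.append((number, text)))

    def _digest(self, user: str, pin: str) -> bytes:
        # HMAC over user:pin binds the digest to the account so stored
        # entries cannot be swapped between users.
        return hmac.new(self._key, f"{user}:{pin}".encode(), "sha256").digest()

    def issue(self, user: str, mobile_number: str) -> None:
        # secrets.randbelow is a CSPRNG; random.randint would be guessable.
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self._pending[user] = PendingPin(
            self._digest(user, pin), self._clock() + PIN_TTL_SECONDS
        )
        # The PIN travels only over the out-of-band channel, never back to
        # the browser session that requested it.
        self._send(
            mobile_number,
            f"Your sign-in PIN is {pin}. It expires in {PIN_TTL_SECONDS // 60} min.",
        )

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user]       # expired: user must request a new PIN
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.digest, self._digest(user, submitted))
        if ok or entry.attempts_left <= 0:
            del self._pending[user]       # single use; lockout after MAX_ATTEMPTS
        return ok


if __name__ == "__main__":
    factor = MobilePinFactor(secret_key=secrets.token_bytes(32))
    factor.issue("alice", "+44 0000 000000")   # constructed number
    print("sent:", factor.sent[-1])
```

The attempt counter is decremented before the comparison so that a wrong guess always costs an attempt; deleting the entry on success is what makes a captured PIN useless for replay once the legitimate user has consumed it.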

Over at Randomstorm, Gavin Watson, who heads up the security firm's social engineering team, said that it is not surprising that Apple is the most phished brand as cyber-criminals have always gone after the most popular domains.

"From our point of view, the most interesting finding in the APWG report is the way in which criminals are broadening the number of companies whose domains are being misappropriated for their phishing campaigns, making it much harder for email recipients to spot phishing attacks," he said.

"We were also interested in the fact that compromised shared virtual servers accounted for a full 20 percent of all phishing attacks this year, with 215 mass break-ins during the first half of 2014, up from 178 mass break-ins during the first half of 2013," he added.

According to Watson, during Randomstorm's social engineering pen tests, he and his team are sometimes asked by clients to carry out phishing email tests.

"In these tests we deliberately include inconsistencies in the email signature, spelling mistakes, or a different domain name, to discover what proportion of the staff spot the spoof attack and report it to the IT help desk. 

"This tells the client quite a lot as they can see whether employees are looking out for phishing emails and reporting them, or whether they are simply ignoring, or, worse, clicking on the links in the test emails. Sadly, our pen tests consistently show that phishing employees is still one of the most effective ways of breaching corporate security, as demonstrated by several major breaches in the last three years," he said.

"The APWG report highlights the fact that even when criminals use quite blatantly fraudulent URLs, people still open the emails, click on links and open attachments, whether they are from Apple or Accounts Payable.

"While phishing remains such an effective vector for harvesting user credentials and accessing corporate networks, criminals will continue to use it. The only way for businesses to combat this is to share information on the latest attacks and to continually train staff to be vigilant," he added.
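Watson's tests plant tell-tale signs such as a different domain name, and the APWG report notes that even blatantly fraudulent URLs get clicked. The checks a help desk or mail gateway can automate for those two signals are shown below as an added example; it is not code from the article, Randomstorm or the APWG. It assumes a small watchlist of trusted sending domains, uses a crude last-two-labels approximation of the registrable domain (no public suffix list), and treats a domain within edit distance 2 of a trusted one as a lookalike. The sample message is constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Assumed watchlist: domains this organisation expects legitimate mail from.
TRUSTED_DOMAINS = {"example-corp.com", "apple.com"}

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)+\b")


def registrable(host: str) -> str:
    """Last two labels of a hostname; a stand-in for real public-suffix handling."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, if any."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def phishing_indicators(raw_message: str) -> List[str]:
    """Return human-readable findings for a raw RFC 822 message (empty if clean)."""
    msg = message_from_string(raw_message)
    findings: List[str] = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(from_addr.rpartition("@")[2]) if "@" in from_addr else ""
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        hit = lookalike_of(from_dom)
        findings.append(
            f"sender domain {from_dom} " + (f"imitates {hit}" if hit else "is not trusted")
        )

    # A Reply-To pointing somewhere other than the sender is a classic sign.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr and registrable(reply_addr.rpartition("@")[2]) != from_dom:
        findings.append("Reply-To domain differs from From domain")

    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            body += part.get_payload(decode=True).decode(errors="replace")

    for href, text in HREF_RE.findall(body):
        href_dom = registrable(urlparse(href).hostname or "")
        hit = lookalike_of(href_dom)
        if hit:
            findings.append(f"link to {href_dom} imitates {hit}")
        shown = DOMAIN_IN_TEXT_RE.search(text)
        if shown and registrable(shown.group(0)) != href_dom:
            findings.append(
                f"link text shows {registrable(shown.group(0))} but points to {href_dom}"
            )
    return findings


# Constructed sample resembling the kind of lure described in the article.
SAMPLE = """\
From: Apple Support <noreply@appleid-verify.com>
Reply-To: support@mail-collector.example
To: user@example-corp.com
Subject: Your Apple ID has been locked
Content-Type: text/html

<p>Verify now: <a href="http://appie.com/login">https://apple.com/account</a></p>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("-", finding)
```

Nothing here inspects spelling or signature consistency, the other cues Watson mentions; those are easier for a trained reader than for a regex. What the code does catch is exactly the "different domain name" case: the sender and reply path disagreeing, and a link whose visible text and real destination point to different places.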
