Phishing for Apples - a popular cybercriminal sport

Its handsets may be plagued by reports of a bending chassis and operating system updates that cause problems, but with many millions of iPhone 6s already sold, it perhaps comes as no surprise to learn that Apple is the most popular brand in the world when it comes to phishing campaigns.

According to the latest (H1-2014) Global Phishing Survey from the Anti-Phishing Working Group (APWG), out of 756 brands analysed in phishing campaigns during the first six months of the year, Apple had the dubious honour of being first.

In parallel with this news, reports are also circulating that the quality assurance manager in charge of Apple's bug-ridden iOS 8.0.1 update - which resulted in some iPhone users being unable to make voice calls - was also leading a team responsible for the much-maligned Maps app launched with iOS 6 some two years ago.

Back in the land of phishing, meanwhile, Apple's brand - along with its sub-brands, iTunes and iPad - was included in 21,951 of the 123,741 phishing reports that the APWG analysed.

According to Rod Rasmussen, president and CTO of IID and the survey's co-author, Apple, as the world's most valuable brand with a massive online user base, has always been a phishing target, and with phishers concentrating more and more on online account takeover, consumers' Apple IDs are a tempting target.

"As Apple provides more services and devices tied to one's Apple ID, including the just announced Apple Pay, it is no surprise that phishers are increasing their efforts to fool consumers into divulging their credentials, regardless of additional security measures Apple puts in place to protect their customers," he explained.

Delving into the report shows that cyber-crime gangs are aggressively pursuing brand diversity in their online fraud schemes, spoofing and otherwise leveraging the identities of more than 750 institutions - the highest number the analysts had yet encountered.

"If a site takes in personal data like passwords or credit card information, then phishers may want to exploit it," said Greg Aaron, president of Illumintel and the survey's co-author.

"We're seeing an unprecedented breadth of targets - cloud storage sites, utility companies, business service providers, and real estate brokerages," he added.

The weakest link

Commenting on the APWG report, Tony Marques, a cyber security consultant with the Encode Group, said that the weakest link in the people, process and technology arena is the human.

"Going after the 'privileged' end-user is so much easier. It's a simple numbers game from the phishing attacker's perspective. However, 'process' and 'technology' can come to the rescue: two-factor authentication via the user's mobile for example. User situational awareness coupled with a two-factor authentication process automated with technology has to be the step forward here," he said.

"Users should become accustomed to being notified of an authentication PIN being sent to their mobile as a matter of course," he added.