FireEye has observed phony Apple domains, registered during the first quarter of 2016, used to execute phishing attacks against Apple iCloud users located in China and the UK, according to a FireEye blog post that details campaigns referred to as Zycode (aimed at Chinese users) and “British Apples Gone Bad” (targeting UK users).
“In the past we have observed several phishing domains targeting Apple, Google and Yahoo users; however, these campaigns are unique as they are serving the same malicious phishing content from different domains to target Apple users,” the researchers wrote, noting that since January they've “observed several phishing campaigns targeting the Apple IDs and passwords of Apple users.”
Since iCloud uses a central Apple ID and an easy interface for information sharing – as well as an iCloud Keychain that lets users store passwords and credit card data – “anyone with access to an Apple ID, password and some additional information, such as date of birth and device screen lock code, can completely take over the device and use the credit card information to impersonate the user and make purchases via the Apple Store,” they noted.
Because an encoded string strHTML “goes through a complex sequence of around 23 decrypting/decoding functions that include number system conversions, pseudo-random pattern modifiers followed by XOR decoding using a fixed key or password ‘zycode’” to create the HTML phishing content, the researchers said that “phishing detection systems that rely solely on the HTML in the response section will completely fail to detect the code generated using this technique.”
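The following is an added illustration, not code from FireEye or from the phishing kit, of why a scanner that only reads the raw HTTP response misses a page that is assembled at runtime from an encoded string, and of how a scanner can instead decode the embedded string before looking for login-page markers. The three-layer decoder is a hypothetical, much-simplified stand-in for the roughly 23-step chain the researchers describe (one number-system conversion, one pattern modifier and one XOR pass); the key `zycode` is the one named in the article, while the sample response, the marker list and all function names are constructed.

```python
"""Added example: scanning a response whose phishing page is built by script
from an encoded string, rather than shipped as plain HTML.

The decode chain here is a constructed three-layer stand-in for the ~23-step
chain described in the article; only the XOR key 'zycode' comes from it.
"""
import re

# Constructed list of phrases a credential-harvesting page for this campaign would show.
PHISH_MARKERS = ("apple id", "password", "verify your birth date", "screen lock")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte against a repeating fixed key (the last stage the article names)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_layers(encoded: str, key: str = "zycode") -> str:
    """Reverse the constructed three-layer encoding to recover the generated HTML."""
    raw = bytes.fromhex(encoded)  # layer 1: number-system conversion (hex text -> bytes)
    raw = raw[::-1]  # layer 2: a trivial 'pattern modifier' (byte-order reversal)
    return xor_with_key(raw, key.encode()).decode("utf-8", errors="replace")  # layer 3: XOR


def find_markers(text: str) -> list:
    """Return the phishing markers present in text, case-insensitively."""
    lowered = text.lower()
    return [m for m in PHISH_MARKERS if m in lowered]


def extract_encoded_strings(html: str) -> list:
    """Pull long hex-looking string literals out of inline script, e.g. var strHTML="...";"""
    return re.findall(r'["\']([0-9a-fA-F]{32,})["\']', html)


def scan_response(html: str, key: str = "zycode") -> tuple:
    """Return (markers seen in the raw response, markers seen only after decoding).

    A detector that stops at the first element will report nothing for this
    response; the second element is what a script-aware detector recovers.
    """
    raw_hits = find_markers(html)
    decoded_hits = []
    for blob in extract_encoded_strings(html):
        try:
            decoded_hits.extend(find_markers(decode_layers(blob, key)))
        except ValueError:  # not valid hex after all; skip the literal
            continue
    return raw_hits, sorted(set(decoded_hits))


def encode_layers(text: str, key: str = "zycode") -> str:
    """Constructed helper used only to build the sample response; inverse of decode_layers."""
    return xor_with_key(text.encode(), key.encode())[::-1].hex()


# Constructed sample: the page the victim sees exists only inside strHTML.
SAMPLE_PAGE = '<form>Enter your Apple ID and password<input name="pw" type="password"></form>'
SAMPLE_RESPONSE = (
    '<html><body><script>var strHTML="' + encode_layers(SAMPLE_PAGE)
    + '";document.write(decode(strHTML));</script></body></html>'
)

if __name__ == "__main__":
    raw, decoded = scan_response(SAMPLE_RESPONSE)
    print("markers in raw response:     ", raw)
    print("markers after decoding strHTML:", decoded)
```

Running the block prints an empty list for the raw response and `['apple id', 'password']` after decoding, which is the gap the researchers point to: the login form never appears in the HTTP body, so a detector has to either execute the script in a sandboxed browser or reverse the kit's decoding chain as done here.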
Users who enter a login and password are redirected to a phony Chinese Apple page, where they're instructed to “Verify your birth date or your device screen lock to continue” and then prompted to answer three security questions.
Upon submission, victims receive notice that the IDs have been unlocked. The researchers noted that all of the “domains used the whois privacy protection feature.”
FireEye called a few of the campaigns “particularly interesting” because they employed “sophisticated evasion techniques, geographical targets, and because the same content was being served across multiple domains, which indicates the same phishing kits were being used.”