It’s not just your bank accounts that online criminals are keen to break into. They would quite like to hijack your Apple ID credentials too.
A number of people have reported receiving a text message from “AppleInc” over the weekend, claiming that their Apple IDs was about to expire – and urging them to click on a link if they wanted to keep it.
Of course, the scammers have chosen their words carefully – making the message appear urgent to encourage as many people as possible to click on the link without properly considering the potential pitfalls.
The scam was probably even more convincing to the unwary as it used the real first name and last name of recipients.
[Name] Your Apple ID is due to be expire today. Prevent this by confirming your Apple ID at [URL] – Apple Inc.
Okay, so perhaps you as a regular reader of a security news site wouldn’t fall for such shenanigans – but are you certain that there isn’t someone amongst your family and friends who wouldn’t be susceptible to a moment of muddied thinking, and click on the link without proper caution?
If they did then they would be greeted with a convincing-looking replica of the real Apple ID login page.
The phoney website pictured above is designed to grab your personal information and pass it straight on to online criminals. They could use those details to commit fraud, or sell your credentials on to other crooks on the computer underground.
That’s obviously even worse news if you have made the mistake of reusing your passwords across the net.
Regardless of what you enter on the username/password screen you will be told that your Apple ID has been “locked for security reasons”.
To unlock your Apple ID, the phishing site then asks you to enter further personal details including your date of birth, telephone number, address, and credit card details. They even have the gall to ask you to give them an answer to a pre-determined security question.
The security question options? “Mother’s maiden name”, “Driving license number” and “Passport number”.
One obvious question remains. Where did the attackers get the list of names and mobile phone numbers from to target their potential victims with the initial phishing SMS message?
Stay safe people, always be wary of the links that you click on – and, if you haven’t already done so, enable two-step verification on your Apple ID account.
Hat-tip: Thanks to reader Andy for forwarding this phishing attack to me.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.