AhnLab Security Center


Snow White, that Apple is poisoned!


Recently, some victims have reported attacks by phishing emails containing what could be called “poisoned apples”. This is the latest incident in a long series of persistent attacks delivered via malicious emails disguised as messages from trustworthy companies or government offices.

This article examines a phishing attack that masquerades as an email from Apple Inc.


Figure 1 shows an email disguised as a message from Apple. A closer look reveals that the sender’s email address does not follow the official Apple convention. Email from Apple takes the form account@***.apple.com; for example, appleid@id.apple.com. The email shown in Figure 1, however, was sent from ****@inforservices.com, which looks plausible but does not match the official Apple convention.



Figure 1. Phishing scam purporting to be an Apple email


This fake message entices users to log onto a phishing Web page by informing them that their account will be disabled in 24 hours. The URL in the email is double-abbreviated, which makes the original URL harder to recognize. Clicking the link takes the user to a fake Web page disguised as the official Apple site.



Figure 2. Phishing page (left) / Real page (right)


Comparing the phishing site with the official Apple Web page shows a number of similarities in the image used, message shown on the screen, etc. A closer look, however, reveals that the URL’s domain and security protocol (TLS) are different as shown in Figure 2.
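
The two checks described so far (the sender's domain under Figure 1, the link's domain and TLS use under Figure 2) can be written as a short Python sketch. This is an added example, not AhnLab's code; the function names, the `.example` hosts and the local part `billing` are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: all legitimate hosts sit under this domain (account@***.apple.com).
TRUSTED_DOMAIN = "apple.com"


def host_is_trusted(host, trusted=TRUSTED_DOMAIN):
    """True only for the trusted domain itself or a real subdomain of it."""
    host = (host or "").rstrip(".").lower()
    return host == trusted or host.endswith("." + trusted)


def sender_is_trusted(from_header):
    """Judge the address inside the From header, never the display name."""
    _display, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return False
    return host_is_trusted(addr.rsplit("@", 1)[1])


def link_is_trusted(url):
    """Require HTTPS and a trusted host; text before '@' is not the host."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL
        return False
    return parts.scheme == "https" and host_is_trusted(parts.hostname)


def triage(from_header, urls):
    """Return the reasons a message matches the phish described above."""
    reasons = []
    if not sender_is_trusted(from_header):
        reasons.append("sender domain is not under " + TRUSTED_DOMAIN)
    for url in urls:
        if not link_is_trusted(url):
            reasons.append("link is off-domain or not HTTPS: " + url)
    return reasons


# Constructed samples: only the inforservices.com domain is from the article.
SAMPLE_FROM = '"Apple" <billing@inforservices.com>'
SAMPLE_URLS = [
    "http://short.example/abc",  # shortened link, no TLS
    "https://appleid.apple.com@login.example/verify",  # real name as userinfo
    "https://appleid.apple.com/",  # genuine form
]
print("\n".join(triage(SAMPLE_FROM, SAMPLE_URLS)))
```

A shortened link is flagged because its visible host is outside the trusted domain; the check does not follow redirects to find the final destination.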


Entering the Apple ID and password on the fake Web page produces a message telling the user that some information needed to verify the ID is missing. This tricks the user into clicking the “Unlock Now” button and entering banking and other personal information, as shown in Figure 3.



Figure 3. Message instructing the user to enter personal data


If the user enters the financial and personal information demanded on a screen like the one in Figure 3, the user’s credit card information (card number, CVV number, expiry date) and personal information (name, nationality, address, zip code, birthday, mobile phone number, etc.) are transmitted to the attacker. Next, a screen appears for entering the credit card information, as shown in Figure 4; providing the attacker with this additional information may lead to even further damage.



Figure 4. SecureCode information input screen



Figure 5. Regular Apple Sign-in page


Once the user fills out all the blanks including credit card information, he or she is redirected to the regular Apple Sign-in page as shown in Figure 5.


Since the user ultimately ends up logging into the real Apple Web page, he or she may not suspect what has really occurred. However, it should be noted that a real company would not demand credit card details or excessive amounts of other personal information in order to reactivate a dormant account.


If you have mistakenly entered credit card and personal information via a phishing email disguised as official Apple correspondence, you should immediately block the credit card to prevent further financial damage before it can occur.