Apple issues warnings on iCloud phishing
Following a wave of phishing attacks, Apple has issued an advisory for users of its iCloud service. Apple has also stated that they have not detected any breach of security generally in the iCloud service. However, Apple states that it is “aware of intermittent organized network attacks using insecure certificates to obtain user information”.
Figure A illustrates a typical Apple iCloud phishing Website.
The advisory focuses on safety via the issued digital certificate. Apple warns users that they should take care when logging into iCloud; if they receive a warning that the site is not trusted then they should not proceed with a login. The full details (including screenshots for each of the major browsers) are located on the Apple website.
Attackers have recently gained some notoriety by stealing credentials from iCloud users and using them to gain unauthorised access the victim’s iCloud account. This has allowed the attackers to access the victim’s files, and in some cases, post images of the victim on the internet. High profile victims such as celebrities have been the target of some of these attacks. Jennifer Lawrence was a recent high profile victim of a suspected phishing scam, leading to her account being hacked. Other targets can include individuals who store confidential or sensitive data on iCloud.
The phishing sites in this case do not have a genuine digital certificate, and so are easier to detect. Use of phishing sites to obtain user credentials can still be effective. Even a low tech site such as some of the Apple phishing sites can still garner user credentials. Often users are directed to the phishing sites via phishing emails that are crafted to appear as though they are from a vendor (Apple in this case).