2020-05-13

Deception seeks to steal iCloud ID and users’ financial data.

ESET, a leading company in proactive threat detection, analyzes an old social engineering campaign that has recently resumed activity. It is a fraud that seeks to steal the victim's iCloud ID and password and then collect as much of their personal information as possible, including their identity document and credit card details.

The campaign begins with an email presented as a security notice about an alleged purchase made through the recipient's mobile device. The subject line reads “Thank you for your order” followed by a date. The alleged purchase is listed as “Themes Guru – Lockscreen Themes & Wallpapers with Creative V1.1 (4+)”, which, judging by the name, would appear to be a pack of wallpaper-style images for the phone's lock screen.

The message is designed to alarm the user and push them to cancel the operation, since to an unsuspecting victim it looks like an obvious billing error. Reports of this same deception dating back to 2016 can be found in the Apple support forum.

The first thing that should make the user suspicious is the sender's email address, which does not correspond to an official Apple address. Another aspect that should draw the attention of a potential victim is that the message contains no personal reference to the recipient (a legitimate message of this type includes, at least, the recipient's name). A further detail is the wording of the message: besides some grammatical problems, the text is not even linguistically consistent (some passages are in Spanish and others in Portuguese).

Finally, the point that should leave the user in no doubt that this is a fraud is the link they are invited to open. To inspect the URL without visiting it, simply hover the mouse pointer over the text that carries the hyperlink. On a mobile device, pressing and holding the linked text for a few seconds reveals the full URL without actually opening it.

The link does not point to an official Apple site. If the user nevertheless falls for the deception and proceeds, they are redirected to a site that almost perfectly mimics the official Apple ID sign-in page. However, the site is served without an SSL certificate (no HTTPS), and its domain bears no relation to the official address.
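The red flags described above (a sender domain that is not Apple's, a link served over plain HTTP, a link host unrelated to Apple, and visible link text that shows one URL while the href points elsewhere) can be checked mechanically before anyone clicks. The following is an added example, not code from ESET or from the article; the allowlist of official domains and the sample message are assumptions constructed for the demonstration.

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Assumption: the allowlist of legitimate Apple sender and link domains used by this check.
OFFICIAL_DOMAINS = ("apple.com", "icloud.com")

# Constructed sample modelled on the lure described above; not a real capture.
SAMPLE_EML = b"""From: "Apple" <no-reply@apple-order-notice.example>
Subject: Thank you for your order
Content-Type: text/html; charset=utf-8

<p>Pedido: Themes Guru - Lockscreen Themes &amp; Wallpapers with Creative V1.1 (4+)</p>
<p>Cancel here: <a href="http://appleid-verify.example/login">https://appleid.apple.com</a></p>
"""

# Simple anchor matcher; sufficient for the HTML mail bodies this demonstration handles.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def is_official(host):
    """True when host is one of the allowlisted domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def shown_host(link_text):
    """Hostname a reader would infer from the visible link text, or None if it is not URL-like."""
    text = re.sub(r"<[^>]+>", "", link_text).strip()
    if "." not in text:
        return None
    return urlparse(text if "://" in text else "//" + text).hostname

def analyze(raw: bytes) -> list:
    """Return the red flags the article lists: sender domain, link host, missing HTTPS, text/href mismatch."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    sender_domain = msg["from"].addresses[0].domain if msg["from"] else ""
    if not is_official(sender_domain):
        findings.append(f"sender domain not official: {sender_domain}")
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in ANCHOR_RE.findall(html):
        url = urlparse(href)
        if url.scheme != "https":
            findings.append(f"link not HTTPS: {href}")
        if not is_official(url.hostname):
            findings.append(f"link host not official: {url.hostname}")
        shown = shown_host(text)
        if shown and shown != url.hostname:
            findings.append(f"link text shows {shown} but points to {url.hostname}")
    return findings
```

Calling `analyze(SAMPLE_EML)` on the constructed message returns four findings, one for each indicator the article describes.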

Once the victim has handed their login credentials to the operators of this campaign, an alert appears asking them to unlock the account in order to log in. The goal is to extract even more personal information from the victim.

If the victim clicks the “Unlock account” button, a form appears asking for personal details such as address, country, and so on, followed by credit card details. Once it has the card data, the campaign tries to lend the scam credibility by, among other things, imitating third-party security services that ask for a security code once again.

In addition, the victim is asked to upload a photo of an identity document to confirm the data. At this stage it also requests a photo of the individual, as well as photographs of the front and back of the credit card. After practically all of the victim's personal information has been submitted, the system claims to verify and confirm their identity. Notably, during the analysis of this campaign, photos of assorted landscapes were uploaded at each step, and the site still claimed to have verified the identity successfully.

“As we always say, when there is the slightest doubt about the legitimacy of an email, we should never click on a link included in a message that arrives unexpectedly, above all without first verifying its origin and confirming that it comes from an official site. On the other hand, if you were the victim of this deception and shared your personal information, we recommend changing your access credentials and contacting your financial institution. It is important to know the risks in order to avoid them and to take the necessary measures, such as keeping systems updated, using strong passwords or two-factor authentication whenever possible, and having a reliable security solution for both mobile and desktop devices, and thus be able to enjoy technology safely,” says Luis Lubeck, security specialist at the ESET Latin America Research Laboratory.