Watch out! There are Apple ID SMS phishers about!

“Your Apple ID is due to be expire today”… yeah, right.

It's not just your bank accounts that online criminals are keen to break into. They would quite like to hijack your Apple ID credentials too.

A number of people have reported receiving a text message from "AppleInc" over the weekend, claiming that their Apple ID was about to expire - and urging them to click on a link if they wanted to keep it.

Of course, the scammers have chosen their words carefully - making the message appear urgent to encourage as many people as possible to click on the link without properly considering the potential pitfalls.

The scam was probably even more convincing to the unwary as it used the real first name and last name of recipients.

[Image: Apple ID SMS phishing]

[Name] Your Apple ID is due to be expire today. Prevent this by confirming your Apple ID at [URL] - Apple Inc.

Okay, so perhaps you, as a regular reader of a security news site, wouldn't fall for such shenanigans - but are you certain that there isn't someone amongst your family and friends who would be susceptible to a moment of muddied thinking, and click on the link without proper caution?

If they did then they would be greeted with a convincing-looking replica of the real Apple ID login page.

[Image: Apple expired website]

The phoney website pictured above is designed to grab your personal information and pass it straight on to online criminals. They could use those details to commit fraud, or sell your credentials on to other crooks on the computer underground.

That's obviously even worse news if you have made the mistake of reusing your passwords across the net.

Regardless of what you enter on the username/password screen you will be told that your Apple ID has been "locked for security reasons".

[Image: Locked]

To unlock your Apple ID, the phishing site then asks you to enter further personal details including your date of birth, telephone number, address, and credit card details. They even have the gall to ask you to give them an answer to a pre-determined security question.

The security question options? "Mother's maiden name", "Driving license number" and "Passport number".

One obvious question remains. Where did the attackers get the list of names and mobile phone numbers from to target their potential victims with the initial phishing SMS message?

Stay safe people, always be wary of the links that you click on - and, if you haven't already done so, enable two-step verification on your Apple ID account.

Hat-tip: Thanks to reader Andy for forwarding this phishing attack to me.
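
A triage heuristic for the kind of message described in this article, as an added example (not code from the article or from Apple): it pulls each link out of an SMS body and judges it by its registrable domain rather than by brand words in the hostname. The allowlist, shortener list and suffix list are constructed assumptions; the sample messages are those quoted in the reader responses on this page, trimmed.

```python
import re

# Assumptions of this sketch (not from the article): the allowlist, the
# shortener list and the two-label suffix list are small constructed sets;
# a production check would use the full Public Suffix List.
LEGIT = {"apple.com", "icloud.com"}
SHORTENERS = {"bit.do", "bit.ly", "tinyurl.com"}
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "me.uk"}
BRAND = re.compile(r"apple|icloud", re.I)
HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)


def registrable(host):
    """Reduce a hostname to its registrable domain (a.b.co.uk -> b.co.uk)."""
    labels = host.lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def triage(sms):
    """Return (host, reason) for every suspicious link in one SMS body."""
    findings = []
    for match in HOST.finditer(sms):
        host = match.group(1).lower()
        domain = registrable(host)
        if domain in LEGIT:
            continue  # ownership is decided by the registrable domain only
        if domain in SHORTENERS:
            findings.append((host, "shortened link hides the destination"))
        elif BRAND.search(host):
            findings.append((host, "brand name inside a non-Apple domain"))
        elif BRAND.search(sms):
            findings.append((host, "message invokes Apple but links elsewhere"))
    return findings


# Message bodies as quoted in the reader responses on this page, names omitted
# and lightly trimmed; the last one is a constructed benign control.
SAMPLES = [
    "We have deactivated your Apple ID. To prevent deletion confirm your "
    "details at http://icloudsecuresupport.com - iCloud Support.",
    "your Apple ID has been deactivated pending termination. Prevent this by "
    "confirming your details at http://icloudmobile.co.uk - iCloud",
    "Apple ID has been locked for security reasons apple.id.ukicloud.online",
    "Manage your Apple ID at https://appleid.apple.com",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(triage(body) or "no suspicious link", "<-", body[:40])
```

Because the decision rests on the registrable domain, a hostname that merely starts with a trusted name, such as the subdomain trick in the third sample, is still flagged.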

34 Responses

  1. Bob

    April 11, 2016 at 4:46 pm #

    Very, very realistic.

    I've spoken with a colleague (who deals with security incidents) and this rogue website should soon be blocked by the major browsers and anti-virus vendors.

    How long it takes for the domain itself to be removed is anybody's guess.

    • Bob in reply to Bob.

      April 11, 2016 at 8:27 pm #

      I am pleased to report that this page is now blocked in Google Chrome, Firefox and other browsers.

      • Dean in reply to Bob.

        April 24, 2016 at 3:54 pm #

        icloudsecuresupport.com is the site I was sent to, it's identical to the above site. The SMS I received from 'imessage' had my full name but no number attached, it's all very convincing…so what gave it away as a scam, that's simple, friends and family having appalling Apple customer services but most of all how poorly they are made…quite simply, I'll never ever own an Apple product.

  2. ME

    April 13, 2016 at 2:26 pm #

    It would be easier to shut down and block the website from domain server.

    • Bob in reply to ME.

      April 13, 2016 at 6:32 pm #

      The Hosting Provider (internet.bs) aren't registered themselves in the UK so it'll be almost impossible for the authorities to have it closed via that route so blocking "from domain server" isn't an option.

      The only other method is blocking via the UK registry (Nominet) but for that they need a court order which can be time consuming.

      It's quickest to get the major vendors to block the site because that provides the best consumer protection.

  3. Doel Jeeks

    April 13, 2016 at 2:34 pm #

    If you run a WhoIs on the domain it gives a name and address based in Brighton. How likely is this to be accurate, generally speaking?

    • Bob in reply to Doel Jeeks.

      April 13, 2016 at 6:29 pm #

      It's false. Generally speaking Whois shouldn't be relied upon unless the domain is owned by a registered company.

  4. Martin

    April 13, 2016 at 5:57 pm #

    I got a txt message from 07478969834 telling me I had missed a message from apple:
    "You have (1) missed message from Apple. CLICK HERE: …"

    take a look here:
    http://who-called.co.uk/Number/07478969834

  5. Amme

    April 16, 2016 at 12:57 pm #

    Just got such a text at 11.45am UK time directing to icloudauth.co.uk. It had my real, full name so this data stolen from somewhere. However, I do not have an Apple Account. Had a look at the site and it's just like your screen shot above. Looked at the registrant on who.is and it is literally registered yesterday, a woman in Chiswick, London, no doubt her details have been stolen. Have reported site to Google phishing page. Site does not come up as dangerous on any of the standard virus checking sites. Cannot identify where the text was sent from.

    • Bob in reply to Amme.

      April 16, 2016 at 5:31 pm #

      Another scam website. It's now been blocked by the major browsers. I doubt the registrant at who.is even exists (i.e. it's unlikely "her details have been stolen") – it's more likely to be a totally fake name/address.

      The 'original' website, as reported in the article (appleexpired.co.uk), has now been taken down permanently.

      • Amme in reply to Bob.

        April 17, 2016 at 10:32 pm #

        She did exist as I found her listed as a company director at that address. It was a private house in Chiswick but the registrant had spelt it as Chisweck. Old listing so maybe she had moved on from there but definitely a real person and a former address at least.

        Glad the reporting process has worked and it got taken down quickly.

        • Bob in reply to Amme.

          April 18, 2016 at 10:38 am #

          That's what I'm getting at – no details have been 'stolen'. The register at Companies House is accessible to the public.

          Whoever registered the website can enter whatever they like for their Whois record: it's notoriously unreliable. You can use a totally fake name and address as they're not properly checked. All that happens is that a marker is put against the name to say 'validated against third party source' or 'unable to validate'.

  6. BXA

    April 17, 2016 at 5:47 pm #

    I received a new message from +44 42 5683 with the url icloudauth.co.uk (already checked the fake WHOIS like above). Mine had my "<My Name> <Ex's Name> BF your iCloud ID expires today" which did actually piss me off a bit because that information is really targeted, there's no information publicly available on the internet regarding my relationship or phone number so I wondered how that information had been obtained.

    I then realised though that it's obvious someone has saved my name in their phonebook as that to remember who I was. So it's either some rogue app uploading phone book contact info to a server, an exploited app's server or someone who's sync'ed their contacts to Outlook and had their PC exploited.

    • Bob in reply to BXA.

      April 18, 2016 at 10:41 am #

      It could be WhatsApp because they upload all your phonebook to their services. Now their new owners Facebook are in charge they are in the ideal position to make 'relationship connections'. I'm not suggesting Facebook sent you the SMS but I consider it more probable that either they or one of their users have been hacked.

  7. Jason

    April 17, 2016 at 10:22 pm #

    How do the scammers know the user's name?

  8. AMS

    April 17, 2016 at 10:46 pm #

    Similar to BXA, I received an SMS that contained personal information about me. It said:
    <first name> <occupation> <location> your Apple/iCloud ID has been supsended. Please confirm your details at http://mobileicloud.uk to prevent this action. Apple Inc.
    The phone number it originates from does not display (it just says 'WARNING').
    The most bizarre thing is that both my first name and location were misspelled. I suspected that the information had been taken from someone else's phonebook, but why would that person misspell not only my name but my location?

  9. Steve

    April 17, 2016 at 10:47 pm #

    Had the one in the article a few days ago.
    They seem to be trying again with the next message:
    "ALERT
    (Name) your Apple ID has been deactivated pending termination. Prevent this by confirming your details at http://icloudmobile.co.uk – iCloud"
    Didn't spell my last name right though :p

  10. Mike

    April 18, 2016 at 8:01 am #

    A friend who relies on me for tech guidance has had this too, last night. The domain was mobileicloud.co.uk which was only registered yesterday.

  11. Barney

    April 23, 2016 at 6:08 pm #

    Just happened to me, the tel number this scam/fraud/crim, sent the SMS message from is + 44 25 378
    Just in case the Police are looking into this.

  12. carol

    April 24, 2016 at 2:32 pm #

    Just had a text from that very same number +44 25 378 saying "We have deactivated your Apple ID. To prevent deletion confirm your details at http://icloudsecuresupport.com – iCloud Support." preceded by my full name although spelt wrong which is what made me realise it was a scam.

  13. Andy

    April 25, 2016 at 12:27 pm #

    A builder friend received one of these yesterday – he was addressed 'Joe Builder' in the message, suggesting the names and numbers are actually harvested from previous victims, presumably taken from their compromised iCloud account, allowing the scam to self-propagate. Clever stuff.

    I'd be interested to know if any non-Apple users have received this? If not, there must be some detection method used to identify the target as an Apple user (this was sent as an SMS not an iMessage so that wasn't it).

    • Amme in reply to Andy.

      April 25, 2016 at 12:44 pm #

      I'm not an Apple user so presuming my name was harvested from someone else's phone contacts.

      • Andy in reply to Amme.

        April 25, 2016 at 2:26 pm #

        Thanks for confirming – in which case it looks like this is indiscriminately 'sent to all' listed in the iCloud sync'd contacts, on the basis it will inevitably hit some Apple users.

  14. George

    May 1, 2016 at 3:37 pm #

    Got the same with a new domain appleukwarning.co.uk and this time the sender just says "Apple.com"

    Very real looking especially since it had my first name, it was only the dodgy domain that tipped me off it was a scam.

    I'm guessing they are harvesting details from past victims as others have suggested. It could also be rogue apps that upload your address book. Happens all the time sadly.

  15. gadget37

    May 1, 2016 at 4:26 pm #

    I received this today pointing me at appleukwarning.co.uk – another icloud clone site.

  16. Razor

    May 18, 2016 at 4:12 am #

    Just got a text message today to tell me my PayPal was locked, I didn't even bother to open it as I don't have PayPal haha

  17. Elliot

    July 29, 2016 at 12:19 pm #

    There's a new one doing the rounds just got a text saying:

    Your apple account had been suspended. Please verify your information ; http://appleid-uk.com

    Website is obviously a phishing site.

  18. Joshua Jones

    August 13, 2016 at 6:27 pm #

    Got a fresh one of these today, also by SMS:

    "Your iAppleID has been suspended because we are unable to verify your information. To unlock it validate your account here: http://bit.do/corNk"

  19. Caroline Gilbert

    August 29, 2016 at 5:35 am #

    Hi, I keep receiving text messages from Apple with an Apple ID number. Is this genuine? Who can I call to find out?

  20. Santos

    November 8, 2016 at 3:15 pm #

    Today 08/11/16
    Phone message, number 425683?
    apple.id.ukicloud.online
    Apple ID has been "locked for security reasons!

  21. Joann

    December 1, 2016 at 6:01 pm #

    I just received similar text from AppCare – telling me my Apple ID is due to expire – final notice. I was suspicious and didn't log in, then checked it online and a number of warnings about scam texts

  22. Madison

    February 2, 2017 at 1:42 am #

    Do I have to worry if I opened the link (which I did) or just if I entered my information (which I didn't)?

    • Graham Cluley in reply to Madison.

      February 2, 2017 at 8:57 am #

      All of the attacks I have heard about related to phishing information from victims, rather than attempting to infect their devices. So if you didn't enter any information you should be fine. :)

  23. Angie

    August 3, 2017 at 9:30 am #

    How do we stop the texts for your Apple ID has been suspended with the link which I haven't clicked into and do not have an Apple phone or anything Apple

    I have received 10 texts this morning I delete them and they keep coming AGH!!!
