SecureWorld News

Hacker Case Study: More Real on the Front End, More Use of Encryption on the Back End

Written by SecureWorld News Team | Wed | May 23, 2018 | 2:32 PM Z

The only thing typical about this series of attacks during the last few weeks is the fact it starts with phishing.

A fake Apple email asks you to change your information and directs you to a fake Apple website. After that, the spring 2018 attack shows a disturbing amount of sophistication.

Which Apple site is real, which one is fake?

Trend Micro's research team created excellent documentation that reveals what this sophistication looks like.

Without looking at the URL, do you think your employees could spot the fake?

Site #1 - Is this the fake Apple website?

Site #2 - Or is this the fake Apple website?

The correct answer is that site #1 is the fake site. This is where the phishing emails took Trend Micro researchers at first.

After entering your credentials, you are forwarded to this page, which really shows how bad actors are upping their game in phishing and spoofing attacks.

Says Trend Micro: "It had the basic data-input validation, checked if credit card numbers were correct using a basic checksum function that prevents typos, and also verified the numbers and text fields for string length and special characters’ presence. The date, email, name and CVC number fields were also validated for the proper input."

In other words, even if your users were suspicious at first, everything about the site actually looked and behaved like your employees or family members would expect.

After the attackers harvest all the information you enter there, you are forwarded to the legitimate Apple ID website, which was image #2 above.

Bad actors using encryption to hide

In addition to the spoofed site being so high quality, the Trend Micro team found, "The site was encrypted using Advanced Encryption Standard (AES) to avoid the reputation crawlers and other security countermeasures. Using AES for this kind of obfuscation is unusual for a phishing scam...."

And the use of AES will present an additional problem—it may slip right through some of your detection tools.

"The phishing site was able to bypass some anti-phishing tools incorporated in antivirus solutions for home and business from various vendors.

We verified this threat using the Trend Micro™ Smart Protection Network™ infrastructure. We were able to track the activity of the sender, and this particular email scam was detected between the 23rd of April 2018 and 1st of May, 2018."
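One way a defender can look for the evasion described above, as an added example that is not from the Trend Micro report or the SecureWorld article: the raw HTML a reputation crawler fetches contains almost no visible text, while an inline script carries one large, high-entropy literal that client-side code decrypts into the real page. The heuristic below scores a page on exactly that pattern; both sample pages and the `aesDecrypt` helper name are constructed for illustration.

```python
import base64
import math
import random
import re
from collections import Counter

# Long base64-looking string literals inside <script> blocks.
BLOB_RE = re.compile(r'["\']([A-Za-z0-9+/=]{200,})["\']')
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
TAG_RE = re.compile(r"<[^>]+>")


def shannon_entropy(s: str) -> float:
    """Bits per character; a base64 alphabet tops out at 6.0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_page(html: str, min_blob: int = 200, min_entropy: float = 5.5,
                 max_visible: int = 200) -> dict:
    """Flag a page whose visible content is tiny while an inline script holds a
    large high-entropy literal: the markup is shipped encrypted and rebuilt in
    the browser, so a crawler reading the raw HTML never sees the login form."""
    scripts = "\n".join(SCRIPT_RE.findall(html))
    blobs = [b for b in BLOB_RE.findall(scripts) if len(b) >= min_blob]
    top_entropy = max((shannon_entropy(b) for b in blobs), default=0.0)
    visible = TAG_RE.sub(" ", SCRIPT_RE.sub(" ", html))
    visible_len = len(" ".join(visible.split()))
    suspicious = top_entropy >= min_entropy and visible_len <= max_visible
    return {"blob_entropy": round(top_entropy, 2),
            "visible_chars": visible_len, "suspicious": suspicious}


# Constructed samples (not captured from the real campaign).
_rng = random.Random(2018)
_BLOB = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(600))).decode()
ENCRYPTED_PAGE = ('<html><body><div id="c"></div><script>var k="k3y";var d="'
                  + _BLOB + '";'
                  'document.getElementById("c").innerHTML=aesDecrypt(d,k);'
                  '</script></body></html>')  # aesDecrypt is a hypothetical helper
PLAIN_PAGE = ('<html><body><h1>Sign in with your Apple ID</h1>'
              '<form><label>Apple ID</label><input name="u">'
              '<label>Password</label><input name="p" type="password">'
              '<button>Sign In</button></form></body></html>')
```

Entropy thresholds are a triage signal, not a verdict: legitimate single-page apps can also ship large literals, so pair the score with the visible-text check and with the URL and certificate reputation of the host.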

Be sure to read Trend Micro's report "New Phishing Scam Uses AES Encryption and Goes After Apple IDs" for the complete case study and related resources.

Then share the comparison of the fake and real Apple ID websites to show end users how sophisticated cyber attackers are becoming.

It might be just the thing that protects your network from the next phishing campaign to hit an employee's inbox.