{"id":2515,"date":"2024-09-25T18:31:57","date_gmt":"2024-09-25T18:31:57","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2515"},"modified":"2025-07-29T03:50:15","modified_gmt":"2025-07-29T03:50:15","slug":"phishing-campaign-timed-to-take-advantage-of-apple-frenzy","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/phishing-campaign-timed-to-take-advantage-of-apple-frenzy\/","title":{"rendered":"Phishing campaign timed to take advantage of Apple frenzy"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img fetchpriority=\"high\" decoding=\"async\" width=\"477\" height=\"318\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/tiny-people-700921_960_720.webp\" alt=\"tiny-people\" class=\"wp-image-2528\" style=\"width:621px;height:auto\"\/><\/figure>\n<\/div>\n\n\n<p>Consumers aren\u2019t the only ones riding the iPhone 8 hype wave; hackers are surfing it too. On the same day that Apple officially unveiled its latest release, LMNTRIX\u2019s Cyber Defence Centre discovered an expertly crafted Apple-themed phishing campaign that we believe is designed to take advantage of the frenzy.\u00a0<br><br>Cyber attackers were clearly prepared for the announcement, crafting an extremely sophisticated landing page designed to trick users into submitting their details after receiving a spoofed \u2018Apple Payment Confirmed\u2019 email.\u00a0<br><br>Below we see the initial email sent to users. Note the grammatical errors and spelling mistakes that typically signify a phishing campaign:\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"858\" height=\"349\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/1-42.webp\" alt=\"\" class=\"wp-image-2516\"\/><\/figure>\n\n\n\n<p><em>Figure 1. Initial Phishing Email.<\/em><br><br>A malicious PDF attachment was sent along with the email. 
A URL embedded in the attachment redirects users to the phishing page. This PDF is shown below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"601\" height=\"605\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/2-40.webp\" alt=\"\" class=\"wp-image-2517\" srcset=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/2-40.webp 601w, https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/2-40-150x150.webp 150w\" sizes=\"(max-width: 601px) 100vw, 601px\" \/><\/figure>\n\n\n\n<p><em>Figure 2. PDF Attachment with malicious cancellation link.<\/em><br><br>Static analysis of the PDF file confirmed the following details:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>MD5<\/td><td>5a92d388ead084e794361eaba850fc6f<\/td><\/tr><tr><td>SHA-1<\/td><td>ce823825fd764b0d3d7254bff0607c55de263bfc<\/td><\/tr><tr><td>File Type<\/td><td>PDF<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>We quickly ruled out the possibility of malicious macros or other scripts. This campaign relies entirely upon a victim following the embedded URL:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Type: \/Action &nbsp;Referencing: &nbsp; &lt;&lt; &nbsp;&nbsp;&nbsp; \/Type \/Action &nbsp;&nbsp;&nbsp; \/S \/URI &nbsp;&nbsp;&nbsp; \/URI (http: &nbsp;&nbsp;&nbsp; \/ \/bit.do &nbsp;&nbsp;&nbsp; \/updateuseraccount-reupdate )<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Above, we see the embedded URL: hxxp:\/\/bit(.)do\/updateuseraccount-reupdate<br><br>To further understand the hosting infrastructure, we executed the PDF in our controlled environment and observed its actions.\u00a0<br><br>The initial email is designed to imitate that of a successful Apple purchase. In order to cancel the purchase, the user is asked to click the phishing link in the attachment (see Figure 2).<br><br>This PDF was crafted as a call to action. 
The timing of the campaign, together with the vague payment confirmation details in the initial email, led us to suspect the campaign was deliberately timed with news of the iPhone 8 release. With Apple front of mind for many users, this would entice more victims to open the PDF.\u00a0<br><br>Once opened, the PDF states that a SMULE Paid Membership has been purchased. SMULE is a karaoke app. Along with the malicious link embedded in the cancellation code, the Apple purchase code also redirects to the same phishing page.\u00a0<br><br>We then visited the phishing URL:<br><br>hxxps:\/\/secureid.sign-idapple.unathorized-purchase-au(.)com\/<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"737\" height=\"37\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/3-39.webp\" alt=\"\" class=\"wp-image-2518\"\/><\/figure>\n\n\n\n<p><em>Figure 3. Safe Browsing.<\/em><br><br>Below is the fake Apple page:\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"497\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/4-38-1024x497.webp\" alt=\"\" class=\"wp-image-2523\"\/><\/figure>\n\n\n\n<p><em>Figure 4. Fake Apple Page.<\/em><br><br>The full URL is: hxxps:\/\/secureid.sign-idapple.unathorized-purchase-au(.)com\/Login.php?sslchannel=true&amp;sessionid=fp34l6KbOjulpzMePMOo4WtkTWLIFXsUmwYIDJUs2oOrYAGNmvcqrFLkBx3hvwcR3bAHVvaYUYqSy6GU<br><br>Given the highly sophisticated landing page, a victim could be forgiven for believing this was a legitimate Apple page.<br><br>We then visited the parent domain and found that the entire domain is being used for phishing, hosting multiple fake pages.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"327\" height=\"253\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/5-37.webp\" alt=\"\" 
class=\"wp-image-2527\"\/><\/figure>\n\n\n\n<p><strong>Conclusion and mitigation<\/strong><br><br>Given the hype surrounding all-things-Apple at the time of a new iPhone release, we believe this phishing campaign has been deliberately timed to take advantage of the increased interest.\u00a0<br><br>Blocking the malicious URL will greatly help protect users against this campaign.<br><br>Traditional anti-virus programs won\u2019t detect this sample automatically; the signature must be updated manually and the malicious URL blocked.\u00a0<br><br>IOC: URL: hxxps:\/\/secureid.sign-idapple.unathorized-purchase-au(.)com\/.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Consumers aren&rsquo;t the only ones riding the iPhone 8 hype wave; hackers are surfing it too. On the same day that Apple officially unveiled its latest release, LMNTRIX&rsquo;s Cyber Defence Centre discovered an expertly crafted Apple-themed phishing campaign that we believe is designed to take advantage of the frenzy.&nbsp; Cyber attackers were clearly prepared for the announcement, 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2528,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2515","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2515"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2515\/revisions"}],"predecessor-version":[{"id":4261,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2515\/revisions\/4261"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2528"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}