Apple ID Scam: Part 3 - Your Apple ID is on Hold
Sunday, October 25. 2015
One of my honey traps caught an interesting one. Typically the junk is 419 scams, and for all their variations, twists and quirks, they offer very little worth reporting. I have written about Apple ID scams earlier, in part 1 and part 2.
This is how the "roper" is trying to lure me in. He chose to impersonate the CEO of Apple Inc, Mr. Cook. Really believable, IMHO.
Here goes:
Dear Customer,
We have detected an unauthorized sign in on your Apple ID (me@my.mail)
We have temporarily locked your Apple ID for your safety.
While your Apple ID is locked, access to Apple software and your iCloud is limited.
In order to unlock your Apple ID Account please click here.
Privacy
Security and privacy are fundamental to the design of all our hardware, software, and services, including iCloud and new services like Apple Pay. And we continue to make improvements. Two-step verification, which we encourage all our customers to use, in addition to protecting your Apple ID account information, now also protects all of the data you store and keep up to date with iCloud.
We believe in telling you up front exactly what's going to happen to your personal information and asking for your permission before you share it with us. And if you change your mind later, we make it easy to stop sharing with us. Every Apple product is designed around those principles. When we do ask to use your data, it's to provide you with a better user experience.
Our commitment to protecting your privacy comes from a deep respect for our customers. We know that your trust doesn't come easy. That's why we have and always will work as hard as we can to earn and keep it.
Tim Cook
CEO, Apple Inc.
Sure, it could have been true. It is possible that my Apple ID was put on hold because somebody attempted to hack it, but it wasn't.
Findings:
- The Apple logo in the HTML version of the e-mail was loading from http://i.imgur.com/zGVkgD1.png. I don't think Apple Corporation would host its logo on a public image-sharing site.
- The link to unlock pointed to http://support.apple.com.en-gb.confirm.id.auth.cgi-key.myapple-unlock.web.user.<THIS-PART-REMOVED>.com. The registered domain is the final part of that hostname; "support.apple.com" is just a subdomain label, and that really doesn't sound like something Apple would use.
- Actually, at the time of writing, the entire domain had been taken down. It's not available: no DNS, nothing.
- The domain was registered via Todaynic.com, Inc., a Chinese domain registrar. Really! I'm sure Apple wouldn't use them.
- The registrant for the domain was a private person, allegedly living in Beijing, China.
- The e-mail took the following route:
  - Original client in a Suddenlink Communications DHCP pool. The IP geolocates to Greenwood, Mississippi, USA.
  - Mail relay via Power DNN of Omaha, Nebraska, USA
  - Google Mail
  - Me
- The mail route doesn't make any sense. All my real Apple e-mail originates from Apple directly, not via obscure telecom operators.
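The three checks in the findings above can be automated. The following Python script is an added example, not code from the post: on a constructed copy of such a mail it flags a link whose hostname embeds the brand's domain as subdomain labels of a different registered domain, resources loaded from off-brand hosts, and a Received chain whose first hop is outside the brand's mail infrastructure. The sample message, hostnames and addresses are constructed placeholders (the reserved example.com stands in for the removed part of the domain), and registrable_domain is a two-label simplification that ignores the public-suffix list.

```python
import re
from email import message_from_string
from email.policy import default

BRAND_DOMAINS = {"apple.com", "icloud.com"}
# Constructed sample modelled on the post's findings: the brand's domain sits in
# subdomain labels of the real registrable domain (reserved example.com stands in
# for the removed part), the logo is off-brand and the route starts at a DHCP pool.
SAMPLE_MAIL = """\
Received: from mail.example.net (mail.example.net [203.0.113.10]) by mx.google.com with ESMTP; Sun, 25 Oct 2015 10:00:00 +0000
Received: from relay.example.org (relay.example.org [203.0.113.20]) by mail.example.net with ESMTP; Sun, 25 Oct 2015 09:59:00 +0000
Received: from pool-198-51-100-7.example.com ([198.51.100.7]) by relay.example.org with ESMTPA; Sun, 25 Oct 2015 09:58:00 +0000
From: Apple <appleid@id.apple.com>
Content-Type: text/html; charset=utf-8

<html><body><img src="http://i.imgur.com/logo.png">
<p>Please <a href="http://support.apple.com.en-gb.confirm.id.auth.myapple-unlock.web.user.example.com/">click here</a>.</p>
</body></html>
"""
def registrable_domain(host):
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand_in_subdomain(host, brands=BRAND_DOMAINS):
    """True when a brand domain appears as subdomain labels of a different domain."""
    return any(f".{b}." in f".{host.lower()}." and registrable_domain(host) != b for b in brands)

def urls_in_html(html):
    """(attribute, hostname) for every absolute http(s) href/src in the body."""
    return [(a.lower(), h) for a, h in re.findall(r'(href|src)="https?://([^/"]+)', html, re.I)]

def received_chain(msg):
    """Hosts named after 'from' in the Received headers, oldest hop first."""
    hops = [re.search(r"from\s+(\S+)", h) for h in msg.get_all("Received", [])]
    return [m.group(1) for m in reversed(hops) if m]

def triage(raw):
    """Return the indicator strings a findings list like the post's would carry."""
    msg = message_from_string(raw, policy=default)
    findings = []
    for attr, host in urls_in_html(msg.get_content()):
        if brand_in_subdomain(host):
            findings.append(f"{attr}: brand domain used as subdomain of {registrable_domain(host)}")
        elif registrable_domain(host) not in BRAND_DOMAINS:
            findings.append(f"{attr}: resource hosted off-brand at {host}")
    chain = received_chain(msg)
    if chain and registrable_domain(chain[0]) not in BRAND_DOMAINS:
        findings.append(f"route: first hop {chain[0]} is not a brand mail host")
    return findings
```

Run triage(SAMPLE_MAIL) to get the three indicators; on a real message, feed it the raw source including all headers, since the Received chain is the part a forged From line cannot hide.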
I think that's plenty of proof to call that one a fake!