Apple ID and Credit Card Phishing – Cybersecurity research

Hello.
Today we will be investigating a phishing case.
An attack of this type usually arrives by email.
An email containing some text, a problem or a prize, and a link.
The text is written to push you to the prepared website.
The link is usually hidden so you cannot tell where it leads, which makes the hoax easier to pull off.

Let’s start with the email I received so you can understand how you can protect yourself.

  1. Re: to what? Is this a response to an email that I sent to Apple? NO! … It’s a trick used to make you open the email believing it’s a response to an email sent by you.
  2. Apple support…. It caught your attention.
  3. Yandex?!? Yandex Browser is a freeware web browser, but this detail still matters: the Apple CEO sent you an email after hiring Yandex … that’s why he’s CEO … to send emails to users…

A link is hidden behind the button.
t.co is Twitter’s URL shortener, and behind this link is the true address we end up at.

h**ps://t.co/BeOT0WkjXn =>
h**ps://twitter.com/safety/unsafe_link_warning?unsafe_link=https%3A%2F%2Fwia.email%2F =>
h**ps://apple.com.confirmation.account.centre.rin5de.center/

The good part is that when you are redirected, Twitter and Firefox warn you about the link you are about to reach.
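As an added example (not code from the original post), here is a small Python script that walks the redirect chain above, pulls the real destination out of Twitter’s unsafe_link parameter, and flags a hostname that spells out apple.com in its subdomain labels while actually belonging to rin5de.center. The BRANDS tuple and the two-label registrable-domain heuristic are assumptions.

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Brand domains to spot inside lookalike hostnames (assumption: extend as needed).
BRANDS = ("apple.com", "icloud.com")

def refang(url: str) -> str:
    """Turn the post's defanged 'h**ps://' back into a parseable scheme."""
    return url.replace("h**ps://", "https://").replace("h**p://", "http://")

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); use a public-suffix list for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def embedded_target(url: str) -> Optional[str]:
    """Twitter's warning page carries the real destination in ?unsafe_link=; decode it."""
    qs = parse_qs(urlparse(url).query)
    return qs["unsafe_link"][0] if "unsafe_link" in qs else None

def brand_in_subdomain(host: str) -> Optional[str]:
    """Flag a host whose leading labels spell a brand domain that is NOT its registrable domain."""
    host = host.lower()
    reg = registrable_domain(host)
    for brand in BRANDS:
        if brand != reg and (host.startswith(brand + ".") or ("." + brand + ".") in host):
            return brand
    return None

def analyse_chain(chain):
    """One finding per hop: host, real registrable domain, spoofed brand, hidden target."""
    report = []
    for raw in chain:
        url = refang(raw)
        host = urlparse(url).hostname or ""
        report.append({
            "host": host,
            "registrable": registrable_domain(host),
            "spoofed_brand": brand_in_subdomain(host),
            "hidden_target": embedded_target(url),
        })
    return report

# The three hops exactly as the post prints them (defanged).
CHAIN = [
    "h**ps://t.co/BeOT0WkjXn",
    "h**ps://twitter.com/safety/unsafe_link_warning?unsafe_link=https%3A%2F%2Fwia.email%2F",
    "h**ps://apple.com.confirmation.account.centre.rin5de.center/",
]
```

Calling analyse_chain(CHAIN) reports the last hop as registrable domain rin5de.center with apple.com as the spoofed brand, and the middle hop’s hidden target as https://wia.email/.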

Let’s ignore everything this time …

What you see is a clone of the Apple website.

I’m not on some cyber unit… yet…. 🙂
Data entered on the fake page will be stored on the server.
So the hacker will know I’ve been around here.

Even if you log in with real credentials, you will receive the same message telling you to move on.

It will ask you to enter bank details and an identification document to unlock your account.

Finally, it redirects you to the real Apple website and you sign in to your “unlocked” account.
At this point you will be glad you did not lose your account, but in reality you have handed the hacker all your banking data plus your identification documents.

Still, let’s see what’s on the main domain.

h**ps://rin5de.center

Index of / … apple.com.confirmation.account.centre is the clone page (old, and still online on 24.02.2017).

A cPanel login and a hint for recovering the password.
153.92.209.145:2083
Username: admin
Password: ?
Email: m—[email protected]—v.com
Name Servers:
ns7.wixdns.net
ns6.wixdns.net

And today…after 10 months online…

The cPanel (153.92.209.145:2083)

I think the data I entered was also convincing (Insider, cyberunit).

Have fun & Stay safe!!!

Alex Anghelus

SC Prodefence SRL CEO - Cyber Security, Pentesting & Ethical Hacking - Malware Analyst
