Deceptive Tactics: Exploiting Apple Account Change Alerts for Phishing Scams
Apple users are being targeted by cybercriminals who are exploiting Apple account change notifications to send fake iPhone purchase phishing scams. These fraudulent emails are disguised as legitimate notifications from Apple, making them more convincing and potentially able to evade spam filters.
A concerned reader shared an email with BleepingComputer that initially appeared to be a routine Apple security notification informing them of an account update.
However, upon closer inspection, the email contained a phishing attempt claiming that an unauthorized $899 iPhone purchase had been made through PayPal. The email also included a phone number for the recipient to call and cancel the supposed transaction.
The phishing email text read, “Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel 18023530761.” It then proceeded to list supposed changes to the recipient’s Apple account, including shipping information.

Source: BleepingComputer
These deceptive emails aim to create a sense of urgency and trick recipients into believing their accounts were used for fraudulent purchases, prompting them to call the provided phone number for assistance.
Typically, when victims call the number, scammers manipulate them into thinking their accounts are compromised and may ask them to install remote access software or hand over financial details.
Previous callback phishing schemes have resulted in financial theft, malware deployment, and data breaches through remote access gained via such methods.
Exploiting Apple Account Notifications
This campaign highlights how cybercriminals are adapting their strategies by leveraging legitimate features on websites for malicious purposes. By utilizing Apple’s own infrastructure, attackers are able to send emails from addresses like appleid@id.apple.com that pass authentication checks, giving the appearance of legitimacy.
dkim=pass header.d=id.apple.com header.i=@id.apple.com header.b=o3ICBLWN
spf=pass (spf.icloud.com: domain of uatdsasadmin@email.apple.com designates 17.111.110.47 as permitted sender) smtp.mailfrom=uatdsasadmin@email.apple.com
Further analysis of email headers confirms that the messages originate from Apple’s own mail infrastructure and are not spoofed.
Initial server: rn2-txn-msbadger01107.apple.com
Outbound relay: outbound.mr.icloud.com
IP address: 17.111.110.47 (Apple-owned)
By exploiting Apple ID creation and modifying account information, threat actors embed phishing messages into legitimate account change notifications. This method allows the malicious content to bypass spam filters and appear as authentic alerts from Apple.

Source: BleepingComputer
By triggering Apple account profile change notifications, scammers can include user-supplied information in the emails, making them more convincing and alarming. This technique aims to deceive recipients into believing their accounts have been compromised.
Header analysis reveals that the original recipient differs from the final delivery address, indicating the use of mailing lists to distribute fraudulent emails to multiple targets.
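Because these messages pass SPF and DKIM, a mail filter has to look at content and routing rather than sender authenticity. The following is an added detection sketch, not code from the article or from Apple; the sample message is constructed from the header and lure text quoted above, and the mx host, subject, To and Delivered-To values are placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the headers and lure text quoted in the article.
# The mx host, subject, To and Delivered-To values are placeholders.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=id.apple.com header.i=@id.apple.com;
 spf=pass smtp.mailfrom=uatdsasadmin@email.apple.com
Delivered-To: victim@example.net
From: Apple <appleid@id.apple.com>
To: list-owner@example.org
Subject: Your account information was updated

Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel 18023530761
The following changes were made to your account: shipping information.
"""

# North American style number, with or without separators or a leading 1.
PHONE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
LURE = re.compile(r"\b(purchase|cancel|refund|pay-?pal|usd)\b", re.I)

def _addrs(msg, header):
    """Lower-cased set of addresses found in every instance of a header."""
    return {a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a}

def callback_phish_signals(raw):
    """Return the content and routing signals present in one raw message."""
    msg = message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    # Undecoded text of every leaf part (the sample is single-part plain text).
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    signals = []
    # Authentication only proves who sent it, so it is recorded, not trusted.
    if "dkim=pass" in auth and "header.d=id.apple.com" in auth:
        signals.append("dkim-pass-apple")
    # A callback number next to purchase wording inside an account notice.
    if PHONE.search(body) and LURE.search(body):
        signals.append("phone-number-with-purchase-lure")
    # Visible recipient is not the mailbox that received it (list fan-out).
    to, delivered = _addrs(msg, "To"), _addrs(msg, "Delivered-To")
    if delivered and not (to & delivered):
        signals.append("recipient-mismatch")
    return signals

if __name__ == "__main__":
    print(callback_phish_signals(SAMPLE))
```

A message that carries all three signals is a candidate for quarantine or a warning banner; the first signal alone describes ordinary Apple mail.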
This scheme mirrors a previous phishing campaign that exploited iCloud Calendar invites to send fake purchase notifications through Apple’s servers.
Users are advised to approach unexpected account alerts with caution, especially if they mention unauthorized purchases or prompt calls to unfamiliar support numbers. If in doubt, users should verify the legitimacy of such communications directly through official channels.
Despite reaching out to Apple for comment, BleepingComputer has not received a response, leaving the possibility of continued abuse in place.

