I had one about a month ago now where I was actually impressed with how they did it.
I have an Apple account just for the kids' Apple devices (required for school). Received an email from Apple support about fraudulent activity, saying that they'd call at a set time. I thought that was weird and checked out the email, and everything was legit.
Call came in a little earlier than stated in the email. They knew all the right details including the case number, sent a verification code to my mobile from a short code SMS "iCloud", and at that point they had me. But only until they asked me to go to a site apple.somebullshit.com. Well, Apple isn't going to use a domain that's not *.apple.com. I went there anyway to check, and the SSL cert was from Let's Encrypt. Apple ain't using Let's Encrypt.
20 years in IT, and that's the closest I've been in a very long time to falling for something.
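The rule the commenter applied ("Apple isn't going to use a domain that's not *.apple.com") is easy to get wrong in a hurry, because apple.somebullshit.com, apple.com.somebullshit.com and https://apple.com@somebullshit.com all contain the string "apple.com". The following is an added example, not code from the thread, that turns that rule into a label-boundary check on a URL's real hostname; the URLs in it are constructed test inputs, with "somebullshit.com" kept as the commenter's placeholder, and the certificate-issuer part of the check is not covered here.

```python
"""Decide whether a URL's host really sits under an expected apex domain.

Added example (not part of the original thread). Hostnames are constructed
test inputs; "somebullshit.com" is the commenter's placeholder domain.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def registrable_suffix_match(host: str, apex: str) -> bool:
    """True only if host equals apex or ends with '.' + apex.

    A plain substring/startswith test would accept apple.somebullshit.com
    and apple.com.somebullshit.com; checking the label boundary rejects both.
    """
    host = host.lower().rstrip(".")
    apex = apex.lower().rstrip(".")
    return host == apex or host.endswith("." + apex)


def url_is_under_domain(url: str, apex: str) -> tuple[bool, str]:
    """Return (verdict, reason) for a link against an expected apex domain.

    Rejects the tricks phishing links rely on:
      * apex used as a leading label of another domain (apple.evil.com)
      * apex placed in the userinfo part (https://apple.com@evil.com/)
      * apex appearing only in the path or query
      * IDN / punycode lookalike labels (xn--) or non-ASCII hosts
      * anything that is not HTTPS
    """
    parts = urlsplit(url.strip())
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}, not https"
    if not host:
        return False, "no hostname in URL"
    if "@" in parts.netloc:
        return False, f"userinfo before '@' hides the real host {host!r}"
    if not host.isascii() or any(
        label.startswith("xn--") for label in host.split(".")
    ):
        return False, f"IDN/punycode label in {host!r}, possible lookalike"
    if not registrable_suffix_match(host, apex):
        return False, f"{host!r} is not {apex} or a subdomain of it"
    return True, f"{host!r} is under {apex}"


if __name__ == "__main__":
    # Constructed links: one legitimate shape, the rest phishing patterns.
    for link in (
        "https://support.apple.com/case/123",
        "https://apple.somebullshit.com/verify",
        "https://apple.com.somebullshit.com/",
        "https://apple.com@somebullshit.com/",
        "https://somebullshit.com/apple.com/login",
        "https://xn--ppl-ypa.com/",
        "http://support.apple.com/",
    ):
        ok, why = url_is_under_domain(link, "apple.com")
        print(f"{'OK  ' if ok else 'FAIL'} {link}: {why}")
```

The hostname comes from `urlsplit(...).hostname` rather than from a regex over the whole URL, because that is the value the browser actually connects to; everything before an `@` in the authority is userinfo, not the host.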
I know someone who got had by a spear-phishing call. They knew all the details about his phone contract and sounded 100% legit. The scammer got thousands of dollars in prepaid SIM cards from his account.
After the police investigation, turned out that the scammer was actually a former employee of the phone company who downloaded a copy of the customer list when he got fired.
So are you saying the original email genuinely was from Apple? If so do you have any idea how the scammers got all that info? And did you ever receive the legitimate call back from Apple?
I’m just speculating but maybe they (scammers) filled out a fraudulent activity form on the Apple site on behalf of the victim and then called before an Apple rep did.
Wouldn’t they still need to know the username and telephone number then? That seems like something most people would be unable to link.
Again, I am going into the realm of conjecture here over a little post, but maybe they had loads of information on Apple users from a data breach and this is how they were capitalising on them.
Yeah that’s how I think they did it.
Yeah, it was a legit Apple support email, and I compared it to the email I received after calling Apple and starting a new case to give them all the info I could about the scam.
I assume they got my info from a data leak somewhere.
Apple ain’t using Let’s Encrypt
To be fair, I’ve seen just about everyone use Let’s Encrypt, from banks to nsa.gov. The latter has switched their certificate provider though.
They got you because you're not familiar with the Apple ecosystem or their support system. That's all sus as hell.
You also failed at basic opsec because you allowed them to control the flow of communication.
Was there actual suspicious activity? Did an actual Apple representative ever contact you? Because it sounds like the whole thing was a phish, but you make it sound like they just got the case number and timing, when the more likely scenario is that the email was also them.
Totally agree that I don't know the Apple ecosystem, and that made it easier. It was a legit Apple support email. I even compared all the email headers with the email I received after I called Apple support and opened a new case. I gave them all the info I could.
It was definitely phishing; I'd even say spear phishing, as they knew all of my details without me giving them out. I assume from leaked data somewhere.
I'm pretty sure that they were able to create a support case with my details and schedule it for that time, so they had the case number and knew to call before that time.
Imagine when AI is automating the whole process. Including the phone call.
That’s frightening
Thanks for sharing your story! It is very important to get these stories as well, someone who has 20 years in tech so close to getting scammed…
You did the correct thing and kept track of the url etc. on an offday you might not have been so vigilant.
That's just made me think of something else about the day. Totally coincidental, but earlier in the day I was looking into what permissions the Microsoft Company Portal app had on unmanaged Android and iOS devices for a concerned user.
Then I got the email from Apple support and was like WTF‽ Then I realised it was to my private email and went, damn! How’s that timing.
privacy policy
look inside
sells your data
The policy is that you don’t have privacy and that they sell your data.
I heard once that the reason those phishing emails are (usually) pretty obvious is that the phisher doesn't want to accidentally catch a more attentive and careful victim, spend time trying to wire money from them, only for the victim to realize it's a scam before following through, wasting the phisher's time. The type of person who falls for the Nigerian prince stuff is not common, but they exist, and the odds of them paying out are much higher.
Depends on what the end goal is. Wire fraud? Sure. Typically a Business Email Compromise will try and compromise the account credentials to use it as a location to send other mass phishing attacks to their contacts, gain access to sensitive information the user had, or laterally move between systems and further compromise the organization. In that case, you would want the message to appear as legitimate as possible to gain access to the highest privileged accounts.
wow I hate this meme format
Also work on the unsubscribe button
At this point, that’s like a default corporate feature.