Apple Users Hit with Large-Scale Smishing Scam

Apple Users the Lone Targets of Scammers: 7,500-Plus Users Already Affected by Latest SMS-Phish Campaigns!

Reports suggest that SMS phishing campaigns are on the rise this summer and that Apple users in particular are being targeted. The latest discovery by security gurus at Intel Security (previously McAfee, Inc.) is clear proof of that.

Security experts at Intel noticed two new campaigns, on July 22nd and July 27th respectively. Both were smishing campaigns, meaning they were SMS-based, and they were tricky enough to immediately con a huge number of Apple users, approx. 7,500. According to the experts, their security products identified the campaigns as purely smishing because a suspicious SMS message was being circulated via a US-based cell phone number.

It is therefore clear that malicious links are being distributed via SMS. As soon as users click on these links, they are redirected to specially designed phishing pages or already hacked websites. These pages were created to steal users’ authentic Apple login IDs and credentials. The smish messages have an email-like format, with email-specific fields such as MSG and FRM in the message. However, the malicious links have been found hiding behind short URLs like

Screenshot shows content of smishing text messages / Source: Intel-Mcafee

Recipients of these tricky text messages were informed that they needed to verify their login details as soon as possible, otherwise their account would be locked by Apple. Also, as in any malicious message or email, users were asked not to ignore the message or regard it as spam. The message also contained a link that supposedly led to the page where Apple needed them to verify their login credentials.
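The traits described above (email-style FRM/MSG fields, a verify-or-be-locked demand, a link behind a URL shortener) can be checked mechanically when triaging reported texts. This is an added example, not code from Intel Security or the original article; the shortener list, keyword lists, two-trait threshold and sample messages are assumptions constructed for illustration.

```python
import re

# Assumption: the article's own list of short-URL services is cut off,
# so this set of well-known shorteners is illustrative only.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "ow.ly", "t.co"}

# Email-to-SMS style fields named in the article.
GATEWAY_FIELD = re.compile(r"\b(FRM|MSG):")
# Host part of anything that looks like a link, with or without a scheme.
URL = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
# "Verify your login or the account gets locked" wording (assumed keywords).
VERIFY = re.compile(r"\b(verify|confirm|validate)\b", re.I)
LOCK = re.compile(r"\b(locked|suspended|disabled)\b", re.I)


def triage_sms(text):
    """Return the smishing traits found in one SMS body."""
    reasons = []
    if {"FRM", "MSG"} <= set(GATEWAY_FIELD.findall(text)):
        reasons.append("email-style FRM/MSG fields")
    hosts = {m.group(1).lower() for m in URL.finditer(text)}
    if hosts & SHORTENERS:
        reasons.append("shortened link hides destination")
    if VERIFY.search(text) and LOCK.search(text):
        reasons.append("verify-or-be-locked pressure")
    return reasons


def is_suspicious(text, threshold=2):
    """Flag only when several traits coincide; one alone is common in benign SMS."""
    return len(triage_sms(text)) >= threshold


# Constructed sample messages, not taken from the campaigns.
SAMPLES = [
    "FRM:Apple Support MSG:Your Apple ID is due to be locked today. "
    "Verify your login now at http://bit.ly/EXAMPLE1",
    "Your pharmacy order is ready for pickup. Reply STOP to opt out.",
    "Running late, check the map https://goo.gl/EXAMPLE2",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(is_suspicious(sms), triage_sms(sms))
```

The third sample shows why the threshold matters: a shortened link on its own is not flagged, only the combination of traits is.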

Screenshot shows content of smishing text messages once the user is redirected to a scammy or already hacked site / Source: Intel-Mcafee

The final step! / Source: Intel-Mcafee

US-based users were identified as the primary targets of the two campaigns, which are currently running in parallel. Around 1,765 and 5,784 users have already clicked on the malicious link provided in the SMS messages from the two campaigns.

This is the first time researchers have found large-scale smishing attacks on Apple users. In the past, Android users were found to be under attack by a phishing text message that infected Android devices and replaced existing banking apps with malware. In other research, RuMMS malware was found infecting Android devices through smishing.

Apple or Android user, it doesn’t matter: cyber criminals see you as a target for your bank account, not for the smartphone or OS you choose. So in case you receive unknown text messages with the aforementioned links, DON’T FALL for them and NEVER click such links.



Pokémon Go players beware, there is a phishing scam targeting you

Nineteen-year-old Christopher Newport University student Anna Moon is a Level 16.

Her 23-year-old brother Daniel is a Level 15.

It hurts to have your little sister winning the most popular game of the summer: Pokémon Go.

But Daniel could get ahead by buying Pokémon coins.

“I’m a broke college student. I don’t think my mom wants me to spend money on that.”

If she would allow it, he might be tempted by two phishing emails targeting Pokémon gamers.

In one, the Better Business Bureau warns, gamers are told the game is no longer free, but now costs $12.99 each month. The BBB received a few complaints and then Variety Magazine published an alert.

7 On Your Side found a second phishing email, offering 14,500 free Poke-coins, a near $100 value if you were to buy the coins legitimately within the app.

“At first I was excited. 14,000 — that’s a lot of cash,” said 46-year-old gamer Lori McVittie. She got the email bait, but did not bite.

“I call it a ‘Phokemon’ email. Phishing plus pokemon together and you get ‘Pokémon’.”

Reston gamer, 22-year-old Benjamin Myers, said he would be suspicious of such an offer.

“Probably a virus in there somewhere.”

Probably. The BBB warns that the schemes are designed to steal passwords and money.

So would Anna Moon buy coins under any circumstance, just to keep her lead over her big brother?

“No, I want to beat him fair and square,” she said.

But scammers are banking on gamers who are more willing than she is to pay to play.

So, how do you avoid being caught in this scam? Some helpful tips from the BBB are listed below.

  • Be wary of unexpected emails that contain links or attachments. Do not click on links or open files in unfamiliar emails.
  • Check the reply email address. One easy way to spot an email scam is to look at the reply email. The address should be on a company domain, such as
  • Don’t believe what you see. Just because an email looks real, doesn’t mean it is. Scammers can fake anything from a company logo to the “Sent” email address.
  • Consider how the organization normally contacts you. If an organization normally reaches you by mail, be suspicious if you suddenly start receiving emails or text messages without ever opting in to the new communications.
  • Be cautious of generic emails. Scammers try to cast a wide net by including little or no specific information in their fake emails. Be especially wary of messages you have not subscribed to or companies you have never done business with in the past.
  • If you receive one of the “phishy” Pokémon Go-related offers, report it to the BBB Scam Tracker.


Amazon account hijacking: how to defend yourself against fraudsters

Having an Amazon account hacked is the nightmare scenario for any user of the service. It’s impossible to say how common the problem is but there have been enough anecdotes on public websites in the last year to say that the risk of hijacking is real.

As we noted in an article looking at Amazon security settings last year, users can turn on two-step verification (see discussion below) via SMS or through an app but only if they are using US accounts. UK and other non-US users can only access the same security feature if they sign up for US accounts first and then enable it for the site. It’s a workaround but a needless one that Amazon should put right as soon as possible.

Amazon account security – types of Amazon fraud

Amazon fraud can be broken down into several types: purchase fraud against buyers, fake goods scams (caveat emptor), and fraud against sellers (caveat venditor) in the firm’s Marketplace. The latter is a complex topic that could consume several articles, so we’re going to focus on the former, in which accounts are hacked and goods are fraudulently bought and sent to third-party addresses at the account holder’s expense. Since Amazon watches for out-of-character goods fraud, some attackers avoid detection by asking for refunds on goods already ordered.

How do hackers compromise Amazon accounts in the first place? The commonest method is some form of phishing through which criminals get their hands on a user’s Amazon ID and password. Once they have control of the account it can be surprisingly difficult to get it back. Amazon’s customer service seems to be chaotic at times and finds it hard to distinguish between people who have genuinely lost their account access and those who merely think they have after receiving a bogus shipping email (see below).

It’s rarer but still possible that old-fashioned keylogging malware, in which the user’s account details are stolen remotely from their PC, could be to blame. This makes account resets a particular trial as the hacker will know the new credentials and keep changing them to block access.

If they have got hold of Amazon credentials, attackers will try other accounts that might use the same password (people often re-use them). That means PayPal, Gmail, e-commerce store accounts – you name it and the hackers will try it.

Amazon account security – phishing attacks

No matter how immune you believe you are to phishing attacks, you almost certainly aren’t. The criminals know this and use a number of techniques to hook people. Common examples include:

– A spoofed email that appears to be from Amazon for an imaginary order for a sizable sum which should be queried using a bogus login page.

– In a variation on this, a bogus dispatch confirmation message.

– Notification of a refund after an order was double billed with a request for address confirmation.

There are numerous others (including ones that push other threats such as ransomware) but we publish these to illustrate the point that phishing messages can be hard to resist. Any regular Amazon user confronted with what appears to be an order confirmation message for something they haven’t bought will be concerned. It is that psychological vulnerability that makes phishing so successful.

Anyone who enters their username and password into the phishing page will have handed access to their account to criminals, who will then use it to change registered addresses and purchase goods to send to them using linked credit or debit cards.