We recently found a phishing page on PhishTank targeting users of the Apple Store.

The fraudulent page, which is hosted on a server at OVH, a highly popular web hosting platform in Europe, claims to be an Apple Store Purchase Confirmation page.

URL: ns383133[dot]ovh[dot]net/.apple/appl3/

[Screenshot: fake Apple Store Purchase Confirmation page]

Apple Store Purchase Confirmation 
Thank you for purchasing the following items: Space Qube 
Order Number: MHDH6YM6KZ 
Receipt Date: 
Order total: GBP 22.99 
If you initiated this download, you can disregard this email. It was only sent to alert you in case you did not initiate the download yourself. If you did not initiate this download, please cancel the transaction by filling the form below. 

See Apple ID: Tips for protecting the security of your account for further assistance.

It starts off by thanking the visitor for purchasing a game called Space Qube, and then informs him/her that the email linking to the phishing page was only sent as an “alert” because he/she initiated the game download. Of course, spam recipients with an Apple account who may not have purchased the said game would likely try to cancel this transaction by filling in their personal information as requested.

At this point, however, one should already realize that companies like Apple wouldn’t ask for the user’s billing information again, nor his/her mother’s maiden name, just to cancel a mistaken purchase.

We did a quick Google search using the order number as reference and found that the phishing spam has been landing in inboxes since February.

Once users have provided their information, they are directed to the following page, which asks for their password for “additional verification”.

[Screenshot: “additional verification” password prompt]

Once the password is entered and the Submit button is clicked, the user is sent to the “Thank You” page below, which appears only briefly before redirecting them to the legitimate Apple sign-in page.

[Screenshot: fake Apple “Thank You” page]

We looked into the phishing URL further and found that the /.apple/ URL path is an open directory containing exactly 100 duplicates of the phishing page. Below is a sample screenshot of the directory:

[Screenshot: open directory listing under /.apple/]

We have already reported the phishing subdomain to OVH’s abuse channel.
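The phishing URL reported above has traits a mail or proxy filter can check mechanically: the brand name sits in the path of a host that is not Apple's, one segment is a digit-for-letter lookalike ("appl3"), and the kit lives in a dot-prefixed directory. The sketch below is an added example, not part of the original post; the function names, the brand allow-list and the character-swap table are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: brand -> domains that legitimately serve that brand's pages.
BRAND_DOMAINS = {"apple": ("apple.com", "icloud.com")}
# Assumption: common digit-for-letter swaps, as in the "appl3" segment.
LEET = str.maketrans("013457", "oleast")


def refang(ioc):
    """Turn a defanged indicator (hxxp, [dot], [.]) into a parseable URL."""
    url = re.sub(r"\[(?:dot|\.)\]", ".", ioc.strip(), flags=re.I)
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    return url if "://" in url else "http://" + url


def phishing_signals(ioc):
    """Return the list of suspicious traits found in one URL."""
    parts = urlsplit(refang(ioc))
    host = (parts.hostname or "").lower()
    segments = [s for s in parts.path.lower().split("/") if s]
    signals = []
    for brand, domains in BRAND_DOMAINS.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            continue  # the brand's own infrastructure may use its name
        for seg in segments:
            plain = seg.lstrip(".")
            if brand in plain:
                signals.append(f"brand-in-path:{seg}")
            elif brand in plain.translate(LEET):
                signals.append(f"lookalike-in-path:{seg}")
    # Dot-directories are hidden from plain listings on Unix hosts;
    # /.well-known/ is the standardised exception.
    signals += [f"hidden-dir:{s}" for s in segments
                if s.startswith(".") and s != ".well-known"]
    return signals


if __name__ == "__main__":
    # First URL is the one from this post; the other two are constructed.
    for url in ("ns383133[dot]ovh[dot]net/.apple/appl3/",
                "https://www.apple.com/shop/bag",
                "hxxp://example[.]test/.well-known/security.txt"):
        print(url, "->", phishing_signals(url))
```

These signals are heuristics for triage and scoring, not a verdict on their own.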

Apple users must be on guard for phishing attempts such as this. If and when you receive suspicious emails supposedly from the company, it’s better to ignore and delete them from your inbox.

Jovi Umawing