Watch out for this clever and dangerous new ‘Apple Support’ hoax

Macworld

Most Apple customers have learned to be cautious about messages claiming to come from the company’s support services. It’s vital to check URLs and email addresses for small discrepancies, scan the messages themselves for spelling mistakes, formatting errors, and other giveaway signs of danger, and treat everything as suspect until you know for sure that it came from Apple itself.

All of this remains true. But an alarming new scam shows that even authentic Apple messages and alerts can be hijacked to serve attackers’ malicious purposes.

As reported this week by AppleInsider, a user named Eric Moret was recently taken in by an attack which attempted to steal his Apple account credentials, and almost succeeded. Unlike most such attempts, it seemed convincing because it began and was punctuated by real Apple messages. The ingenious part of the attack was the way real and fake messages were blended together with precise timing.

The first sign that something was wrong was a series of two-factor notifications, all of them genuine, across multiple devices. This was followed by an automated call from Apple reading out another verification code. All of this set off alarm bells, of course, but in precisely the way the attackers wanted; it set up the next phase of the attempt.

This is when the attackers entered the fray. Moret received a call from an Atlanta number, claiming to be from Apple Support and warning of an attempt to hijack his account. They spoke calmly, he says, didn’t act aggressively or try to rush him into any particular action, and simply told him to expect a second call with more details. This duly took place, but was accompanied by another clever piece of trickery: a genuine email from Apple indicating that a support case had been opened.

Backed up by the real notifications and messages, the call was given the sheen of legitimacy. Moret followed the caller’s instructions to reset his Apple ID password, and once again, the attacker showed reassuring patience in not asking to be told the new password or any verification codes.

Instead, the trap was sprung a few moments later when Moret received a text with a link that would supposedly “close the support ticket.” This showed the (real) case number and otherwise looked legitimate. And just at the moment when it asked for a confirmation code to be entered, one arrived from Apple. Understandably, Moret entered the code, instantly giving the attackers access to his account.

He was only saved from disaster by a pop-up warning that his Apple ID had signed in on an unknown machine–a pop-up which the caller was prepared enough to anticipate, and which they claimed was nothing to worry about, though Morey’s natural suspicions finally kicked in. He ended the call, immediately changed his password again, and breathed a sigh of relief.

There are two lessons here. One is that malicious actors constantly evolve and refine their methods, and users need to stay informed; the same old defensive practices we’ve relied on in the past won’t necessarily work in the future. But the second is that it isn’t enough to verify that one message or alert genuinely comes from Apple–we need to verify them all. If you get an unexpected support call, assume it’s fake until proven otherwise. If in doubt hang up and contact Apple via official means.

This story ended happily, but it’s vital to stay wary and skeptical to ensure you don’t end up suffering the disaster Eric Moret narrowly avoided.