A mobile phishing campaign is spreading via text messages pretending to come from an Apple chatbot & offering “free trials” of the iPhone 12.
Convincing SMS messages are informing victims that they have been chosen for a ‘pre-release trial’ for the soon-to-be-launched device.
The iPhone 12 is due to be released in Oct., & the buzz is high for ‘Apple heads’ who are anxiously waiting for the launch. Cyber-criminals are taking advantage of this to push a campaign to harvest credit-card details, researchers outlined.
The text begins with a shipping lure. According to Sophos, it reads: “Dear Christopher, we have your packet in queue. Address: Londonderry, Ballynagard crescent” & contains a link. It is meant to look like it has been sent to the wrong number, in hopes that people’s curiosity will get the better of them.
Clicking the link triggers an interaction – via multiple texts – with a supposed “Apple chatbot.”
“The scam first shows you some cheery messages from a fake Apple chatbot to tell you why you…had enough luck to be chosen to take part in an iPhone 12 trial, and then it invites you…to join in,” explained Paul Ducklin, Researcher with Sophos, in a posting on Thur.
The texts end with a link – the text reads “apple.co.uk/2020/promo” – which takes the target to the browser. There, people are asked to provide their full name & address, supposedly to “verify” that they are part of the official Apple pre-release trial group.
“The name-&-address answers…don’t matter a jot,” Ducklin observed. “We tried clicking numerous different combinations &, unsurprisingly, the crooks let us through anyway.
The questions are there just to provide a plausible connection back to the SMS that was meant for ‘Christopher’ but that reached you instead. It’s as though the criminals are trying to ‘authenticate’ themselves to you, rather than the other way around.”
After providing the name and address, the scam site surfaces a survey – again to provide verisimilitude to the target that the offer is legit. After clicking through 6 questions, like “do you own any Apple products,” the victim is told that their information is being verified (& a “comments” section on the bottom of the screen shows supposed reactions from those who weren’t chosen & someone saying he thought it was a joke until he received his phone).
Then, the scam-site tells the target, “Congratulations! You qualify for a test group!” and then asks the person to click to confirm his or her info – & after entering an email address, a payment screen comes up explaining that there’s a “courier delivery charge” for the phone, typically between £1 & £2.
Credit-Card Payment Form
“You end up on a credit-card payment form that’s hosted on what looks like a ‘special offers’ website with a believable enough name, & with an HTTPS security padlock if you take the time to look,” Ducklin observed. “Of course, if you try to pay your modest delivery charge, you are simply handing over your personal data to the crooks, including your full card number & security code.”
The researcher explained that the scam is convincing enough to fool the less security-minded. The use of texting also offers several advantages.
For example, the format can help hide the grammatical & style issues that often act as ‘red flags’ in email phishes. Also, shortened URLs are common in texts from legitimate businesses, so crooks can more easily disguise where a link is going to wind up.
“Your phone’s operating system will happily recognise when the text in an SMS looks like a URL and automatically make it clickable for you,” Ducklin further explained.
“As a result, text messages that contain 1 short, clipped sentence that wouldn’t look right in an email, & that contain deliberately disguised links that we might be suspicious of anywhere else…look surprisingly natural when they show up in an SMS.”
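A defender-side check for the disguised-link pattern described above, given as an added example that is not from Sophos or the original article: it flags links whose visible text looks like one host while the href points at another. The `offers.example.net` destination and the helper names are assumptions made for illustration, and the host comparison is a simplification that does not use a public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample. The first link's visible text is the one quoted in the
# article; its href host is a placeholder, since the article names no real one.
SAMPLE = (
    '<p>Join: <a href="https://offers.example.net/p">apple.co.uk/2020/promo</a></p>'
    '<p><a href="https://www.apple.com/uk/iphone">apple.com/uk/iphone</a></p>'
    '<p><a href="https://example.org/help">Help</a></p>'
)

def host_of(value):
    """Hostname of a URL or URL-looking string, or None if it has none."""
    value = value.strip()
    if len(value.split()) != 1:
        return None                      # empty or ordinary words, not a URL
    try:
        host = urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:
        return None
    return host.lower() if host and "." in host else None

def same_site(shown, actual):
    """Simplified comparison: ignore 'www.' and allow subdomains of `shown`."""
    shown, actual = shown.removeprefix("www."), actual.removeprefix("www.")
    return actual == shown or actual.endswith("." + shown)

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown, actual = host_of("".join(self.text)), host_of(self.href)
            if shown and actual and not same_site(shown, actual):
                self.findings.append((shown, actual))
            self.href = None

def mismatched_links(html):
    audit = LinkAudit()
    audit.feed(html)
    audit.close()
    return audit.findings  # (host shown to the user, host actually linked)
```

Links whose visible text is ordinary words rather than a URL are skipped, so the check only fires when the text itself claims a destination.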
Protection against SMS phishing (or “smishing”) means staying alert & remembering the adage that things that seem too good to be true sadly often are. There is no free phone.
Wary of Texts
Ducklin also noted that people need to start being as wary of texts as they are of emails & understand that cyber-criminals are actively targeting that platform.
“If all you need to transmit is a 6-digit logon code or a ‘pizza driver now 2 mins. away’ notification, SMSes still make excellent business sense,” concluded Ducklin.
“Sadly, however, what works for legitimate businesses almost always works for cybercriminals too, so there are plenty of crooks still using SMSes for phishing.”