How To Hack An Apple Iphone With A Phishing Kit

Size: px

Start display at page:

Download "How To Hack An Apple Iphone With A Phishing Kit"

Lillian Parks
3 years ago
Views:

1 Analysis Report Besmellah Apple phishing kit

2 Introducing the campaign In the recent past, Apple customers have been amongst the favourite targets of cyber attacks, especially in the form of phishing. Cybercriminals are generally after personal and sensible data, including bank account details. Last month only, the so called "Celebrity gate", also named "Fappening" has drawn significant media attention, as the privacy of dozen international celebrities, and Apple clients, has been violated and hundreds of personal, sometimes intimate, pictures have been made public. Media have been very quick in putting Apple under the spotlight, blaming their supposed vulnerabilities, specifically those in their "find my iphone" feature According to the company though, accidents were the result of specific attacks, targeting their customers and aimed at stealing their personal and account details. Apple has been increasingly targeted by criminals, and the recent appearance of specific, pre-packaged "phishing kits" widely available on the internet makes companies surely not limited to Apple only - and their clients significantly more exposed to malicious activities. Within this context, a new specific kit called Besmellah has been identified, the malicious end-to-end process analysed and the identity of the responsible revealed. The attack was successfully carried by a young attacker, which was interested in bank accounts and credit card details of Apple customers. Threat Analysis The analysis of the threat shown that the attack takes place in a three-way process. As per the common features of the Besmellah kit, the attack starts with a fraudulent , sent to the recipient from an apparently legitimate support account address (support@apple.com). In the body of the the attacker refer to a non-specified technical issue, and recommend the recipient to follow a link in order to validate the account and avoid its closure. In these cases the use of the Spoofing technique on the sender tends to be successful as recipients are more inclined to lower the guard and trust the link. In addition, it is worth mentioning the use of the popular service of URL abbreviation called Bitly, to allow the malicious link to by-pass anti-phishing tool and hide the real final address of the sender. Following the link, the victim is readdressed to a web page where it is asked to insert their account credentials. The form and web page resemble in a great deal of details the licit ones, although the domain used to host the web page is clearly not legitimate. In this specific case the website used to host the pages was that of an Indian professional, previously hacked through the exploitation of CMS known vulnerabilities of WorldPress, and used to install the kit. Once credentials are submitted an is forwarded to the attacker. This contains customers IP address along with date and time of the submission. As second step, the victim is asked to fill a second form and provide other key information linked to their accounts, such as name, address, phone number, driving license and credit card details (number, expiry date, CVV). As in step one, as soon as the info are submitted, the attacker receives an with all these details plus the geo-localized IP address of the victim. 2

Last month only, the so called "Celebrity gate", also named "Fappening" has drawn significant media attention, as the privacy of dozen international celebrities, and Apple clients, has been violated

3 Third and last step, the victim is redirected to the legitimate domain, in this case Apple s itunesconnect. apple.com One of the aspects that make the Besmellah kit very effective is the use of a blacklist of IP addresses of the most popular search engines and Spider-bot, aiming at tracing and tracking phishing threats. Identification of the attacker The process to identify the attackers started from the analysis of the hacked website. Within its architecture the presence of a zip archive has been detected the archive hosted the fully functioning kit used for the operation: 3

and Spider-bot, aiming at tracing and tracking phishing threats.

4 The analysis of the source code revealed the address the attacker was using to receive the account and victim s personal info: Performing a Facebook search of the address, the association to a specific account has been identified: 4

personal info: Performing a Facebook search of the email

5 The analysis of the profile linked to the account allowed to discover pictures and attacker s personal information: male, Tunisian origins, young and very interested and active in spamming and hacking activities. In addition, the intentions of the attacker were clear given he is part of several organizations known for their spamming activities: these groups share information as well as strategies to obtain sensitive information and launch cyber attacks. Conclusion The analysis of this operation once again showed how dangerous phishing activities can be. These threats are on the rise and pose a significant risk to individuals are organizations alike. The availability in the internet of easy-to-use, pre-packaged tools such as the Besmellah represent a very dangerous incentive for young, maybe less experienced attackers, to commit unlawful and dangerous activities. To contrast these malicious activities, companies need to define and implement stricter risk management policies as well as adopt specific tools to prevent attacks, defend both their critical digital infrastructure and their customer base. 5

In addition, the intentions of the attacker were clear given he is part of several organizations known for their spamming activities: these groups share information as well as strategies to obtain

6 About Tiger Security Tiger Security is a leading company specialized in innovative Cyber Intelligence and Information Security solutions. Our client base include Public Sector (Governments, Military forces) and Corporates across the world. In addition, our cutting hedge services and products are used by several European Research Institutes across continents and represent the state of the art for Cyber Security, open-source-based solutions. Tiger Security value proposition fits the wider organisations risk management frameworks, in a context of increased relevance of Cyber Intelligence and Information Security solutions owing to heightened concerns for more complex, innovative and disruptive threats actions posed by criminal individuals and organisations. Tiger Security s mission is to discover, monitor and track digital threats using a non conventional, innovative and preventive approach, which result in a very significant improvement of our clients risk profile. 6

In addition, our cutting hedge services and products are used by several European Research Institutes across continents and represent the state of the art for Cyber Security, open-source-based

7 Tiger Security Srl Piazza Monterosa Orvieto (TR) ITALY web: 7

White paper. Phishing, Vishing and Smishing: Old Threats Present New Risks

White paper. Phishing, Vishing and Smishing: Old Threats Present New Risks White paper Phishing, Vishing and Smishing: Old Threats Present New Risks How much do you really know about phishing, vishing and smishing? Phishing, vishing, and smishing are not new threats. They have