Recently one of our members sent a sample of a phishing email he had received to our Cyber Security Operations Team. This was a good one.
So let’s take some time to examine this phish. In order to keep it short and sweet I will be dividing this dissection into several parts. This part will focus on the email itself.
Why do criminals conduct phishing attacks? Because they work. The crooks are getting craftier and so much better at tricking the user. Why should the crook waste time trying to hack into a user’s account when all they need to do is ask for the information they need?
Never click on links contained in the email message. Never divulge personal information. Slow down and actually read each word and sentence. Notice all the errors. Always go directly to the site in question or call the organization to verify the email. In this case the user contacted Apple and reported the activity.
Below is a breakdown of the phish. This was dissected in a safe, sandbox environment. See if you can recognize all of the red flags in this email.
From: AppleID <email@example.com>
Sent: Wednesday, October 18, 2017 11:26 AM
Subject: RE: [ New Report Statement Alert ] : We Informed That Submitted an Error into Your Account Activity
Apple ID Suspicious Activity
Last Update 18-October-2017
For your protection, you Apple ID (firstname.lastname@example.org) is automatically disabled. We detect unauthorized Login Attempts to your Apple ID from other IP Location. Please verify your identity today or your account will be disabled due to concerns we have for the safety and integrity of the Apple Community.
We’re concerned that someone is using or apple Account without your knowledge. Recent activity from your apple Account seems to have occured from a suspicious location or under unusual circumtances.
Your account access has been locked for the following reasons:
- 18 October 2017 We Want to check your account surely not login with other device.
- 19 October 2017 your account has been locked until this issued has been resolved we will waiting for 24 hours or your account has been disable permanently.
Please click loggin button below to your apple Account and provide the information previously requested: 24 hours via Account Review, if we do not receive information before this deadline, you account access can be further locked permanently.
To verify you Apple ID, we advise you to press the Login Button button.
At first glance the email looks pretty sophisticated. But once you slow down and really read it you can easily see how bad it actually is. What happens if you click the LOGIN button?
Continue to Part 2