In this phishing attack, cybercriminals send from an address whose display name is spoofed to look like Apple and inform the recipient that their Apple Pay service has been suspended. The email claims that the card linked to the recipient's device is associated with multiple devices and that Apple Pay has been suspended as a security measure. The recipient is urged to confirm ownership of the card by clicking a provided link within 12 hours to avoid having access to payment services permanently disabled. Should the target click the button labeled "Update Now", they are redirected to a page designed to harvest sensitive information such as login credentials or payment details. By leveraging Apple's trusted name, professional language, and the urgency of losing access to Apple Pay, the attacker aims to get the recipient to click the link without questioning the email's legitimacy, potentially compromising their sensitive information.

Older, legacy email security tools struggle to identify this email as an attack because the display name appears to be Apple's, the message carries no malicious attachments, and it includes legitimate links to Apple's website alongside the phishing link. Modern, AI-powered email security solutions flag that the sender is unknown to the recipient, detect a link to a suspicious domain, and recognize that the sender's domain does not match any domain linked in the message, and so correctly identify the email as an attack.

[Image] Apple Pay Impersonator Phishing Attack Email

Malicious email disguised as a notification from Apple, designed to trick targets into compromising personal information

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Display Name: The attacker sets the sender display name to impersonate Apple while sending from an unrelated address. Because the actual sending domain is not forged, the message can pass basic email authentication checks (SPF, DKIM, DMARC) on that domain, yet the recipient sees "Apple" as the sender, which adds perceived authenticity.
  • Absence of Malicious Attachments: By not including suspicious attachments and instead relying on links, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
  • Legitimate Links Included: The email incorporates real links to Apple's website, which lend it a veneer of authenticity and allow it to pass simple link verification checks, while the actual phishing link is masked behind the "Update Now" button.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal's platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interaction.
  • Suspicious Link Analysis: Abnormal's systems scrutinize the link leading to a suspicious domain, triggering deeper analysis for possible malicious intent.
  • Sender and Link Domain Mismatch: The sender's domain does not match any of the domains found in the body links, raising further suspicion.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
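The bypass and detection points above describe a handful of header and link heuristics: a display name borrowed from a protected brand, a Reply-To on a different domain, a sender with no prior history, a masked phishing link sitting next to genuine brand links, and a sender domain that appears in none of the body links. The script below, added here as an illustration and not Abnormal Security's code or a reproduction of its models, runs those checks over a constructed sample message. The From/Reply-To domains, the PROTECTED_BRANDS allow-list, the KNOWN_SENDERS history, and the two-label registrable-domain helper are all assumptions made for the example.

```python
"""Heuristic checks for a brand-impersonation email with a masked link.

Added illustration only: not Abnormal Security's detection code. Every
address, domain and history entry below is constructed for the example.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name says "Apple", From and Reply-To sit on two
# unrelated domains, the "Update Now" button is a masked link, and two genuine
# apple.com links are mixed in for authenticity.
SAMPLE_EMAIL = """\
From: Apple <no-reply@mail.example.com>
Reply-To: support@example.net
To: victim@example.org
Subject: Your Apple Pay service has been suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>The card linked to your device is associated with multiple devices.
Confirm ownership within 12 hours to keep access to Apple Pay.</p>
<p><a href="https://appleid.example.net/verify">Update Now</a></p>
<p><a href="https://www.apple.com/legal/privacy/">Privacy Policy</a> |
<a href="https://support.apple.com/">Apple Support</a></p>
</body></html>
"""

# Assumed allow-list: brand keyword -> registrable domains allowed to use it.
PROTECTED_BRANDS = {"apple": {"apple.com"}}

# Constructed sender history: recipient -> addresses that have written before.
KNOWN_SENDERS = {"victim@example.org": {"alice@example.org"}}


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for the .com/.net/.org samples."""
    return ".".join((host or "").lower().split(".")[-2:])


def is_masked(href, text, brands):
    """True when the link text or hostname borrows a protected brand but the
    registrable domain it actually points to is not one of the brand's."""
    host = (urlparse(href).hostname or "").lower()
    target = registrable_domain(host)
    for brand, allowed in brands.items():
        if target not in allowed and (brand in host or brand in text.lower()):
            return True
    return False


def analyze(raw, known_senders=KNOWN_SENDERS, brands=PROTECTED_BRANDS):
    """Return the sorted list of indicator names that fire on the message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    sender_domain = registrable_domain(from_addr.rpartition("@")[2])
    found = set()

    # Spoofed display name: the name claims a brand the address does not belong to.
    for brand, allowed in brands.items():
        if brand in display.lower() and sender_domain not in allowed:
            found.add("spoofed_display_name")

    # Mismatched Reply-To: replies are routed to a domain other than the sender's.
    if reply_to and registrable_domain(reply_to.rpartition("@")[2]) != sender_domain:
        found.add("mismatched_reply_to")

    # Unknown sender: no prior communication with this recipient.
    if from_addr not in known_senders.get(recipient, set()):
        found.add("unknown_sender")

    # Link analysis over the HTML body; each link is judged on its own, so the
    # genuine apple.com links do not launder the masked one.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    extractor = LinkExtractor()
    extractor.feed(body)
    link_domains = set()
    for href, text in extractor.links:
        link_domains.add(registrable_domain(urlparse(href).hostname))
        if is_masked(href, text, brands):
            found.add("masked_phishing_link")

    # Sender domain appears in none of the body links.
    if link_domains and sender_domain not in link_domains:
        found.add("sender_domain_not_in_links")

    return sorted(found)


if __name__ == "__main__":
    for name in analyze(SAMPLE_EMAIL):
        print(name)
```

The point of judging each link individually is the "Legitimate Links Included" bypass: a checker that asks only whether the message links to a known-good domain is satisfied by the privacy-policy and support links, while the masked "Update Now" link on a brand-looking subdomain of an unrelated registrable domain is what the check should isolate. In production the two-label domain helper would be replaced by a public-suffix list lookup, and the brand and sender-history tables would come from configuration and mail history rather than constants.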

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Spoofed Display Name; Masked Phishing Link; Mismatched Reply-To Address
Theme: Suspicious Account Activity; Account Update
Impersonated Party: Brand
Impersonated Brands: Apple
