A PhishTank has been located where Apple Store users have been the victims of phishing emails.
It runs on OVH, a very well-known web hosting platform based in Europe, on a page that says it is the Apple Store Confirmation page. This page appears to be where the fraud takes place.
Here is a detailed analysis, with the assistance of Malwarebytes.
Apple users are receiving emails in which attackers pretend to notify them about a recent download from the App Store. In reality the email is fake and contains a phishing link designed to steal their login credentials.
Below is the exact content sent by the attackers in the fake App Store email:
Apple Store Purchase Confirmation
Thank you for purchasing the following items:
Space Qube
Order Number: MHDH6YM6KZ
Receipt Date:
Order total: GBP 22.99
If you initiated this download, you can disregard this email. It was only sent to alert you in case you did not initiate the download yourself.
If you did not initiate this download, please cancel the transaction by filling the form below.
See Apple ID: Tips for protecting the security of your account for further assistance.
Here is a full screenshot of the phishing email sent to Apple users:
The email begins by thanking the recipient for supposedly purchasing the game Space Qube and then explains that the message is just an alert. It says the alert was sent because of the user initiating the game download, but the email actually links to the phishing page. Recipients who never got the game are more than likely to try to cancel the payment, and they do so by filling in their personal information as requested.
However, users should understand that companies like Apple will not request their personal information just to cancel a purchase. Nor would they ask for your mother’s maiden name.
A Google search using the order number as a reference revealed that this spam has been landing in inboxes since February.
Once users have given their information on the first page, they are redirected to a page that asks for their personal password for additional verification.
When the user enters the requested details and clicks the submit button, a “Thank You” page appears, disappears after a little while, and the user is redirected to the Apple sign-in page.
Examining the phishing URL more closely revealed that the /.apple/ URL path is an open directory that contains 100 copies of the phishing page.
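A defender-side link check built on the /.apple/ observation above, as an added example that is not from the original article or from Malwarebytes. The function names, the list of legitimate domains and the sample links (placeholder hosts) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains treated as genuinely Apple-operated for this check.
LEGIT_SUFFIXES = ("apple.com", "icloud.com")
BRAND = "apple"


def is_legit_host(host: str) -> bool:
    """True when host is one of LEGIT_SUFFIXES or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def phishing_signals(url: str) -> list[str]:
    """Return the reasons a link in an 'Apple' email looks suspicious."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if is_legit_host(host):
        return []
    signals = []
    if BRAND in host.lower():
        signals.append("brand name used in a non-Apple hostname")
    segments = [s for s in parts.path.split("/") if s]
    if any(BRAND in s.lower() for s in segments):
        signals.append("brand name used in the URL path")
    # Dot-prefixed directories such as /.apple/ are hidden from a default
    # `ls` on Unix hosts; .well-known is the common legitimate exception.
    if any(s.startswith(".") and s not in (".", "..", ".well-known")
           for s in segments):
        signals.append("hidden dot-directory in the URL path")
    return signals


# Constructed sample links (placeholder hosts, not taken from the campaign).
SAMPLES = [
    "https://appleid.apple.com/sign-in",
    "http://store-confirm.hosting.example/.apple/index.php",
    "http://apple.com.verify.example/cancel",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", phishing_signals(link) or "no signals")
```

A plain substring match on the brand will also flag unrelated hosts such as one containing "pineapple", so treat the output as a triage signal rather than a verdict.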
The phishing sub-domain has been reported to OVH’s abuse channel.
Apple users must be wary of such phishing emails. If they receive suspicious emails, they should simply ignore them and put them in the trash.