A Compromised .GOV URL Hosting Phishing Attacks on Apple Users

A couple of months ago we reported how an App Store phishing email was stealing Apple user credentials. Now a Vietnamese government domain belonging to Tam Ky City has been found redirecting visitors to another compromised domain that asks them to log in with their Apple IDs.

The compromised domain was anphutamky.gov.vn; it did not host the phishing page itself but redirected visitors on to an Apple ID phishing page. A link to the government domain was delivered in an email written in French.

Here is the email that was sent to users:

“Dear Customer,

Your Apple ID was used to log into iCloud from an unauthorized computer.

Your account is now locked, please log into your account to check your information.

Click here (compromised government domain link)

Apple Support”

The link leads to anphutamky(dot)gov(dot)vn/cu/install/css/, a page that contained little other than code to redirect the visitor. The potential victim was then sent to skintesting(dot)com(dot)au/components/com_mailto/views/sent/tmpl/auth/ (a path inside a Joomla installation, as the com_mailto component directory indicates), which is simply another compromised domain hosting a fake Apple login form. Both rogue pages have since been taken offline.
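The attack works as a two-hop chain: the trusted-looking .gov link only redirects, and the credential harvest happens on the second domain. The script below is an added example (not code from the article or from Malwarebytes) showing how a responder can walk such a client-side redirect chain offline and flag that it never lands on an Apple domain. It reuses the two hostnames the article names, but the page contents in `SAMPLE_PAGES` are constructed stand-ins, and the function and variable names are my own assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample pages standing in for the two stages described in the
# article. Hostnames follow the article; the HTML is invented for this example.
SAMPLE_PAGES = {
    "http://anphutamky.gov.vn/cu/install/css/":
        "<html><head><title>Loading</title></head><body>"
        "<script>window.location.href = "
        "\"http://skintesting.com.au/components/com_mailto/views/sent/tmpl/auth/\";"
        "</script></body></html>",
    "http://skintesting.com.au/components/com_mailto/views/sent/tmpl/auth/":
        "<html><body><form action=\"login.php\" method=\"post\">"
        "Apple ID <input name=\"appleid\">"
        "<input name=\"password\" type=\"password\"></form></body></html>",
}

# Domains a genuine Apple ID login page would live under.
APPLE_DOMAINS = ("apple.com", "icloud.com")


class RedirectFinder(HTMLParser):
    """Collects meta-refresh targets and inline-script location assignments."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1).strip())
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here; pick out the common JS redirect idioms.
        if self._in_script:
            for m in re.finditer(
                r"(?:window\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", data):
                self.targets.append(m.group(1))
            for m in re.finditer(r"location\.replace\(\s*['\"]([^'\"]+)['\"]", data):
                self.targets.append(m.group(1))


def client_side_redirects(url, html):
    """Return absolute URLs that the given page would send a browser to."""
    p = RedirectFinder()
    p.feed(html)
    return [urljoin(url, t) for t in p.targets]


def is_apple_host(url):
    """True only for apple.com / icloud.com or their subdomains (not look-alikes)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in APPLE_DOMAINS)


def follow_chain(start, fetch, max_hops=5):
    """Walk client-side redirects using `fetch(url) -> html or None`; bounded."""
    chain = [start]
    url = start
    for _ in range(max_hops):
        html = fetch(url)
        if html is None:
            break
        nxt = client_side_redirects(url, html)
        if not nxt:
            break
        url = nxt[0]
        chain.append(url)
    return chain


def assess_link(start, fetch=SAMPLE_PAGES.get):
    """Summarise where an emailed link really ends up and whether it is off-brand."""
    chain = follow_chain(start, fetch)
    return {
        "chain": chain,
        "final": chain[-1],
        "link_off_brand": not is_apple_host(start),
        "final_off_brand": not is_apple_host(chain[-1]),
    }


if __name__ == "__main__":
    result = assess_link("http://anphutamky.gov.vn/cu/install/css/")
    for hop in result["chain"]:
        print("->", hop)
    print("final page off Apple domains:", result["final_off_brand"])
```

Against a live URL you would swap `SAMPLE_PAGES.get` for a fetch function that retrieves pages from an isolated analysis host; the hop limit keeps a redirect loop from running away.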


A .gov domain carries a level of trust that makes it an attractive target for scammers, who use it as the first hop of a lure precisely because recipients are less likely to question it. It is therefore extremely important that administrators of such sites keep the web server, CMS and extensions up to date and patched.

Here are the screenshots taken from both compromised sites:

[Screenshot: the phishing email, written in French | Image via Malwarebytes]

[Screenshot: compromised Australian domain hosting the fake Apple ID login page | Image via Malwarebytes]

A history check on the compromised Vietnamese domain shows that in February 2015 it was hacked and defaced by an Algerian hacker using the handle ViRusx. It is no surprise, then, that cybercriminals were later able to use it as bait: a site that has already been defaced once and not properly cleaned up and patched remains an easy target.

A Zone-H mirror of the defacement, as proof of the earlier hack, is available below:

http://www.zone-h.org/mirror/id/23663316?zh=1

Apple ID owners should always verify that they are on the right page before submitting their login credentials: check the address bar, and expect a genuine Apple ID page to be on an apple.com or icloud.com address, never on an unrelated domain such as a foreign government site. Unless you have specifically asked Apple to send you a link, for example for a password reset, avoid clicking on URLs in unsolicited emails and instead type the address yourself.

So beware and don’t fall for such emails.

Source: Malwarebytes
