A couple of months ago we reported how an app store phishing email is stealing Apple user credentials. Now a government of Vietnam domain belonging to its Tam Ky City was found redirecting visitors to another compromised domain asking them to login with their Apple IDs.
Here’s the email example sent to the users:
Your Apple ID was used to log into iCloud from an unauthorized computer.
Your account is now locked, please log into your account to check your information.
Click here (compromised government domain link)
The link leads to anphutamky(dot)gov(dot)vn/cu/install/css/” which contained little other than code to redirect the visitor. The potential victim was sent to skintesting(dot)com(dot)au/components/com_mailto/views/sent/tmpl/auth/ which is just another compromised domain seeking Apple login credentials. The rogue pages have been taken offline.
It is a fact that a .gov website is always looked upon as a potential target for scammers therefore, it is extremely important that Admins keep everything up-to-date and patched up.
Here are the screenshots taken from both compromised sites:
After doing a history check on compromised Vietnam domain, we found out that in Feburary 2015, it was hacked and defaced by an Algerian hacker going with the handle of ViRusx. So no surprise how cybercriminals were using it as bait.
A zone-h mirror of hacked domain as a proof of hack is available below:
As far as Apple ID owners, please always verify that you are on the right page before submitting your login credentials. Unless you have asked Apple specifically to send you a URL for let’s say password resetting or any other reason, kindly avoid clicking on random URLs.
So beware and don’t fall for such emails.