Apple Inc. is selling a ton of its new iPhone 6 smart phones, but before launching the device earlier this month it had already attracted a much less desirable crowd of devotees: phishers. Among all brands targeted by these cybercriminals, Apple is now tops, and the company’s expected introduction next month of its Apple Pay service could make it an even more popular target.
That’s according to the latest report from the Anti-Phishing Working Group, released over the weekend. The APWG, which tracks the spoofed sites and emails that phishing fraudsters use to gull consumers into revealing passwords, PINs, and other sensitive data, says Apple and associated brands like iTunes and iPad were targeted in 21,951 phishing reports received in the first half of the year. That’s well ahead of the second-ranked target, PayPal Inc., at 17,811 reports, and amounts to nearly 18% of all reports.
Apple has always been popular with phishers, says Rod Rasmussen, president and chief technology officer at Internet Identity (IID), a Tacoma, Wash.-based Internet security firm. But now the popular computer company has soared to the top of phishers’ hit list. “This is the first time they’ve been on top,” Rasmussen, who co-authored the APWG report, tells Digital Transactions News. “We got used to PayPal being there all the time.”
What the criminals are after, Rasmussen says, is users’ Apple IDs, the passwords they use to gain access to a widening variety of Apple services. Phishers can use the IDs to learn email addresses and then reset passwords and gain access to related accounts, Rasmussen says. They can also use them to hold the legitimate users’ accounts hostage. “You can lock somebody out,” Rasmussen says. “It’s a ransom-type thing. You have to go to some site and pay $50 to unlock it.” Or they can simply sell the IDs on an online black market.
Now, with the imminent introduction of Apple Pay, the company is likely to become an even more attractive phishing target, Rasmussen says. “Now putting payment on the phone, that’s even more valuable, that makes you a bigger target,” he says, though he adds he has seen nothing to indicate Apple will associate Apple IDs with Apple Pay, which will include a wallet containing tokenized credentials for users’ cards from partner issuers.
In announcing Apple Pay earlier this month, the company said the service will be protected with Touch ID, a fingerprint-recognition technology, on the phone. Apple did not respond to a request for comment.
“I give Apple a lot of credit, they’re spending a lot of time trying to lock things down better,” Rasmussen says. “They’re smart enough to know people are coming after them.”
Apple and PayPal may be popular targets, but the latest APWG report, entitled “Global Phishing Survey: Trends And Domain Name Use in 1H2014,” found phishers are rapidly broadening the range of brands they’re trying to spoof. The list reached 756 organizations in the first half, the highest total the APWG has ever recorded. Almost half of the 756 had not been targeted before.
“[Phishers] are looking for companies that are newly popular, have vulnerable user bases, and/or are not ready to defend themselves against phishing,” says the report.
In phishing campaigns, criminals use spoofed emails to gull consumers into visiting bogus Web sites, where the phishers can download malware and collect sensitive information, such as user names, passwords, and PINs. The emails are designed to appear as if they come from trusted brands, such as banks.