Rotten Apples: Resurgence

In June 2016, we published a blog post about a phishing campaign
targeting the Apple IDs and passwords of Chinese Apple users that
emerged in the first quarter of 2016 (referred to as the “Zycode”
phishing campaign). At FireEye Labs we have an automated system
designed to proactively detect newly registered malicious domains, and
this system had observed some phishing domains that were designed to
appear as legitimate Apple domains. Most of the domains reported by
this system were suspended in June 2016, which resulted in a loss of
momentum for the Zycode phishing campaign. Throughout the second
quarter of 2016, the Zycode phishing campaign was in hibernation.

We recently observed a resurgence of the same phishing campaign when
our systems detected roughly 90 phony Apple-like domains that were
registered from July 2016 to September 2016. Once again, Chinese Apple
users are being targeted for their Apple IDs and passwords using the
same content reported on in our earlier blog. The majority of these
domains are registered in the .com TLD by email accounts from
qq[.]com, and the IPs of these domains point to mainland China, as
seen in Figure 1.

Figure 1: Google map showing the location of the
hosted phishing domains
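
The following is an added example, not FireEye's detection system or code from the original post: a minimal triage pass over newly registered domain records that flags Apple-like names and notes the qq.com registrant signal described above. The allow-list, brand tokens, record fields and sample records are all assumptions constructed for illustration.

```python
import re

# Assumption: registrable domains Apple itself uses for sign-in; extend as needed.
LEGIT = {"apple.com", "icloud.com"}
BRANDS = ("apple", "icloud", "itunes")
# Fold common digit-for-letter swaps before matching.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def registrable(domain):
    """Naive registrable domain: the last two labels (adequate for .com)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def is_apple_lookalike(domain):
    """True if a non-Apple domain carries an Apple brand token."""
    if registrable(domain) in LEGIT:
        return False
    tokens = re.split(r"[.\-]+", domain.lower().translate(FOLD))
    # Prefix match keeps "appleid" but skips words such as "pineapple".
    return any(t.startswith(BRANDS) for t in tokens)

def triage(records):
    """Return (domain, reasons) for each lookalike, in input order."""
    hits = []
    for rec in records:
        if not is_apple_lookalike(rec["domain"]):
            continue
        reasons = ["apple-like name"]
        # Corroborating signal reported for this campaign, not proof by itself.
        if rec["email"].lower().endswith("@qq.com"):
            reasons.append("qq.com registrant")
        hits.append((rec["domain"], reasons))
    return hits

# Constructed sample records (not indicators from the campaign).
SAMPLE = [
    {"domain": "appleid.apple.com", "email": "hostmaster@corp.example"},
    {"domain": "app1e-id-verify.example", "email": "user-a@qq.com"},
    {"domain": "icloud.com.signin-check.example", "email": "user-b@mail.example"},
    {"domain": "pineapple-recipes.example", "email": "user-c@qq.com"},
]

if __name__ == "__main__":
    for domain, reasons in triage(SAMPLE):
        print(domain, "->", ", ".join(reasons))
```

The prefix match trades some recall (a name such as "myapple" is missed) for fewer false positives, and the two-label registrable-domain rule would need a public suffix list for TLDs other than .com.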

What Has Not Changed?

The attackers have not changed the content of the phishing sites.
The obfuscated JavaScript used in the earlier version is once again
being used in this campaign. We provided details of the JavaScript and
screenshots of interaction with the website in our earlier blog.

What Has Changed?

Apparently the domains and email addresses used in the previous
version of the campaign were effectively taken down. The attackers
have now moved to a new malicious infrastructure: new domains, IPs and
email addresses are being used for this campaign. The new domain names
for the campaign are listed in Table 1, while their IPs and registrant
emails are reported in Table 2 and Table 3, respectively.

Domains List

Table 1: Apple phishing domains serving the
Zycode phishing kit.

Unique IP(s)

Table 2 shows the list of unique IPs, which are not the same as what
was seen before.

Table 2. IP addresses used by the domains.

Unique Email Addresses

The email addresses used to register these domains, showing no
similarity with email addresses in the previous campaign, are shown in
Table 3.

Table 3. List of unique registrant emails.

Unique Registrants

Table 4 shows the registrant names, which have no similarity with
the previous registrant name information.

Table 4. List of registrant names used by the
phishing domains.

How to Avoid Being a Victim

Apple provides information on phishing here
and here, and
on iCloud security here. There are
simple ways for a user to be more secure against this and similar
attacks. The following are a few tips:

  • Enable two-factor authentication for Apple ID.
  • Always check the address bar for the correct web address.
  • Avoid clicking links in emails and SMS messages that supposedly
    direct to iCloud pages.
  • Use our FireEye EX appliance, which provides effective
    detection for the Zycode phishing campaign.

By admin