{"id":18763,"date":"2022-04-14T03:10:16","date_gmt":"2022-04-14T11:10:16","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/04\/14\/news-12496\/"},"modified":"2022-04-14T03:10:16","modified_gmt":"2022-04-14T11:10:16","slug":"news-12496","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/04\/14\/news-12496\/","title":{"rendered":"“Your AppI\u200ce\u200c \u200cl\u200cD\u200c \u200c\u200ch\u200c\u200ca\u200c\u200cs\u200c\u200c \u200c\u200cb\u200c\u200ce\u200c\u200ce\u200c\u200cn\u200c\u200c \u200c\u200cl\u200c\u200cocke\u200c\u200cd\u200c\u200c” spam email takes you on a website mystery tour"},"content":{"rendered":"

Credit to Author: Christopher Boyd| Date: Thu, 14 Apr 2022 10:53:25 +0000<\/strong><\/p>\n

Spam which claims your account has been locked out and needs to be fixed are common. They drive people to phishing campaigns on a daily basis.<\/p>\n

The mail below follows the same pattern with one key difference. It looks like a phish, but goes somewhere else entirely.<\/p>\n

No, your Apple ID has not been locked<\/h2>\n

The mail claims to be from Apple, and is titled<\/p>\n

Re: [Ticket #265763] Your Appl\u200ce\u200c \u0406\u200cD has been locke\u200c\u200cd\u200c\u200c on [date]<\/em><\/p>\n

It reads as follows:<\/p>\n

\n

Your AppI\u200ce\u200c \u200cl\u200cD\u200c \u200c\u200ch\u200c\u200ca\u200c\u200cs\u200c\u200c \u200c\u200cb\u200c\u200ce\u200c\u200ce\u200c\u200cn\u200c\u200c \u200c\u200cl\u200c\u200cocke\u200c\u200cd\u200c\u200c on [date] 2022 for \u200c\u200cs\u200c\u200cecurit\u200c\u200cy\u200c\u200c \u200c\u200cr\u200c\u200ceason\u200c\u200cs\u200c\u200c \u200c\u200cb\u200c\u200cecaus\u200c\u200ce\u200c\u200c you have \u200c\u200cr\u200c\u200ceache\u200c\u200cd\u200c\u200c the \u200c\u200cm\u200c\u200caximu\u200c\u200cm\u200c\u200c \u200c\u200cn\u200c\u200cumbe\u200c\u200cr\u200c\u200c of \u200cl\u200cn\u200cv\u200ca\u200cl\u200ci\u200cd\u200c \u200cs\u200ci\u200cg\u200cn\u200c-\u200ci\u200cn\u200c \u200ca\u200ct\u200ct\u200ce\u200cm\u200cp\u200ct\u200cs\u200c<\/em><\/p>\n

You cannot \u200ca\u200cc\u200cc\u200ce\u200cs\u200cs\u200c your \u200ca\u200cc\u200cc\u200co\u200cu\u200cn\u200ct\u200c and any AppI\u200ce\u200c services<\/em><\/p>\n

\u200c\u200cT\u200c\u200co \u200cu\u200cn\u200cl\u200co\u200cc\u200ck\u200c your account, \u200cy\u200co\u200cu\u200c’\u200cl\u200cl\u200c \u200cn\u200ce\u200ce\u200cd\u200c \u200cs\u200co\u200cm\u200ce\u200c \u200ca\u200cd\u200cd\u200ci\u200ct\u200ci\u200co\u200cn\u200ca\u200cl\u200c \u200cv\u200ce\u200cr\u200ci\u200cf\u200ci\u200cc\u200ca\u200ct\u200ci\u200co\u200cn\u200c<\/em><\/p>\n

For your \u200c\u200cs\u200c\u200cecurit\u200c\u200cy\u200c\u200c and to \u200c\u200ce\u200c\u200cnsur\u200c\u200ce\u200c\u200c only you have \u200ca\u200cc\u200cc\u200ce\u200cs\u200cs\u200c to your \u200ca\u200cc\u200cc\u200co\u200cu\u200cn\u200ct\u200c<\/em>. We will ask you to \u200cv\u200ce\u200cr\u200ci\u200cf\u200cy\u200c your \u200ci\u200cd\u200ce\u200cn\u200ct\u200ci\u200ct\u200cy\u200c<\/em>.<\/p>\n<\/blockquote>\n

\n
\"\"
Fake Apple mail<\/em><\/figcaption><\/figure>\n<\/div>\n

From phish to website spam<\/h2>\n

Clicking the big grey \u201cverify account\u201d button should, in theory, lead you to an Apple phishing page. However, that\u2019s not the case here.<\/p>\n

The link directs people to completely random domains. Some of them appear to be advertisements. Others run the full range of everything from wall cladding services and polytechnics to hotels.<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

There appears to be no rhyme or reason to the URLs being served up. Clicking the link could pretty much drop you anywhere without warning.<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

It currently leads to what appears to be a half-finished page about QR code generation.<\/p>\n

\n
\"\"
A QR code website<\/figcaption><\/figure>\n<\/div>\n

Why is this happening?<\/h2>\n

At this point, we’ve established that there\u2019s no phish here. It’s using phishing as a panic-ruse to have you click through to multiple URLs via email campaigns. In this case, it appears someone has signed up to the below service, and is using this to spam.<\/p>\n

Navigating to the URL included in the mail with the campign component stripped out leads us to the below message:<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n
\n<\/blockquote>\n

Mail blasting for fun and profit<\/h2>\n

Mail spammers will try and abuse legitimate services in order to drop as many missives in your mailbox as possible. Even with countermeasures in place, they’ll slip through the net of even the most careful service provider.<\/p>\n

Regardless of how the spam gets through, get through it will. If you provide mail marketing services, it\u2019s important to have a reporting feature in place. The ability to tie valid registrant details to campaign URLs is also crucial.<\/p>\n

If it\u2019s possible to highlight in mails sent out in some way that it\u2019s via your tool or app, so much the better.<\/p>\n

Keeping yourself safe from mail spam<\/h2>\n

For recipients, much of the typical spam mail advice applies here:<\/p>\n