I received a pretty good Apple phish this morning

  • Article

This morning, I discovered that I had received an email “from” Apple informing me that I had recently updated my credit card with Apple:

image

The screenshot above is from my Thunderbird email client but that’s not where I originally checked it – I originally checked it on my phone.

  1. The first thing I thought when I got this email was “That’s odd; I don’t remember updating my credit card.”

  2. The second thing I thought was that it was strange that Apple wrote the date I changed my credit card was Day/Month/Year. Apple is an American company and they would either write a date as Month-Day-Year, or Year-Month-Day. The format used is something that Europeans typically do, not Americans.

  3. The third thing that went through my mind was that this was most likely a phishing message. I decided to click the link to see where it would go. I was reasonably confident that since I was checking it on a Windows phone that there was no drive-by download malware designed for my particular phone and I also had no plans to enter in my credentials. The link never actually loaded.

When checking it on my phone it loses a lot of the rendering. That’s part of the problem. Above, you can see that the images fail to load. But on my phone there was no indication that there were any images at all. The lack of loading images in Thunderbird along with no option to load them would make me immediately suspicious but because there was no indication of this on my phone, no suspicions were raised.

Furthermore, the only link in the above phishing message that actually went anywhere was the one to iforgot.apple.com. All the other ones didn’t point anywhere if I hovered my mouse over them. However, on my phone, there is no option to hover over a link. The only way to verify it is to click and see where it goes (which is why I clicked on it above).

Finally, in Thunderbird I can easily open up the headers of the message and take a look where the message came from, thus confirming it as a phish. There’s no way to view the raw source of a message on my phone.

And this illustrates the conundrum of mobile mail clients: yes, they are convenient but it’s difficult for users to inspect the message when it is suspicious using the heuristics I just described above. You can do it on a desktop client, but not on a mobile one. I would think that would make it easier for phishers to trick users since there’s no way for them to investigate further (assuming, of course, that they even did this to begin with).