A sophisticated Apple vishing scam has been uncovered. In contrast to most phishing attempts that use email, this scam used voice calls (vishing) with the calls appearing to have come from Apple.
The scam starts with an automated voice call to an iPhone that spoofs Apple Inc. The caller display shows the call as coming from Apple Inc., increasing the likelihood that it will be answered. The recipient is told that there has been a security breach at Apple and that user IDs have been compromised, and is advised to stop using the iPhone until the problem has been resolved. The recipient is asked to call Apple support back for further information, and a different telephone number is provided for this purpose.
The scam was reported to Brian Krebs (KrebsOnSecurity) by a woman who had received such a call. Krebs called the number provided, and the call was answered by an automated system. He was then redirected to an "Apple" customer service agent with an Indian accent. After being placed on hold, the call was disconnected. While the aim of the attack was not determined, Krebs assumed it was an attempt to obtain credentials over the phone.
Vishing is commonly used in tech support scams, which claim the user has a malware infection that requires downloading (fake) antivirus scanning software. That software is often itself malware or spyware, or the user is required to pay for assistance in removing the supposed infection.
This iPhone vishing scam differs from past scams in that the call appears to have come from Apple Inc. and is displayed as such on the iPhone, along with genuine Apple contact information (address, website, and phone number).
The woman who received the call suspected it was a scam and requested a call back from Apple support via the official Apple webpage. The customer service representative advised the woman that it was most likely a scam and that Apple does not contact customers by phone to inform them of security breaches.
When the call was ended, the official call was grouped together with the scam call in the call history, further suggesting that both calls – the scam call and the official call from Apple – were legitimate. It is worrying that, even though different phone numbers were used for each call, the iPhone was unable to distinguish them.
The woman who received the call was the CEO of the security firm Global Cyber Risk LLC and was therefore well versed in the tactics scammers use to obtain sensitive information. Less security-conscious individuals, however, may be fooled by such a convincing Apple vishing scam.