Rotten Phish: Dissecting a phishing email

Phishing is a form of social hacking; the hackers try to get people to divulge their email addresses, passwords, and other key information by sending out fake emails that are usually from email addresses in Russia (sorry, Russian readers, but it's true...). Yesterday I received a phishing email that was so execrably bad that I just had to share it with readers of Apple World Today. Here's the email: 

[Image: screenshot of the phishing email]

What's wrong with this? Everything.  

  • The email subject isn't capitalized; it's all lower case letters, which Apple will never do
  • This email has obviously been written by someone who is not a native English speaker, as the phrasing is laughable
  • "Including your email icloud as well" - awful grammar, and iCloud is written in all lower case, once again something Apple would never do
  • That image is obviously a try at avoiding a trademark lawsuit if Apple ever catches the person(s) who sent it. That's the old Apple logotype
  • Apple will never terminate an account for non-use, on the off chance that after years of not using a service like iCloud or iTunes, you may decide to use it and spend money
  • A partial HTML tag (</center>) is just visible at the bottom of the email, proving that not only are the writers of the phishing message morons, but they don't have very good web coding skills either.
  • Apple will rarely ask you to click a link in an email to get to a web page. Instead, you'll be asked to log into your iTunes/iCloud/Apple Music/Apple ID account through the normal method. Never click a link in a phishing email!
  • Apple never puts links in white on a red background

What's "right" with it?  One thing.

Usually, you can right-click on the sender address in a phishing email and find it comes from some ".ru" address, even though it shows an official-looking display name like "Apple iCloud Account Services". These guys used "Apple Service ID" (which is so fake sounding it's ridiculous), and right-clicking shows the address to be the somewhat believable "no-reply@mail.apple.com". That makes no difference: a From address can be forged, so a plausible sender proves nothing, and what they want people to do is click on that red link marked "Save it for me" -- which you should NOT do.

If you click on that link, you are sent to a web page at the following address: 

https://webbitgifts.com/A

which of course has NOTHING to do with Apple. Once again, you can determine the destination of a link by right-clicking it (on a Mac) or tapping-and-holding it (on an iOS device). Now the web page that this address redirects to actually looks like the Apple ID page. Don't be fooled! Once again, check the address in the Safari or Chrome address bar:

http://appleid.apple.com.account.manage.wets.myapleid.woa.wa.directt.myappleid.woa.25napplic2faccount.25napplic2faccountmasdfhjkoa9limg234567890.webbitgifts.com/index/index/src/index/index.php?api=_login-detail&session=5e930e2e937433992f627e7354c50e8d&wait=d1ab2555a560ea018f8d04333f6cd5b6eace2480

First, Apple will never use just an "http" address. All Apple websites are prefixed with https, meaning the connection is encrypted with TLS and the server presents a certificate for the domain you are visiting. Second, read past the "appleid.apple.com" at the start: everything before the first slash is the hostname, and the part that tells you who owns the site is the end of it, which here is the same "webbitgifts.com" domain name -- that's not Apple. The "appleid.apple.com" at the front is just a subdomain label the attacker added to their own site.
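As an added illustration (not code from the article), the Python below automates the two checks walked through above by hand: compare the displayed From address with the envelope Return-Path, and pull every link out of the HTML body to see where it really points. The sample message is constructed to mirror the email described here; the Return-Path value is a made-up placeholder, and the two link targets are the URLs quoted in the article. The `registrable_domain` heuristic (last two labels of the hostname) is an assumption that ignores multi-part public suffixes such as co.uk, which is adequate for these .com cases.

```python
"""Added example (not from the article): check a phishing email's sender
headers and links against the brand's real domain."""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "apple.com"

# Constructed sample message. Return-Path is a placeholder; the URLs are
# the ones the article quotes.
RAW_EMAIL = b"""\
Return-Path: <bounce@example-phisher.invalid>
From: "Apple Service ID" <no-reply@mail.apple.com>
Subject: your account will be terminated
Content-Type: text/html; charset=utf-8

<center><p>Including your email icloud as well.</p>
<a href="https://webbitgifts.com/A">Save it for me</a></center>
"""

LONG_URL = (
    "http://appleid.apple.com.account.manage.wets.myapleid.woa.wa.directt."
    "myappleid.woa.25napplic2faccount.25napplic2faccountmasdfhjkoa9limg234567890."
    "webbitgifts.com/index/index/src/index/index.php?api=_login-detail"
    "&session=5e930e2e937433992f627e7354c50e8d"
    "&wait=d1ab2555a560ea018f8d04333f6cd5b6eace2480"
)


def registrable_domain(hostname):
    """Owner-controlled part of a hostname, assumed to be its last two labels."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_url(url, expected_domain=EXPECTED_DOMAIN):
    """Return the reasons a link does not belong to expected_domain."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    findings = []
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, not https")
    if domain != expected_domain:
        findings.append(f"registrable domain is {domain!r}, not {expected_domain!r}")
        if expected_domain in host:
            # the brand name is present, but only as a subdomain of someone else's site
            findings.append(f"{expected_domain!r} appears only as a subdomain label of {domain!r}")
    if len(host) > 60:
        findings.append(f"hostname is {len(host)} characters long")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw, expected_domain=EXPECTED_DOMAIN):
    """Compare From vs Return-Path domains and inspect every link in the body."""
    msg = email.message_from_bytes(raw)
    report = {"sender": {}, "links": []}
    for header in ("From", "Return-Path"):
        _, addr = parseaddr(msg.get(header, ""))
        if "@" in addr:
            report["sender"][header] = registrable_domain(addr.split("@", 1)[1])
    # a displayed From domain that differs from the envelope sender is a forgery signal
    report["sender_mismatch"] = len(set(report["sender"].values())) > 1
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        report["links"].append(
            {"text": text, "url": href, "findings": inspect_url(href, expected_domain)}
        )
    return report


if __name__ == "__main__":
    result = analyze(RAW_EMAIL)
    print("sender domains:", result["sender"], "mismatch:", result["sender_mismatch"])
    for link in result["links"]:
        print(f'"{link["text"]}" -> {link["url"]}')
        for finding in link["findings"]:
            print("   -", finding)
    print("redirect target findings:")
    for finding in inspect_url(LONG_URL):
        print("   -", finding)
```

Run against the constructed message, the From header resolves to apple.com while the Return-Path does not, and the "Save it for me" link is flagged because its registrable domain is webbitgifts.com; the long redirect URL additionally trips the plain-http, brand-as-subdomain and hostname-length checks.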

What should I do with this email if I receive it? 

Trash it immediately, or even better, mark it as spam. Don't worry -- valid Apple emails will still come through but anything from "webbitgifts.com" will end up in your junk folder. 

Stay safe out there, friends!