Rotten Apples: Resurgence

In June 2016, we published a blog about a phishing campaign targeting the Apple IDs and passwords of Chinese Apple users that emerged in the first quarter of 2016 (referred to as the “Zycode” phishing campaign). At FireEye Labs we have an automated system designed to proactively detect newly registered malicious domains and this system had observed some phishing domains that were designed to appear as legitimate Apple domains. Most of the domains reported by this system were suspended in June 2016, which resulted in a loss of momentum for the Zycode phishing campaign. Throughout the second quarter of 2016, the Zycode phishing campaign was in hibernation.

We recently observed a resurgence of the same phishing campaign when our systems detected roughly 90 phony Apple-like domains that were registered from July 2016 to September 2016. Once again, Chinese Apple users are being targeted for their Apple IDs and passwords using the same content reported on in our earlier blog. The majority of these domains are registered in the .com TLD by email accounts from qq[.]com, and the IPs of these domains point to mainland China, as seen in Figure 1.

Figure 1: Google map showing the location of the hosted phishing domains

What has not Changed?

The attackers have not changed the content of the phishing sites. The obfuscated JavaScript used in the earlier version is once again being used here in this campaign. We have provided the details of JavaScript and screenshots of interaction with the website in our earlier blog.

What has Changed?

Apparently the domains and email addresses used in previous version of the campaign were effectively taken down. Now the attackers have moved to a new malicious infrastructure; new domains, IPs and email addresses are being used for this campaign. The new domain names for the campaign are listed in Table 1, while their IPs and registrant emails are reported in Table 2 and Table 3, respectively.

Domains List

Table 1: Apple phishing domains serving the Zycode phishing kit.

Unique IP(s)

Table 2 shows the list of unique IPs, which are not the same as what was seen before.

Table 2. IP addresses used by the domains.

Unique Email Addresses

The email addresses used to register these domains, showing no similarity with email addresses in the previous campaign, are shown in Table 3.

Table 3. List of unique registrant emails.

Unique Registrants

Table 4 shows the registrant names, which have no similarity with the previous registrant name information.

Table 4. List of registrant names used by the phishing domains.

How to Avoid Being a Victim

Apple provides information on phishing here and here, and on iCloud security here. There are simple ways for a user to be more secure against this and similar attacks. The following are a few tips:

• Enable two-factor authentication for Apple ID.
• Always check the address bar for the correct web address.
• Avoid clicking links in emails and SMS messages that supposedly direct to iCloud pages.
• Use our FireEye EX appliance, which provides effective detection for the Zycode phishing campaign.