BY LORI CULWELL
Yesterday I met a woman who owns a trained hawk, so I already wrote a whole post about that, because seriously, what is more interesting than being a professional falconer with a hawk and one of those gnarly leather wrist guards?
However, this morning I received a very “phishy” looking email, so today I am turning this blog into a public service announcement, trying to stop people from clicking anything in this email (should they receive a similar one) and possibly stopping people from getting into what my father would call “a world of hurt.”
Here’s the email. The subject line is "Please verify the contact email address for your Apple ID," in case you get it. This is a screenshot, just for educational purposes (i.e. it is not clickable)
Interesting. This is designed like an Apple email and even uses Apple’s logo, but it has several “tells,” and since I used to consult for Apple back in the day, I will tell you the ones I see:
Email address: I used my super expert knowledge of PhotoShop (ha!) to blank out the email addresses, but this one was addressed FROM my email address, TO my email address. Apple communication always comes from an apple.com address.
Salutation: Apple is way to meticulous to let an email go out with the typo “Dears ,” in the heading, and usually their emails contain your actual name. This part alone tips me off.
“Verify Now” link. Calls to action in Apple communications usually take the form of a button, not a link. Also, I think that Apple communications are usually white on grey, not grey on white like this one.
Based on those three factors, I would declare this a “phishing” email. In case you’re not familiar with “phishing,” that is where hackers pretend to be real companies in order to get you to give up your usernames/ passwords/ other private info, which they then use in nefarious ways. Giving your Apple ID to a hacker would be very bad, becuase as you know, your Apple ID controls all the parts of your online life with Apple (including your iTunes).
In case you’re curious (DO NOT DO THIS), I took this email to a controlled environment (meaning, a PC that is not on my network) and actually clicked on the “Verify Now” link, just to see what would happen. Here is the screen that appeared:
WHOA, check out that url! This website belongs to a company in Brazil, so this is definitely not an Apple website, but the hackers have spoofed the Apple “enter information” user interface to exactly match, so that if you don’t happen to look at the scary url, you will give them your apple ID and password.
Note: I suspect this company might also have been hacked, because the domain tells me that this page is an “orphan” page that was added to a Wordpress installation. If there ever was an argument for aggressive security and managed hosting for Wordpress, this would be it.
Note 2: Yes, I know that my PhotoShopping skills make me look like I’m in the fifth grade. Eventually I’m going to actually buy a tablet that has a pen, so I don’t have to keep circling things and writing on photos using my computer’s trackpad.
I reached out to both Apple and Microsoft, and neither of them would comment on whether they had experienced a security breach that would have allowed hackers to gain access to my email address. If you get an email like this, you should definitely send it to firstname.lastname@example.org, where I bet there are a team of Apple lawyers in a conference room right now, trying to figure out how this happened and how to shut these guys down. I did this as soon as I got the email, and I got a response back saying they were looking into it. I will update again if I hear back from either Apple or Microsoft, or if they issue a statement on what went wrong or what you should do about it.
In case you’re curious, this has happened several other times. Here’s a story about a “suspended Apple ID” phishing email that went out back in October, and here’s one that just happened a few weeks ago.
Be careful out there!
UPDATE, 2:50 pm (eastern time). I reached out to Microsoft to see if they wanted to comment on this security breach, and here is their answer: “Phishing is an industry-wide issue, and Microsoft is aware these types of problems occur. We are committed to helping consumers have a safe, secure and positive online experience. Our general guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources, and that they install and regularly update their anti-virus software.” – Microsoft spokesperson
I feel so much better, don't you?