Thursday, 8 January 2015 Apple phishing

Account verification/ Billing information/ billing details/ account details Apple phishing emails,which were reported on the blog earlier, are back again.

Lots of different From addresses and Subjects.

Sample Message headers:
Subject: Account deactivated - action required
Subject: Account verification failed
Subject: Account verification required
Subject: Billing information expired
Subject: iCloud Account verification failed
Subject: Please confirm your billing details
Subject: Please update your account details
Subject: Your Apple account requires verification

From: "Apple Co" {}
From: "Apple Ltd" {}
From: "Apple Org" {}
From: "Apple Org" {}
From: "Apple SarL" {}
From: "Apple support" {}
From: "AppleID Support" {}
From: "Your Apple support" {}
From: "Your Apple support" {}

Sample Message body:
Dear Apple User,
We are constantly working to increase security for all our users, and to ensure maximum account security we periodically check and review accounts.

Your account has be placed on restricted status as we were unable to verify some of the billing information associated with your account. This can be due to either of the following reasons:

1. A recent change in billing information
2. Invalid billing information entered intially during the registration process.
Please note that we are obligated to deactivate accounts that are not verified withing 3 days.
In order to complete account verification, please visit the reference link below to update your billing information:
Apple Online Accounts Support

The above link to Apple site, doesn't take you there but instead takes you to a fake phishing site:
The fake phishing site above looks like this:
The fake apple domain was recently set-up, details here:
   Sponsoring Registrar IANA ID: 1564
   Whois Server:
   Referral URL:
   Name Server: NS-UK.TOPDNS.COM
   Name Server: NS-USA.TOPDNS.COM
   Status: clientTransferProhibited
   Updated Date: 08-jan-2015
   Creation Date: 07-jan-2015
   Expiration Date: 07-jan-2016

Registry Domain ID: 1894514293_DOMAIN_COM-VRSN
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2015-01-08T19:20:30Z
Creation Date: 2015-01-07T18:12:24Z
Registrar Registration Expiration Date: 2016-01-07T18:12:24Z
Registrar: TLD Registrar Solutions Ltd.
Registrar IANA ID: 1564
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +44.7546458118
Registry Registrant ID: 
Registrant Name: Marcin Wozniak
Registrant Organization: 
Registrant Street: 212 HOOVER STREET
Registrant City: Napa
Registrant State/Province: California
Registrant Postal Code: 94559
Registrant Country: US
Registrant Phone: +1.324710248
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email:
The fake phishing site will also ask you to hand over your credit card details too....


1 comment:

Wayne Stephenson said...

Just received the mail myself. Nice work, saved me going through all the message body contents :)