Scam Email – Apple iCloud

Millions of people own Apple devices, so it’s inevitable that scammers will try to take advantage of that. I mentioned an iTunes scam last year, but even more common and dangerous are scams that try to access your iCloud account, and I’ve received one such email this week. It’s not the first and it won’t be the last.

Of course, Apple will never send out emails claiming your account information is incorrect. They also won’t use pop-up ads, phone calls or text messages of this nature either, which some scammers are also trying to do. So never give your details to anyone who contacts you out of the blue claiming there are issues with your iCloud account, and don’t click on any links they provide either.

If you are ever worried about your iCloud account’s security, change your Apple ID password immediately and contact Apple Support via their official website if you need further help. If you’ve given out any banking details, tell your bank as well. You should also report these emails to Apple by following the instructions on their Suspicious Emails page. I’ve included advice from Apple at the end of this post too, in case you think your Apple ID has been compromised.

So let’s get on to the email. As usual, it has clear giveaways as to how fake it is. If you’ve followed my scam posts before (and I notice they do get viewed very regularly), none of this will be new to you. But a reminder’s always good.

The Email

From: Support

To: Me

Subject: iCloud account limited for security reasons

Dear Customer,

We’ve noticed that some of your account information appears to be missing or incorrect, to avoid the closure of your account please sign in to your Apple ID and securely amend the information in your account. If we don’t receive the information before this deadline, we will be forced to disable your account for security reasons.
Please amend your account information by clicking on the link below :

Sign In and Review

Note:

If your account is disabled you will not be able to use your iCloud to unlock your iPhone or be able to use any of the iCloud or App Store features.

Thank you for your patience and understanding. If you need further assistance please click Help at the bottom of Apple page.

Sincerely,

Apple Inc.

_____________________________________________________________________

This is an automatically generated email, Please do not reply
Read our privacy policy, Security and Protection if you have any questions
Copyright © 1999-2019 Apple Inc All Rights Reserved.

From Address

The name displayed is “Support”, but clicking on the name reveals the address behind it is noreplay@uca.ac.ma. That’s nothing to do with Apple or iCloud whatsoever – their emails always come from an address ending in apple.com. But in this case, the “.ma” domain is for Morocco, and the “.ac” part suggests an academic institution like a university. The best match for that seems to be Université Cadi Ayyad, whose website address is www.uca.ma. Also, I think the scammer is trying to use a “no reply” address, like many companies do, but they’ve misspelt it as “no replay” instead.

So everything about the From address is wrong. You don’t need to go any further to know that the email is a scam, but let’s carry on anyway, as scammers do create more realistic From addresses than that sometimes.

To Address

The scammers have sent it to me directly, as my email address is in the To field (rather than just “Undisclosed Recipients”, which would mean my name is on the blind copy list). Seeing my email address here does not prove it’s real though. I can see it because my name’s on a scammer’s mailing list and, as you’ll see later, they’ve sent the email out using a mailmerge service designed for newsletters. Also, my mail account filtered it as Junk anyway, so it was automatically recognised as dodgy. But that won’t happen for everyone, which is why I make posts like this.

Subject

“iCloud account limited for security reasons” – It’s an attention grabber of a subject line to someone who’s not familiar with scams like this. And it’s even spelt correctly. But having established from the From address already that it’s fake, and the fact that Apple don’t send out emails of this nature, we can ignore this.

Logo

The Apple logo is included to make it look official. It’s amazing the effect a simple logo can have really. It can have the same effect as someone in real life putting on a uniform and pretending to do a particular type of job. But a logo is just an image, and copying them is child’s play. So don’t trust an email just because it has the company branding on it, that means nothing. It’s far too easy to replicate.

Message

As usual, the message has various tell-tale signs that it’s a scam:

• “Dear Customer”
  Apple will always address people by name, not a generic greeting like this.
• “We’ve noticed that some of your account information appears to be missing or incorrect, to avoid the closure of your account please sign in to your Apple ID and securely amend the information in your account.”
  Two sentences have been rolled into one here, so it doesn’t flow properly. There should be a full stop after “incorrect”, so the next sentence starts with “To avoid the closure…”.
• “If we don’t receive the information before this deadline…”
  They haven’t specified a deadline. The email doesn’t say when this needs to be done by.
• “Please amend your account information by clicking on the link below :”
  There’s a space before the colon, which is wrong.
• “Note:”
  The note following this heading is in large bold text. But the word “Note:” itself is in small plain text, which looks very odd and inconsistent compared to the note it’s referring to.
• “If you need further assistance please click Help at the bottom of Apple page.”
  The grammar is poor here. Perhaps they’ve missed a word and it should say “the Apple page” instead, but even that doesn’t really sound right. “The Apple website” might be better, but even if you go to Apple’s official site, there isn’t a Help link at the bottom anyway (apart from Shopping Help, which wouldn’t apply here). So no matter how the above sentence is worded, it’s referring to a link that doesn’t exist. The actual link you would need is Support at the top of the Apple website.
• An official Apple footer has also been added to make the message look authentic. But again, we already know that it’s not real by this point.

Link

The text of the link (“Sign in and Review”) isn’t centred over the button it’s placed across, so it looks very misaligned.

And hovering over the link shows that it’s pointing to a very messy address at sendgrid.net, which again has nothing to do with Apple. In fact, Sendgrid are a legitimate company that let you generate and send out email newsletters. So the scammer is using their system to send out scam emails to people on a mailing list. Hence each email has the recipient’s own address in the “To” field, as they all get sent out individually.

When you get emails via a newsletter company like this, the links in the email will initially point to that newsletter company’s website. The link contains a special tracking code, which allows account holders to track how many people have clicked on their links, and modify their email campaigns accordingly. The email recipient is then redirected to the actual destination. It happens in a second, so you don’t notice. And it’s perfectly normal behaviour for companies and charities that send out email newsletters.

But for scammers, it also means that you don’t know where the link is actually going to take you until you’re quickly redirected, which is great for them. Clearly in this case it’s not going to be the Apple site. Apple wouldn’t use a newsletter company like this, they don’t need to. They link directly to their website.

Obviously I didn’t want to click the link to find out where it was going, in case the destination has viruses that would be downloaded to my machine. So instead, I pasted the link into a redirect tracer, which does the work for me. And in this instance it turns out the link will take you to visitworld.com.py/apple, which is where the scam is hosted (so don’t go there!). That website appears to be for a travel agency in Paraguay called Visit World (who are on Facebook here). Either they’ve been hacked or they’re directly involved, I don’t know. But they’re clearly not Apple in any case.

The Scammer

I don’t usually get the chance to name those responsible, but when examining the source code of this particular email, I saw a comment that says “<! SPYUS TEAM !>”. I’ve had a very careful look at one of their websites, at spyus.org, and it’s riddled with typos and grammatical errors like their emails. They illegally sell mailers, scripts, bots, etc for people to run scams, including Apple, Netflix and Paypal scams. So they may well be responsible for the Netflix and Paypal scams I’ve had in the past.

But in this instance we can be sure that an amateur scammer has bought Spyus products to run a scam to get people’s personal details. And as noted earlier, that buyer appears to be based in a Moroccan university, if the From address is any indication. But it could easily be a fake address, of course. But it wouldn’t surprise me if it was a lonely student desperate for attention.

Spyus themselves are also lonely and attention-seeking by definition, but they appear to be from Jakarta, Indonesia instead, at least according to the Facebook profile where they advertise their scams. I’ve saved copies of all the posts and photos and the entire friends list from that profile, and I’ve reported it to Facebook of course, so hopefully they’ll take notice. Likewise, I’ve also reported their Youtube channel, where they illustrate how realistic their scams look. Both pages are still up at the time of writing, so please report them as well if you can. I’ve also highlighted Spyus in the report I sent to Apple of course. And I’ve also tagged Apple, Paypal and Netflix on Twitter to alert them as well.

Of course, like any scammers, even if they get taken down they’ll just keep popping up again with new names, new websites, etc. But the more we can report them to the relevant organisations, and expose them online for the lowlife criminals that they are, then any slight disruption it causes to their business is a good thing.

Apple’s Advice

For completion, this is the advice I received in the automated response from Apple’s phishing mailbox. It’s important to read this if you want to know more about phishing scams or if you believe your Apple ID has been compromised:

Thank you for reporting a suspected phishing email to Apple. This message was automatically generated in response to your report to let you know that we received it. Please don’t reply to this message.

If you think you might have entered personal information like a password or credit card info on a scam website, immediately change your Apple ID password.

Scammers use any means they can—fake emails, pop-up ads, text messages, even phone calls—to try to trick you into sharing your information, like your Apple ID password or credit card number.

To help protect your personal information, use two-factor authentication for your Apple ID, and never share your Apple ID password or temporary verification codes with anyone.

Learn more about security and your Apple ID.

Learn how to protect yourself from phishing and other scams.

Conclusion

Apple iCloud scams, in their various forms, are very common, so always be wary of a random message claiming that your account has a problem. Never give information out to anyone who contacts you out of the blue like that, and never click on links in unsolicited emails or suspicious pop-ups that claim your account has an issue. That doesn’t just apply to Apple either – it’s important to be cautious about messages for any accounts you have, especially if you’re being asked to resubmit your details. If in doubt, always contact the company via their official website. Stay safe!