
Phishing Email Targets iCloud Users, Stealing Password, Credit Card and Security Questions.

September 7, 2014

The private photos of certain celebrities leaked on August 31, 2014 were purportedly stolen through iCloud. Apple released a statement:

After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.

On Sunday, September 7, 2014, we are receiving reports of a phishing email targeting iCloud users.

All the images in the email are actually loaded from Apple's own servers, a common technique in phishing emails that makes the message look legitimate.

[Screenshot: the phishing email impersonating Apple iCloud]

Notice the address at the bottom of the phishing email: it doesn't make any sense, mixing up UK and US addresses.

The link goes to icaresupportplus.com/myicloud, a page designed to capture iCloud passwords from unsuspecting victims.

[Screenshot: the icaresupportplus.org/icloud phishing page]

[Screenshot: the SSL certificate presented by icaresupportplus.org]

After stealing the iCloud user's password, the rabbit hole goes deeper.

[Screenshot: the follow-up forms on icaresupportplus.org]

It asks for personal information, including:

Billing Address

[Screenshot: icaresupportplus.org billing address form]

Credit Card information

[Screenshot: icaresupportplus.org credit card form]

Security Questions, Date of Birth and Mobile Number

[Screenshot: icaresupportplus.org security questions, date of birth and mobile number form]

Whois information on icaresupportplus.org:

Domain Name:ICARESUPPORTPLUS.ORG
Domain ID: D173863788-LROR
Creation Date: 2014-09-07T17:14:09Z
Updated Date: 2014-09-07T17:32:39Z
Registry Expiry Date: 2016-09-07T17:14:09Z
Sponsoring Registrar:Register.IT SPA (R124-LROR)
Sponsoring Registrar IANA ID: 168
WHOIS Server:
Referral URL:
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: serverTransferProhibited
Domain Status: addPeriod
Registrant ID:a5aa7c4caad3
Registrant Name:Andy Drummond
Registrant Organization:Andy Drummond
Registrant Street: 2 Heath Lane Cottages, Startley
Registrant City:Chippenham
Registrant State/Province:Wiltshire
Registrant Postal Code:SN15 5HH
Registrant Country:GB
Registrant Phone:+44.7482992002
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:andydrummon@onlinesales.com
Admin ID:a5fc85e2fa64
Admin Name:Administrator Domain
Admin Organization:Namesco Limited
Admin Street: Acton House, Perdiswell Park
Admin City:Worcester
Admin State/Province:England
Admin Postal Code:WR3 7GD
Admin Country:GB
Admin Phone:+44.8453633630
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:transfers-auth@names.co.uk
Tech ID:TC-a5fb9a8ae9
Tech Name:Namesco Limited
Tech Organization:Namesco Limited
Tech Street: Acton House, Perdiswell Park
Tech City:Worcester
Tech State/Province:England
Tech Postal Code:WR3 7GD
Tech Country:GB
Tech Phone:+44.8453633630
Tech Phone Ext:
Tech Fax: +44.8453633631
Tech Fax Ext:
Tech Email:register.it@names.co.uk
Name Server:EMMA.NS.CLOUDFLARE.COM
Name Server:KANYE.NS.CLOUDFLARE.COM
DNSSEC:Unsigned
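The indicators this post calls out (brand images served from Apple's servers while the link points elsewhere, a sender domain that is not Apple's, and a lookalike domain whose WHOIS creation date is the same day the mail went out) can be combined into a small triage check. This is an added example, not code from the original post; the sample message, the WHOIS excerpt, the apple.com/icloud.com allowlist and the 30-day age threshold are constructed assumptions.

```python
"""Triage heuristics for a suspected brand-impersonation e-mail, modelled on
the iCloud lure in this post. Added example; message and WHOIS text are constructed."""
import re
from datetime import date, datetime
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAINS = {"apple.com", "icloud.com"}  # assumption: the brand being imitated
EMAIL_DATE = date(2014, 9, 7)                # the day the reports came in

# Constructed sample: brand images hosted by Apple, link to a lookalike domain.
SAMPLE_EML = """From: iCloud Support <notice@icloudmaildirect.com>
Subject: Verify your Apple ID
Content-Type: text/html

<img src="https://www.apple.com/img/logo.png">
<a href="https://icaresupportplus.org/myicloud">Sign in</a>
"""

# Constructed WHOIS excerpt, same field layout as the registry output above.
SAMPLE_WHOIS = "Domain Name:ICARESUPPORTPLUS.ORG\nCreation Date: 2014-09-07T17:14:09Z\n"

def registered_domain(host):
    """Crude eTLD+1: last two labels (fine for .com/.org, wrong for .co.uk)."""
    return ".".join(host.lower().split(".")[-2:])

def whois_creation_date(text):
    """Parse the 'Creation Date:' line of a thin-registry WHOIS record."""
    m = re.search(r"^Creation Date:\s*(\S+)", text, re.M)
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").date() if m else None

def triage(raw_eml, whois_text, today):
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_eml)
    body = msg.get_payload()
    sender = registered_domain(parseaddr(msg["From"])[1].split("@")[-1])
    imgs = {registered_domain(urlparse(u).hostname) for u in re.findall(r'src="([^"]+)"', body)}
    links = {registered_domain(urlparse(u).hostname) for u in re.findall(r'href="([^"]+)"', body)}
    findings = []
    if sender not in LEGIT_DOMAINS:
        findings.append(f"sender domain {sender} is not an Apple domain")
    # The post's observation: logos load from apple.com, but the link does not go there.
    if imgs & LEGIT_DOMAINS and links - LEGIT_DOMAINS:
        findings.append(f"brand images from {sorted(imgs & LEGIT_DOMAINS)} but links go to {sorted(links - LEGIT_DOMAINS)}")
    created = whois_creation_date(whois_text)
    if created is not None and (today - created).days < 30:
        findings.append(f"link domain registered {(today - created).days} day(s) before the e-mail")
    return findings
```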


The phishing email was purportedly sent from notice@icloudmaildirect.com.

[Screenshot: the phishing email header showing the sender notice@icloudmaildirect.com]

Whois information on icloudmaildirect.com:


Domain Name: ICLOUDMAILDIRECT.COM
Registrar: WEBFUSION LTD.
Whois Server: whois.123-reg.co.uk
Referral URL: http://www.123-reg.co.uk
Name Server: DARL.NS.CLOUDFLARE.COM
Name Server: MIA.NS.CLOUDFLARE.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 07-sep-2014
Creation Date: 07-sep-2014
Expiration Date: 07-sep-2015

>>> Last update of whois database: Sun, 07 Sep 2014 21:55:37 UTC <<<

Domain Name: ICLOUDMAILDIRECT.COM
Registry Domain ID:
Registrar WHOIS Server: whois.meshdigital.com
Registrar URL: http://www.domainbox.com
Updated Date: 2014-09-07T00:00:00Z
Creation Date: 2014-09-07T00:00:00Z
Registrar Registration Expiration Date: 2015-09-07T00:00:00Z
Registrar: WEBFUSION LIMITED
Registrar IANA ID: 1515
Registrar Abuse Contact Email: support@domainbox.com
Registrar Abuse Contact Phone: +1.8779770099
Reseller: 123Reg/Webfusion
Domain Status: clientDeleteProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: Jennifer Gibson
Registrant Organization: Jennifer Gibson
Registrant Street: High Juniper Cottage
Registrant City: Hexham
Registrant State/Province: Hexham
Registrant Postal Code: NE46 1SN
Registrant Country: GB
Registrant Phone: +44.1434602641
Registrant Phone Ext:
Registrant Fax Ext:
Registrant Email: amaryllismacintyre@englandmail.com
Registry Admin ID:
Admin Name: Jennifer Gibson
Admin Organization: Jennifer Gibson
Admin Street: High Juniper Cottage
Admin City: Hexham
Admin State/Province: Hexham
Admin Postal Code: NE46 1SN
Admin Country: GB
Admin Phone: +44.1434602641
Admin Phone Ext:
Admin Fax Ext:
Admin Email: amaryllismacintyre@englandmail.com
Registry Tech ID:
Tech Name: Webfusion Limited
Tech Organization:
Tech Street: 5 Roundwood Avenue
Tech City: Stockley Park
Tech State/Province: Uxbridge
Tech Postal Code: UB11 1FF
Tech Country: GB
Tech Phone: +44.3454502310
Tech Phone Ext:
Tech Fax Ext:
Tech Email: yoursupportrequest@123-reg.co.uk
Name Server: darl.ns.cloudflare.com
Name Server: mia.ns.cloudflare.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2014-09-07T22:55:44Z <<<


If you received this email, please forward it as an attachment to spam@icloud.com.

OS X Mail

  1. Open the message and choose “Forward as Attachment” from the Message menu.
  2. Forward the message to iCloud at spam@icloud.com.
  3. Forward the message again to abuse@domain, replacing domain with the part of the sender’s email address after the @ symbol. For example, if the sender’s email address is spammer@spammydomain.com, forward the message to abuse@spammydomain.com.

Microsoft Outlook 2010 and Outlook 2013

  1. Choose File > Options.
  2. In the Options window, click Mail in the left-hand panel.
  3. In the “Replies and Forwards” section, note the current setting so that you can change it back later. Then change the “When forwarding a message” setting to “Attach original message”.
  4. Click OK.
  5. Forward the message to iCloud at spam@icloud.com.
  6. Forward the message again to abuse@domain, replacing domain with the part of the sender’s email address after the @ symbol. For example, if the sender’s email address is spammer@spammydomain.com, forward the message to abuse@spammydomain.com.
  7. To return Outlook to your previous settings, repeat steps 1 to 4, but in step 3 change the “When forwarding a message” setting back to the way it was. If you don’t remember the setting, choose “Include original message text”.

Microsoft Outlook 2007

  1. Choose Tools > Options.
  2. In the Options window, click Email Options in the Preferences tab.
  3. In the Email Options window, under “On replies and forwards,” note the current setting so that you can change it back later. Then change the “When forwarding a message” setting to “Attach original message”.
  4. Click OK.
  5. Forward the message to iCloud at spam@icloud.com.
  6. Forward the message again to abuse@domain, replacing domain with the part of the sender’s email address after the @ symbol. For example, if the sender’s email address is spammer@spammydomain.com, forward the message to abuse@spammydomain.com.
  7. To return Outlook to your previous settings, repeat steps 1 to 4, but in step 3 change the “When forwarding a message” setting back to the way it was. If you don’t remember the setting, choose “Include original message text”.

Be safe.
