Apple Lockdown Mode helps protect users from spyware

Steer Clear of this Apple Invoice Phish

Coming soon to a mailbox near you: a blatant attempt to swipe your payment information. Couched in the well-worn guise of a supposed Apple Store refund, the mail wants potential victims to hand over their Apple ID / password and then a chunk of personal / payment details.

Phishing email

The email, currently in circulation, reads as follows:

Your invoice No.69513279

Dear Apple ID

Thank you for buying the following product on 10/22/2015 9:03:55 a.m.

Product Name: CoPilot Premium HD Order Number: 57620731 Receipt Date: 10/22/2015 9:03:55 a.m. Order total: 34.99 GBP.

If you did not authorize this purchase, please: Click here for Refund

Of course, you probably did not authorise any sort of purchase for a “CoPilot Premium HD” which is exactly the “Oh no my money, I must retrieve it” reaction they’re banking on (unless you actually did buy one of these, in which case things might get a little confusing). Nothing will have people rushing to click buttons and hand over information faster than the possibility of someone making unauthorised payments – clicking the refund links will take them to a fake login, via a redirect on a potentially compromised t-shirt website. The phish pages themselves are located at

aut0carhire(dot)com/index/user12-appleid/index(dot)html

Apple Phish

After handing over Apple ID credentials, the victim is taken to the next step which involves them giving name, address, DOB and full payment information.

Handing over payment info

Confirm your personal and billing information in order to cancel and refund the transaction above:

For your protection, we verify credit card and debit card billing details. The process normally takes about 30 seconds, but it may take longer during certain times of the day. Please click the Confirm button to confirm your information..

Unfortunately, hitting the “Cancel Transaction” button here would be pretty much the exact opposite of cancelling a transaction and victims could expect to see many more actual payments suddenly leaving their bank account. If you have this sitting in your mailbox, delete it. If you’ve already sent the scammers your details, notify your bank and cancel the card – while keeping an eye out for any dubious payments.

Apple themed phish scams are a popular choice for criminals, and whether faced with iTunes logins, “Find my phone” fakeouts, iCloud shenanigans or payment receipts such as the one above, recipients should be wary and – if in doubt – head to official Apple pages to find out if a payment really is being processed.

Christopher Boyd

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.