Symantec researchers warn that the Kelihos botnet is now being used to send spam emails specifically targeting Apple customers, following last week's exposure of several celebrities' personal photos taken from their iCloud accounts.
"Symantec has observed Kelihos (also known as Waledac) being used to send spam emails purporting to be from Apple, informing the victim that a purchase has been made using their account on the iTunes store," the researchers noted in a blog post.
The spam emails, which come from a spoofed apple.com address, contain the subject line "Pending Authorisation Notification," and claim that the recipient's iTunes account has been used to purchase the film "Lane Splitter" on an IP address located in Volgograd, Russia.
"If you are not the one who made this operation, we recommend that you urgently check your AppleID," the email states, offering a link to a phishing page that poses as an Apple website and asks visitors to enter their Apple ID and password.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
"If the victim does so, the attackers will presumably harvest their credentials for exploit or resale," the researchers write, noting that the spam campaign was launched just days after news broke that several celebrities' iCloud accounts had been hacked.
Following those breaches, Apple CEO Tim Cook told the Wall Street Journal that Apple plans to start alerting users via email and push notifications whenever someone tries to change an account password, restore iCloud data to a new device, or log into an account for the first time. The article, which was published on September 5, 2014, states that Apple plans to start adding such notifications "in two weeks."
In the meantime, the McAfee Labs Threat Report: August 2014 [PDF] reports that the company's McAfee Phishing Quiz, which tested business users' ability to detect phishing emails, found that fully 80 percent of the 16,000 business users who took the test fell for at least one in seven phishing emails.
"Although the respondents were not really in their own inboxes, we find this figure shockingly high," the report states. "It takes only one successful delivery of malware to a vulnerable system to establish a foothold in almost any business."
PhishMe CEO Rohyt Belani said by email that McAfee's findings clearly demonstrate that the traditional approach to user security training is failing. "Annual CBT and security-themed posters help organizations check a compliance box, but fail to engage the target audiences, aren't frequent enough for recipients to retain the information, and often cover such a broad range of topics that recipients miss relevant information," he said.
"Immersive training that focuses on the phishing threat through simulated exercises that provide instant, bite-sized education to recipients who show susceptibility is the best way to cultivate a user base that defends against phishing," Belani added.