Ethical Hacking News
Scammers are abusing Apple account change alerts to deliver phishing lures inside legitimate emails sent from Apple's servers. The emails pass multiple authentication checks, yet they trick recipients into believing their accounts were used for fraudulent purchases, prompting them to call a scammer's "support" number.
- Callback phishing emails abusing Apple account change notifications have surged, tricking recipients into calling a scammer's "support" number.
- The phishing emails were sent from Apple's infrastructure using legitimate addresses and passed multiple authentication checks.
- Despite robust security protocols, attackers successfully embedded a phishing message within the email.
- The campaign used replication attacks to modify account shipping information and embed phishing messages into legitimate alerts.
- The attacker used a mailing list to distribute emails to multiple targets, resembling previous phishing campaigns that abused iCloud Calendar invites.
- Users are advised to treat unexpected account alerts with extreme caution, particularly if they contain unusual email addresses or prompt the recipient to call a support number.
The recent surge in callback phishing emails that abuse Apple account change notifications is a stark reminder of the ever-evolving tactics employed by cybercriminals. According to sources, including BleepingComputer, these emails are specifically designed to trick recipients into believing their accounts were used for fraudulent purchases, thereby inducing them to call the scammer's "support" number.
The phishing email in question was sent from Apple's infrastructure using a legitimate address, namely appleid@id.apple.com. Moreover, it passed several authentication checks, including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). Passing these checks shows that the message really was sent on behalf of Apple's domain, which makes it far less likely to be treated as spam; the checks say nothing about whether the content of the message can be trusted.
However, despite these robust protections, the attackers were able to successfully embed a phishing message within the email. The message claimed that an iPhone purchase had been made via PayPal, complete with a phone number for the recipient to call in order to cancel the transaction. This tactic was reminiscent of previous callback phishing campaigns, where recipients were tricked into installing remote access software or providing sensitive financial information.
A closer examination of the email headers revealed that the message originated from Apple's mail infrastructure and had not been spoofed. The initial server used for the attack was rn2-txn-msbadger01107.apple.com, with an outbound relay through outbound.mr.icloud.com. Furthermore, the IP address associated with this campaign was 17.111.110.47, which is also owned by Apple.
Replication attacks were also conducted by modifying the account's shipping information, causing Apple to send a security alert notifying the user of the change. This resulted in the phishing message being embedded directly into the email and delivered as part of a legitimate alert. The attacker had managed to trick the recipient into believing that their account had been compromised.
Interestingly, the original recipient differed from the final delivery address, indicating that the attacker was using a mailing list to distribute the emails to multiple targets. This campaign bore resemblance to previous phishing campaigns that abused iCloud Calendar invites to send fake purchase notifications through Apple's servers.
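A triage check for the pattern described above, written as an added example rather than code from the article or from Apple: it reports SPF/DKIM/DMARC results separately from content findings, so a message that authenticates cleanly can still be flagged for a callback lure or for a delivery address that is not in To. The sample message, the Delivered-To header, the keyword list and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample, not a real capture. Only the From address comes from
# the article; every other value (hosts, recipients, number) is made up.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=id.apple.com;
 dkim=pass header.d=id.apple.com; dmarc=pass header.from=id.apple.com
Delivered-To: victim@example.net
From: Apple <appleid@id.apple.com>
To: list-owner@example.org
Subject: Your account information has been updated

Shipping address changed. Your iPhone purchase via PayPal was approved.
To cancel call support at +1 (800) 555-0199.
"""

PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
LURE = re.compile(r"\b(purchase|paypal|cancel|refund|call)\b", re.I)

def auth_results(msg):
    """Map spf/dkim/dmarc to their verdicts from Authentication-Results.
    Assumes the header was stamped by your own receiving MTA."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I))

def triage(raw):
    """Report sender authentication separately from content findings."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # plain-text, single-part message assumed
    auth = auth_results(msg)
    findings = []
    # A phone number plus purchase/cancel wording is the callback lure.
    words = {w.lower() for w in LURE.findall(body)}
    if PHONE.search(body) and len(words) >= 2:
        findings.append("callback-lure")
    # Delivered to an address that is not in To: suggests list fan-out.
    to_addrs = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    delivered = (msg.get("Delivered-To") or "").strip().lower()
    if delivered and delivered not in to_addrs:
        findings.append("recipient-mismatch")
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    return {"authenticated": authenticated, "findings": findings}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, the result is authenticated with both findings present, which is the combination a mail filter should score on content rather than on sender reputation alone.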
The implications of this campaign cannot be overstated. It serves as a stark reminder that even seemingly legitimate sources can be used to launch sophisticated attacks. Users are advised to treat unexpected account alerts claiming purchases or urging them to call support numbers with extreme caution, particularly if they did not initiate any recent changes or if the email contains unusual email addresses.
The lack of response from Apple regarding this campaign further underscores the need for vigilance in the face of such threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Apple-Account-Change-Alerts-Abused-to-Send-Phishing-Scams-ehn.shtml
https://www.bleepingcomputer.com/news/security/apple-account-change-alerts-abused-to-send-phishing-emails/
https://support.apple.com/en-us/102406
Published: Sun Apr 19 12:15:01 2026 by llama3.2 3B Q4_K_M