Phishing Apple’s iDisk

Apple's MobileMe is a collection of online services and software. Among its various services is a file-hosting service called iDisk. Recently, Symantec has recorded phishing sites that spoofed iDisk’s Web page. The phishing sites were hosted on a free Web-hosting site.

So, what’s in this service that interests phishers? The service is based on a paid subscription, with which files of up to 20 GB can be uploaded and shared. Phishers are looking to gain access to this service for free. This is an example of a phishing attack targeting user information for reasons other than financial gain.

The phishing site prompts the user to enter their password for logging in. (In this case, the user ID was already populated on the phishing page.) After the password is entered, the page redirects to the legitimate Web page of Apple MobileMe with an error message for an invalid password, which creates the illusion that a common error had occurred.

The phishing URLs contained a query string in which a particular value represented a user’s ID. Changing the value of this ID within the query string would accordingly be reflected on the phishing page. Below is a sample phishing URL:

hxxp://******.com/test?authenticate_username=****** [Domain name and User name removed]

Typically, links to phishing sites are sent to customers through spam email in which the message does not specify the customer’s name. For example, spam email messages are addressed to “Dear Valued Customer” or “Dear Member.” By specifying the user ID, phishers are attempting to gain the user’s confidence. This brings us to another question: where do the phishers get these user IDs?

The user IDs are taken from email addresses. For example, in an address of the form user001@[domain], phishers treat “user001” as the user ID. The email addresses, in turn, are those that have been previously harvested by spammers. Although the user IDs retrieved in this manner may not necessarily represent an actual MobileMe user ID, phishers are simply trying their luck by targeting a large number of users.
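A mail-filtering check for the pattern described above, where a link's query string carries an ID derived from the recipient's own address. This is an added example, not code from the original post; the host names, the trusted-host list and the sample recipient are constructed, and only the `authenticate_username` parameter name comes from the sample URL.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: hosts the organisation treats as legitimate senders of personalised links.
TRUSTED_HOSTS = {"example.org"}

def refang(url):
    """Undo common defanging (hxxp, [.]) so the URL can be parsed."""
    url = url.replace("[.]", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url

def recipient_tokens(address):
    """Values derivable from a harvested address: the full address and its local part."""
    address = address.strip().lower()
    local = address.split("@", 1)[0]
    return {t for t in (address, local) if t}

def flag_personalized_links(recipient, urls, trusted_hosts=TRUSTED_HOSTS):
    """Return (url, parameter) pairs where a query value echoes the recipient."""
    tokens = recipient_tokens(recipient)
    hits = []
    for raw in urls:
        parts = urlsplit(refang(raw))
        host = (parts.hostname or "").lower()
        if host in trusted_hosts or any(host.endswith("." + t) for t in trusted_hosts):
            continue  # personalised links from known-good hosts are expected
        for name, value in parse_qsl(parts.query):  # parse_qsl percent-decodes values
            if value.strip().lower() in tokens:
                hits.append((raw, name))
    return hits

# Constructed sample data (not taken from the original post).
SAMPLE_RECIPIENT = "user001@mail.example"
SAMPLE_URLS = [
    "hxxp://free-host.example/test?authenticate_username=user001",
    "https://example.org/login?user=user001",
    "http://news.example/article?id=42",
    "hxxp://free-host[.]example/test?authenticate_username=user001%40mail.example",
]

if __name__ == "__main__":
    for url, param in flag_personalized_links(SAMPLE_RECIPIENT, SAMPLE_URLS):
        print(f"personalised link: parameter {param!r} in {url}")
```

Very short local parts will match unrelated parameter values, so a hit is best treated as one signal for review rather than a verdict.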

Internet users are advised to follow best practices to avoid phishing attacks:
•    Do not click on suspicious links in email messages.
•    Avoid providing any personal information when answering an email.
•    Never enter personal information in a pop-up page or screen.
•    Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.


My thanks go out to the co-author of this blog, Ashish Diwakar.