I got the following phishing email from “Apple”:
Your ApрIe ID ( xxx ) was used to sign in to other device. Date and Time: 16 August 2017, 04:28 PM (GMT+10) Operating System: Linux. If you have not logged in recently and feel someone is logged in to your account, go to ApрIe ID ( Verification your account ) and update your account. ApрIe Suρρort
The “Verification your account” text contains a hyperlink to https://t.co/ccFy4cn8jr?=redirect.
When I click that link I get redirected to what looks like the official Apple website. How is this possible? Has the t.co link been adjusted/modified/redirected to protect people from going to the malicious website?
When I submit the HTTP request I receive the following response:
<head>
<noscript>
<META http-equiv="refresh" content="0;URL=https://appleld.apple.com.3c8fcfcffe480bc910-verify.info/?adu">
</noscript>
<title>https://appleld.apple.com.3c8fcfcffe480bc910-verify.info/?adu</title>
</head>
<script>window.opener = null; location.replace("https:\/\/appleld.apple.com.3c8fcfcffe480bc910-verify.info\/?adu")</script>
Visiting https://appleld.apple.com.3c8fcfcffe480bc910-verify.info/?adu correctly triggers a “Malicious site detected” warning, unlike clicking the original t.co link.
What is happening here? Why does clicking the t.co link take me to the legitimate Apple website, when I should instead be redirected to a phishing website? Is it possible that I have been harmed here by cross-site scripting? Or is it only redirecting to a fake website?
Best Answer
That is not the legitimate Apple ID website. Notice the lowercase l in the URL in place of an uppercase i. Not only that, the actual domain is something-verify.info rather than apple.com. In this case appleld.apple.com is merely a subdomain, and since anyone can register anything as a subdomain on their own site, they should have kept that i instead of replacing it with an l. The URL might have looked slightly less suspicious.

Report this email as spam/phishing, and if you entered your credentials on that site, immediately head to the real appleid.apple.com and change your password.
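The two tricks discussed in this thread, a client-side redirect page (meta refresh plus location.replace) and a lookalike hostname that puts the brand in a subdomain of an unrelated registrable domain, can be checked mechanically. The script below is an added triage example, not code from the thread or from Apple or Twitter: it extracts every redirect target from an HTML body and reports the host's registrable domain, whether the brand's labels appear only as a subdomain, and which labels differ from the expected one only by ASCII look-alikes (l/i, 1/i, 0/o). It also lists non-Latin letters in the email text, such as the ones visible in “ApрIe” and “Suρρort”. The SAMPLE_RESPONSE is a constructed copy of the HTML quoted in the question, the Cyrillic and Greek code points in SAMPLE_EMAIL are an assumption about the characters used in the email, and the two-label registrable-domain rule is a deliberate simplification of the Public Suffix List.

```python
import html
import re
import unicodedata
from urllib.parse import urlparse

# Constructed samples mirroring the question's email and redirect page (not live data).
# The Cyrillic er (U+0440) and Greek rho (U+03C1) are assumed stand-ins for Latin p.
SAMPLE_EMAIL = "Your Ap\u0440Ie ID ( xxx ) was used to sign in to other device. Ap\u0440Ie Su\u03c1\u03c1ort"
SAMPLE_RESPONSE = r"""<head>
<noscript>
<META http-equiv="refresh" content="0;URL=https://appleld.apple.com.3c8fcfcffe480bc910-verify.info/?adu">
</noscript>
<title>https://appleld.apple.com.3c8fcfcffe480bc910-verify.info/?adu</title>
</head>
<script>window.opener = null; location.replace("https:\/\/appleld.apple.com.3c8fcfcffe480bc910-verify.info\/?adu")</script>
"""

# <meta http-equiv="refresh" content="0;URL=..."> and location.replace/assign/href = "..."
META_REFRESH = re.compile(r'content\s*=\s*["\']\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)', re.I)
JS_NAVIGATE = re.compile(r'location\.(?:replace|assign|href\s*=)\s*\(?\s*["\']([^"\']+)["\']', re.I)


def extract_redirect_targets(body: str) -> list:
    """Pull every client-side redirect target (meta refresh and JS location.*) out of an HTML body."""
    found = []
    for m in META_REFRESH.finditer(body):
        found.append(html.unescape(m.group(1)))
    for m in JS_NAVIGATE.finditer(body):
        found.append(m.group(1).replace("\\/", "/"))  # undo the JS "\/" escaping
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels. Fine for .com/.info; real code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def brand_as_subdomain(host: str, brand: str) -> bool:
    """True when the brand's labels appear inside the host but the registrable domain belongs to someone else."""
    labels, wanted = host.lower().split("."), brand.lower().split(".")
    if registrable_domain(host) == brand.lower():
        return False
    return any(labels[i:i + len(wanted)] == wanted for i in range(len(labels) - len(wanted) + 1))


# ASCII characters commonly swapped for one another in lookalike labels
CONFUSABLE_FOLD = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})


def ascii_confusable(label: str, expected: str) -> bool:
    """True when label equals expected only after folding ASCII look-alikes (l->i, 1->i, 0->o)."""
    return label != expected and label.translate(CONFUSABLE_FOLD) == expected.translate(CONFUSABLE_FOLD)


def foreign_script_letters(text: str) -> list:
    """Letters outside ASCII with their Unicode names; catches Cyrillic/Greek characters posing as Latin."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in text if ch.isalpha() and ord(ch) > 0x7F]


def triage(body: str, brand: str = "apple.com", brand_label: str = "appleid") -> dict:
    """Summarise why a redirect page's destination should be treated as phishing for the given brand."""
    report = {"targets": [], "hosts": []}
    for url in extract_redirect_targets(body):
        host = (urlparse(url).hostname or "").lower()
        report["targets"].append(url)
        report["hosts"].append({
            "host": host,
            "registrable_domain": registrable_domain(host),
            "brand_used_as_subdomain": brand_as_subdomain(host, brand),
            "confusable_labels": [lbl for lbl in host.split(".") if ascii_confusable(lbl, brand_label)],
            "foreign_script": foreign_script_letters(host),
        })
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_RESPONSE))
    print(foreign_script_letters(SAMPLE_EMAIL))
```

Run against the constructed sample, the report shows a single target whose registrable domain is 3c8fcfcffe480bc910-verify.info, with apple.com present only as a subdomain and the label appleld flagged as an l-for-i look-alike of appleid; the email text yields four non-Latin letters. Fetching the t.co link to obtain the body is deliberately left out: do that from an isolated analysis host, never from the inbox.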