This morning I received an e-mail claiming to be from Apple. The e-mail said that my Apple ID had been suspended. This is obviously a scam, but I wanted to check it more thoroughly.
Screenshot of the e-mail below:
First I wanted to see if my Apple ID had really been suspended. I started the iTunes app and logged into my account successfully. This kind of simple test can save you from a lot of trouble.
This e-mail has three alarming signs:
- Sender: firstname.lastname@example.org. Apple doesn’t use ssl.com e-mail addresses. Note that many e-mail clients do not show the sender’s e-mail address by default
- Spelling: the word “therefor” is valid but rarely used, so I consider it a spelling mistake
- It was sent to an e-mail address that is not linked to my Apple ID
The source code of the e-mail reveals the sender’s IP address and the related domain name fj.djd.com. It also reveals where the “check here to validate your account information” link points to: http://eu-ssl.com. The VirusTotal detection ratio for this URL is 7/65. The link leads to a phishing site:
- No secure connection (https) is used. Most phishing sites do not support secure connections
- The long domain name: support.apple.com.en-gb.confirm.id.auth.cgi-key.myapple-unlock.user-eu6.ssl-eu.net. It is very common to add the name of the target site (support.apple.com) and some technical jargon like “auth.cgi-key” to the URL. The attacker’s domain is ssl-eu.net. The rest is put there just to fool users
The VirusTotal detection ratio for the phishing URL is 4/65.
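The checks described above (sender domain, unexpected recipient, originating hop in the Received headers, and the link hostname with the brand name buried in attacker-controlled subdomains) can be scripted. The following is an added example written for this post, not code from the original or from Apple. The sample message, the documentation-range IP 203.0.113.10, the sender address support@ssl.com and the recipient addresses are constructed; only the domain names ssl.com, eu-ssl.com, fj.djd.com and the long phishing hostname come from the post. The allow-list of legitimate Apple domains and the two-label registrable-domain rule are simplifying assumptions (a real tool would use the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the post. Headers, the documentation-range IP
# 203.0.113.10, the sender/recipient mailboxes and the body text are made up;
# only the domain names are taken from the post.
SAMPLE_EMAIL = """\
Received: from mail.example.net (localhost [127.0.0.1]) by mail.example.net; Mon, 1 Jan 2024 09:00:00 +0000
Received: from fj.djd.com ([203.0.113.10]) by mail.example.net; Mon, 1 Jan 2024 08:59:58 +0000
From: Apple Support <support@ssl.com>
To: someone@example.net
Subject: Your Apple ID has been suspended

Your Apple ID has been suspended, therefor you must validate your account.
Check here to validate your account information: http://eu-ssl.com/verify
"""

BRAND = "apple"
# Domains the brand really sends from and links to (assumption: a defender
# maintains such an allow-list per brand they care about).
LEGITIMATE_DOMAINS = {"apple.com", "icloud.com"}
# The address actually linked to the Apple ID (assumption, constructed).
ACCOUNT_ADDRESSES = {"me@example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def registrable_domain(host):
    """Rough registrable domain: the last two labels of the hostname.
    Assumption: a one-label public suffix. Production code would consult the
    Public Suffix List so that names like 'example.co.uk' are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url):
    """Return (registrable_domain, findings) for the signs the post lists:
    plain http, the brand name used as a decoy in subdomain labels, a
    registrable domain the brand does not own, and a very deep hostname."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []
    if parsed.scheme != "https":
        findings.append("no TLS (plain http)")
    if reg not in LEGITIMATE_DOMAINS:
        findings.append(f"registrable domain {reg} is not a {BRAND} domain")
    # Everything left of the registrable domain is chosen by whoever owns it.
    subdomains = host[: -len(reg)].rstrip(".")
    if BRAND in subdomains:
        findings.append(f"brand name '{BRAND}' used as decoy in subdomains: {subdomains}")
    if host.count(".") >= 6:
        findings.append(f"unusually deep hostname ({host.count('.') + 1} labels)")
    return reg, findings


def analyze_email(raw):
    """Parse a raw message and apply the header and link checks from the post."""
    msg = message_from_string(raw)
    findings = []

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if registrable_domain(sender_domain) not in LEGITIMATE_DOMAINS:
        findings.append(f"sender domain {sender_domain} is not a {BRAND} domain")

    _, recipient = parseaddr(msg.get("To", ""))
    if recipient.lower() not in ACCOUNT_ADDRESSES:
        findings.append(f"sent to {recipient}, which is not linked to the account")

    # Received headers are prepended by each hop, so the last one in the list
    # is the hop closest to the sender and carries the originating IP.
    received = msg.get_all("Received") or []
    origin_ip = None
    if received:
        match = IP_RE.search(received[-1])
        origin_ip = match.group(1) if match else None

    body = msg.get_payload()  # plain-text, non-multipart sample
    urls = {url: analyze_url(url) for url in URL_RE.findall(body)}
    for url, (_, url_findings) in urls.items():
        findings.extend(f"{url}: {f}" for f in url_findings)

    return {
        "sender_domain": sender_domain,
        "recipient": recipient,
        "origin_ip": origin_ip,
        "urls": urls,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze_email(SAMPLE_EMAIL)
    for finding in report["findings"]:
        print("-", finding)
    print(analyze_url("http://support.apple.com.en-gb.confirm.id.auth.cgi-key."
                      "myapple-unlock.user-eu6.ssl-eu.net"))
```

Run against the constructed sample, the script reports the ssl.com sender, the unexpected recipient, the originating IP from the bottom-most Received header, and the plain-http link to a non-Apple domain; fed the long hostname from the post, it isolates ssl-eu.net as the registrable domain and flags "apple" sitting in the decoy subdomain labels.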
Further reading: Identifying fraudulent “phishing” email by Apple