This morning I received an e-mail claiming to be from Apple. The e-mail said that my Apple ID has been suspended. This is obviously a scam, but I wanted to check it more thoroughly.

Screenshot of the e-mail below:

[Screenshot: apple-id-phish-email-10-2015]

First I wanted to see if my Apple ID had really been suspended. I started the iTunes app and logged into my account successfully. This kind of simple test can save you from a lot of trouble.

This e-mail has three alarming signs:

  • Sender: no-reply@appleid.ssl.com. Apple doesn’t use ssl.com e-mail addresses. Note that many e-mail clients do not show the sender’s e-mail address by default
  • Spelling: the word “therefor” is valid, but not commonly used. Therefore I consider it a spelling mistake
  • It was sent to an e-mail address that is not linked to my Apple ID

The source code of the e-mail reveals the sender’s IP address and related domain name fj.djd.com. It also reveals where the “check here to validate your account information” link points to: http://eu-ssl.com. The VirusTotal detection ratio for this URL is 7/65. The link leads to a phishing site:

[Screenshot: apple-id-phishing-10-2015]

You should carefully check the address bar, because it might reveal the true nature of the website:

  • No secure connection (https) is used. Most phishing sites do not support secure connections
  • The long domain name: support.apple.com.en-gb.confirm.id.auth.cgi-key.myapple-unlock.user-eu6.ssl-eu.net.
    It is very common to add the name of the target site (support.apple.com) and some technical jargon like “auth.cgi-key” to the URL. The attacker’s domain is ssl-eu.net; only that rightmost registered domain determines who controls the site, and every label to the left of it is chosen freely by its owner. The rest is put there just to fool users

The VirusTotal detection ratio for the phishing URL is 4/65.
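As an added example (not from the original post), here is a small Python checker that applies the two address-bar rules above to a URL: it extracts the registrable domain, flags a plain http connection, and flags a trusted brand name that appears only in the subdomain labels. The TRUSTED_DOMAINS allow-list and the two-label domain heuristic are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list of registrable domains the real service uses (illustrative).
TRUSTED_DOMAINS = {"apple.com", "icloud.com"}


def registrable_domain(host: str) -> str:
    """Crude heuristic: the last two labels of the host name.
    Production code should consult the Public Suffix List (e.g. for 'co.uk')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_url(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return the registrable domain plus a list of warnings for a link."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    warnings = []
    if parts.scheme != "https":
        warnings.append("no secure connection (https)")
    if reg not in trusted:
        warnings.append(f"registrable domain is {reg!r}, not a trusted domain")
    # A brand name that appears only left of the registrable domain is a decoy:
    # those labels are picked freely by whoever owns the rightmost domain.
    decoys = [lab for lab in host.lower().split(".")[:-2]
              if any(brand.split(".")[0] in lab for brand in trusted)]
    if decoys and reg not in trusted:
        warnings.append(f"brand name used as decoy in subdomain: {'.'.join(decoys)}")
    return {"host": host, "registrable_domain": reg,
            "warnings": warnings, "suspicious": bool(warnings)}


if __name__ == "__main__":
    # The address bar from the screenshot above (constructed from the post's text).
    phish = ("http://support.apple.com.en-gb.confirm.id.auth.cgi-key."
             "myapple-unlock.user-eu6.ssl-eu.net/")
    for u in (phish, "https://appleid.apple.com/"):
        r = check_url(u)
        print(r["registrable_domain"], "suspicious" if r["suspicious"] else "ok", r["warnings"])
```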

Further reading: Identifying fraudulent “phishing” email by Apple