Fake Apple sign‑ins stealing iClouds
Security reporting uncovered a years‑long campaign that used convincing fake Apple sign‑in pages to steal iCloud backups and login credentials. Separate phishing lures impersonating urgent iCloud deletion or upgrade notices have also been observed, and outlets have published step‑by‑step avoidance advice. (phonearena.com) (techradar.com)
A years-long spying campaign used fake Apple sign-in pages to steal iCloud credentials and pull victims’ phone backups from the cloud. (techcrunch.com) TechCrunch reported on April 8 that researchers tied the operation to a hack-for-hire group targeting journalists, activists and government officials across the Middle East and North Africa. The attackers used phishing to get Apple account logins, then accessed iCloud backups and Signal accounts. (techcrunch.com)

A backup is the copy of an iPhone’s data stored on Apple’s servers, and it can include messages, photos, app data and device settings. Once attackers get the Apple account login tied to that backup, they can try to download a broad snapshot of the victim’s phone. (icloud.com) (9to5mac.com)

9to5Mac said on April 13 that Lookout’s investigation found nearly 1,500 web addresses built to impersonate legitimate services and host phishing pages or other malicious infrastructure. In the Apple-focused part of the campaign, the fake pages were designed to capture Apple account credentials. (9to5mac.com)

A separate wave of Apple-themed phishing has used urgent messages that say iCloud storage is full or that photos will be deleted unless the user upgrades. TechRadar, citing consumer group Which?, said the messages push victims to click links that lead to fake payment or sign-in pages. (techradar.com)

Forbes reported on April 12 that one version warned users that “all your photos will be deleted,” while Cybernews described emails claiming photos and videos would soon stop saving unless storage was upgraded. The common tactic is urgency: a deadline, a warning, and a button that sends the user somewhere other than Apple. (forbes.com) (cybernews.com)

Apple’s own guidance says not to use links or phone numbers from unexpected messages, emails or calls that ask for personal information. The company tells users to go directly to a known Apple website or to open Settings on their device instead of tapping through from a warning. (support.apple.com)

Apple also says it will never ask for passwords, device passcodes or two-factor authentication codes to provide support, and suspicious emails about Apple can be forwarded to reportphishing@apple.com. If an account may already be compromised, Apple says users should change their password immediately and review which devices are signed in. (support.apple.com 1) (support.apple.com 2)

The thread running through both campaigns is simple: a fake Apple page can be enough to unlock the real iCloud account behind it. The safest response to an iCloud warning is to ignore the message, open Apple’s apps or website yourself, and check the account there. (support.apple.com)