This Surprisingly Convincing Phishing Scam Imitates Apple Support


You may have a keen eye for spotting scams, but scammers keep finding new ways to weaponize trusted systems to avoid detection. In this case, attackers opened genuine Apple support tickets to lend credibility to a phone call, then phished two-factor authentication (2FA) codes to gain access to iCloud accounts.

Security researcher and software product manager Eric Moret describes the scheme in detail on Medium, showing how social engineering tactics can sow enough fear and confusion to fool even those who know the red flags. (Another example of this kind of fraud: a financial advice columnist was talked into handing over $50,000.)

How scammers exploit Apple's support system

The Apple Support scam began with a genuine text message from Apple containing a 2FA code, followed by verification notifications on all of Moret's devices indicating that someone was trying to log into his account. He then received an automated call from Apple with a different 2FA code. The text was delivered via a five-digit short code and the call came from a toll-free number; both are used by legitimate businesses and are not by themselves a scam signal.

However, the next call came from a 404 (Atlanta) number. The caller claimed to be from Apple support, said that Moret's account was under attack, and assured him that a support ticket was being opened. During a follow-up call that lasted 25 minutes, Moret received a genuine email confirmation of the Apple support case (it turns out anyone can open an Apple support ticket in someone else's name) and was instructed to reset his iCloud password.

He was then sent a link via text, again from a 404 number, supposedly to close the ticket. Clicking it took Moret to a phishing website that spoofed the real Apple page (the URL was apple-apple[dot]com), where he was asked to enter the six-digit 2FA code he had just received by text message. An email then arrived in his inbox alerting him that an unknown Mac mini had been used to log into his iCloud account, which the caller told him over the phone was "expected as part of the security process" and "standard operating procedure."

Moret then immediately reset his iCloud password again to disable the rogue device.

In hindsight, the signs are easy to see: an unsolicited call about an urgent security issue, a 404 number, a phishing link that isn't a real Apple subdomain, a request for an authentication code. But the Apple support ticket, with its real case number and official emails from apple.com domains, provided enough trust, and the multiple 2FA notifications provided enough urgency, for the scheme to work.


This is the problem with social engineering. It manipulates emotions and instincts that are stronger than logic and reason, leading to actions that are not in our best interests.

How to Stay Safe

As always, be wary of anyone who calls, texts, or emails you about security or account issues, even if you have received genuine security alerts or they quote a valid case number. Do not click links, enter credentials, or read out codes when asked to do so by unsolicited callers. Do not accept assurances from anyone over the phone, no matter how calm and confident they sound.

If you are concerned, contact the company directly using trusted contact information or open a support ticket yourself. Always check URLs and subdomains carefully: attackers craft them to look legitimate, and a lookalike such as apple-apple[dot]com or a real brand name buried in a subdomain is not the same as apple.com.
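The URL check above is easy to get wrong by eye, so here is an added example (not code from the article or from Apple) of doing it mechanically: extract the host from a link, reduce it to its registrable domain, and compare that against an allowlist. The sample links are constructed for illustration; only apple-apple[dot]com comes from the article, the other lookalike domains are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample links. apple-apple.com is the lookalike from the article;
# the remaining lookalikes are made-up shapes that fool a casual glance.
SAMPLE_LINKS = [
    "https://support.apple.com/en-us/HT201303",          # genuine subdomain
    "https://apple-apple.com/support/case/close",         # hyphenated lookalike
    "https://apple.com.security-case.example/login",      # brand buried in a subdomain
    "https://www.apple.com@apple-apple.com/verify",       # userinfo trick: host is after '@'
    "http://support.apple.com:8080/x",                    # right host, wrong scheme
    "https://appleid.apple.com./",                        # trailing dot, still apple.com
]

# Domains we are willing to trust for an Apple account link (assumption).
TRUSTED_REGISTRABLE_DOMAINS = {"apple.com", "icloud.com"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels.

    Simplification: real code should consult the Public Suffix List, because
    suffixes like co.uk have two labels of their own.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_trusted_link(url: str, trusted=TRUSTED_REGISTRABLE_DOMAINS) -> bool:
    """True only for an https link whose registrable domain is on the allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname  # drops userinfo ("www.apple.com@") and any port
    if not host:
        return False
    # Reject internationalised or punycode hosts outright: they are the usual
    # vehicle for homoglyph lookalikes and none of the trusted domains need them.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return False
    return registrable_domain(host) in trusted


def classify_links(links=SAMPLE_LINKS) -> dict:
    """Map each link to its verdict, so the table can be printed or asserted on."""
    return {link: is_trusted_link(link) for link in links}


if __name__ == "__main__":
    for link, ok in classify_links().items():
        print(f"{'TRUSTED ' if ok else 'SUSPECT '} {link}")
```

Note that the host is taken from `urlsplit(...).hostname`, not by eyeballing the string: that is what defeats the `www.apple.com@apple-apple.com` form, where everything before the `@` is ignored by the browser.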

Also, know that simply enabling 2FA is not enough to keep your accounts secure. Some forms are (obviously) easy to phish, as this story shows: a six-digit code is just a number, and nothing stops you from typing it into the wrong website. Where possible, use a phishing-resistant method such as a hardware security key or WebAuthn credentials (passkeys, including biometric unlock) rather than codes; those credentials are bound to the site's real domain, so a lookalike site cannot use them.
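To make the difference concrete, here is an added example (constructed for this article, not Apple's code or the WebAuthn specification) that models the relay described above against both kinds of second factor. The attacker triggers a real login so the real code reaches the victim, the phishing page collects it, and the attacker replays it. Against a 2FA code that works; against an origin-bound credential it fails twice over, because the browser refuses to let apple-apple.com use apple.com's credential and because the assertion it can produce is signed over the wrong domain. HMAC stands in for the real public-key signature to keep the example short; the class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

REAL_SITE = "apple.com"
PHISHING_SITE = "apple-apple.com"   # lookalike domain from the article


class OtpServer:
    """Model of a code-based second factor: the code is a bearer secret,
    so whoever presents it first gets in."""

    def __init__(self):
        self._pending = {}

    def start_login(self, account):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = code
        return code  # in reality delivered to the account owner's phone

    def finish_login(self, account, code):
        expected = self._pending.pop(account, None)
        return expected is not None and hmac.compare_digest(expected, code)


def victim_types_code(site, code):
    # A six-digit code carries no notion of which site it belongs to; the
    # victim, convinced by the caller, types it wherever they are told.
    return code


def otp_relay_attack(server, account):
    real_code = server.start_login(account)              # victim's phone buzzes
    typed = victim_types_code(PHISHING_SITE, real_code)  # phishing page collects it
    return server.finish_login(account, typed)           # attacker replays it


class Authenticator:
    """Stand-in for a passkey or hardware key. Simplification: HMAC over a
    shared secret replaces the real per-credential signature."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, rp_id, challenge):
        # The signed message covers the RP ID the browser observed.
        msg = hashlib.sha256(rp_id.encode()).digest() + challenge
        return hmac.new(self.secret, msg, hashlib.sha256).digest()


def browser_get_assertion(page_origin, rp_id, challenge, authenticator):
    """Browser rule: a page may only request an RP ID that equals its own
    domain or a parent of it. apple-apple.com cannot request apple.com."""
    if not (page_origin == rp_id or page_origin.endswith("." + rp_id)):
        raise PermissionError(f"{page_origin} may not use RP ID {rp_id}")
    return authenticator.sign(rp_id, challenge)


class WebAuthnServer:
    def __init__(self, rp_id, authenticator):
        self.rp_id = rp_id
        self._secret = authenticator.secret  # stands in for the stored public key
        self._challenges = set()

    def start_login(self):
        challenge = secrets.token_bytes(32)
        self._challenges.add(challenge)
        return challenge

    def finish_login(self, challenge, assertion):
        if challenge not in self._challenges:
            return False
        self._challenges.discard(challenge)
        msg = hashlib.sha256(self.rp_id.encode()).digest() + challenge
        expected = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def legitimate_webauthn_login(server, authenticator):
    challenge = server.start_login()
    assertion = browser_get_assertion(REAL_SITE, REAL_SITE, challenge, authenticator)
    return server.finish_login(challenge, assertion)


def webauthn_relay_attack(server, authenticator):
    challenge = server.start_login()  # attacker forwards the real challenge
    try:
        # Phishing page tries to borrow apple.com's RP ID: the browser refuses.
        assertion = browser_get_assertion(PHISHING_SITE, REAL_SITE, challenge, authenticator)
    except PermissionError:
        # Best it can do is an assertion under its own RP ID ...
        assertion = browser_get_assertion(PHISHING_SITE, PHISHING_SITE, challenge, authenticator)
    # ... which the real site rejects, because the signature covers the wrong domain.
    return server.finish_login(challenge, assertion)


if __name__ == "__main__":
    print("OTP relay succeeds:     ", otp_relay_attack(OtpServer(), "victim@example.com"))
    auth = Authenticator()
    site = WebAuthnServer(REAL_SITE, auth)
    print("Passkey legit login:    ", legitimate_webauthn_login(site, auth))
    print("Passkey relay succeeds: ", webauthn_relay_attack(site, auth))
```

The point is in `browser_get_assertion` and `Authenticator.sign`: the domain is supplied by the browser from the page's actual origin, not typed by the user, and it is part of what gets signed. The victim in the article could not have handed over a passkey assertion the way he handed over the code.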
