Bitdefender this week has detected a new phishing campaign targeting iPhone owners with a range of scams aiming to defraud unsuspecting victims.
First things first. If you receive the email pictured below, steer clear! Don”t open if it”s marked as spam. If it arrives as legitimate, don”t click on any link inside! That includes the Unsubscribe button at the bottom. Mark it as junk and move along. It”s your typical phishing scam, preying on the unsuspecting (likely elderly) user.
Now, you may still be curious what”s behind it. Well, it”s our job to investigate spam emails and the devious phishing scams they promote. In other words, we”ve done the hard work, so you don”t have to find out the hard way.
First, let”s take a look at the immediate signs that it”s a scam.
Suspicious email sender â€“ The name of the email sender is Nerve Renew, yet the email address is firstname.lastname@example.org. The discrepancy alone should raise an eyebrow. In any case, the information in the “From” header is easily forgeable, so the address could have been anything else and still work as intended.
Invalid recipients â€“ A telltale sign this scam went to countless other email addresses harvested by hackers in various data breaches and subsequently sold to spammers for use in spam/phishing/fraud campaigns. On the desktop version of iCloud, it says “undisclosed recipients.” On iOS, the recipient appears as [an10]@icloud.com, which means the spammers were either negligent and used one or more invalid email addresses, or it can point to a scripting error. In any case, the signs are there that something is not quite right.
Email body is a picture â€“ You cannot copy the contents and paste it elsewhere. The sender wants to keep us inside the email body, clicking the malicious links inside.
Renewal â€“ If you haven”t subscribed to anything even remotely dealing with “Neuropathy,” you have no reason to believe this email was meant for you personally, let alone that you”re supposed to renew anything.
Miraculous “solution” â€“ The miraculous solution is one of the most common baits in phishing scams. Never fall for it!
Shortened URL â€“ Analyzing the email on a desktop computer reveals another clue. Hovering the mouse pointer over the ad reveals the link behind. And it”s shortened â€“ another sign pointing to a shady sender. This scam only works when you open the link on your iPhone, though it”s harder to test this on iOS. Basically you have to long-tap the ad and use the “copy link” option, then paste it elsewhere (like the Notes app) to see it. However, as we do this, iOS”s Email client starts to load the link in a background preview window, essentially allowing the scam to unfold. So, don”t do this! Remember, we”re doing all this so you don”t have to.
These are just some immediate clues that point to this being a typical phishing email. Now, let”s see what”s behind this miraculous neuropathy cure it seems to advertise.
Clicking on the ad inside the email body takes us through a seemingly endless redirect loop until we finally land on what appears to be a dating app. Right off the bat, we notice we have left the realm of neuropathy.
The scammers meticulously localized their dating app to display the messages in the recipient”s language, in our case, Romanian. Although Anna”s Romanian isn”t flawless, she could pass for a native. And she seems suspiciously interested in getting together even though she knows nothing about us.
Following through with Anna”s alluring invitation to chat yields a premium-rate phone call. If we were to fall into the trap and call Anna, we”d likely get charged a fair amount. Steer clear! It”s a trap! The girl in the picture is not Anna. Rather, it”s a chatbot. And the photo was likely harvested randomly from social media.
After kindly declining Anna”s tantalizing offer, we went back to the original email to see if it yielded the same scam over and over. Not surprisingly, it didn”t. Preying on the diversity of people”s tastes and guilty pleasures, the scam this time greeted us with a slots game.
The game is decently executed but immediately gives itself away as trickery. It tries to send us off to a place where they”ll harvest our data for potentially fraudulent activities.
This time, the Safari browser itself came to the rescue. Good job, Apple!
Reloading the scam a third time yields yet another interesting racket. This time we are greeted by another language-localized swindle trying to scare us into believing we”ve been infected with a virus. In fact, the page claims even our phone”s battery somehow got the flu. This is, in fact, a big fat lie.
The security prompt lookalike is enough to trick an unsuspecting user into believing this warning comes from the iPhone”s built-in security mechanisms. However, we”re actually looking at a rigged website inviting us to download a so-called solution to our problem.
A rough English translation of the message goes like this:
“Multiple viruses have been detected on your iPhone and your battery has been infected and deteriorated. If you don”t eliminate this piece of malware now, your phone stands to incur additional damage.”
It then tells us the only way to fix the problem is to download the app. How convenient! Here”s where it gets interesting. If we naively follow through, we are taken not to a typical scam like the ones above, but to a legitimate app in the official Apple App Store. That”s right: an app supposedly reviewed and approved by Apple”s stringent reviewers. Tsk tskâ€¦!
Here, we encounter a plethora of further signs that we”re being ripped off.
While ColibriVPN seems like an innocent virtual private network app, it”s actually a rather shady piece of software. Upon starting, it immediately greets us with a prompt to start a free trial that gets automatically renewed after three days, and it”s easy to make expensive in-app purchases by mistake.
Taking a quick stroll over to the ColibriVPN App Store page reveals that Dares LLC, the seller of the app, has only this one app on sale. The in-app purchases are exorbitant – $61.99 for six months of full service – and the reviews are mostly fake. Here are a couple of examples:
With a keener pair of eyes, we can spot a couple of negative reviews too.
Navigating over to the developer”s official page yields what looks like a dummy website with no working buttons — another clue that things are likely just set up to look legit. We can”t say for sure if Dares LLC or colibrivpn.com are in any way affiliated with the scammers. Maybe they just paid for a shady advertising avenue without knowing their “business model.” Maybe their web developer dozed off on his keyboard. We”ll give ColibriVPN the benefit of the doubt. But it has enough kinks to earn it a second look from Apple”s reviewers.
Remember the Unsubscribe button we told you to also avoid? Turns out, the unsubscribe button takes us to a page that asks us to enter our email address.
Ask yourself this? If the sender had your email address to begin with, why are they asking for it again? The answer is simple. Spam and phishing campaigns use spray-and-pray techniques, which means the scam gets sent to millions of email addresses, including some that are inactive. It may just be that they”re trying to validate once again that your email address is active, so they can refresh their list and mark you as ripe for upcoming scams. So don”t follow through with the Unsubscribe feature either.
Hopefully you”ve armed yourself with enough knowledge to help you steer clear not just of this phishing campaign, but others like it. To be completely on the safe side, we recommend using Bitdefender Mobile Security for iOS.
The Web Protection feature, which we”ve just added, blocks any dishonest pages targeting your personal information such as your credit card details or Social Security number. With the Account Privacy feature, you can find out whether your email account has been leaked, or if your account is still private. Bitdefender will run a check to discover if your privacy has been breached and let you know if it”s time to change passwords. Oh, and if you are indeed interested in a powerful VPN for your iDevice, Bitdefender Mobile Security has that built-in as well.
That”s it from us. Until next time, stay safe!
Note: Many thanks to Adrian Miron, Manager, Content Filtering Lab (Antispam), Bitdefender, who provided the technical information for this article.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.View all posts
May 16, 2023
March 10, 2023
June 06, 2023