Jamf Blog

June 7, 2022 by Jamf Threat Labs

‘No likes’ for iPhone phishing campaign on Instagram

Security, Jamf Threat Labs

Attackers have gotten very good at knowing how to reach you. Sometimes they know your phone number, your email, your place of work, and your colleagues’ names and that would be enough to reach you with a compelling phishing campaign.

But now, thanks to the wafts of personal data changing hands online, attackers also know your interests. Just like brands using your behavior, interests, likes, dislikes and purchase history to target ads to you, attackers are using that information to craft attacks that might be more alluring. This means users are more likely to stumble upon online risks, especially when it comes to attacks distributed on social media where we are very accustomed to having a personalized experience.

Research seen within this article was led by Nikolaos Bloukos.

In February 2022, Jamf Threat Labs discovered a phishing campaign that uses social media as a distribution vehicle. It spreads by tagging users and tricking them into participating in a fake competition to win a new iPhone 13, but there was no real prize. In addition, Apple was not involved in the fake competition.

Initially, the campaign appears to spread scam web content via known techniques such as subscribing the user to receive push notifications, but Jamf’s Threat Labs researchers also discovered the campaign tricks users into providing personally identifiable information (PII) and bank credentials to the attacker.

How it works

The attackers created Instagram accounts, showcasing photos of a person holding a new iPhone 13 device, stating in the caption that you only need to pay $1.95 USD to participate in the competition.

There was a URL (bestevents[.]site) embedded on the fake Instagram account, which lead our research team to a scam website that was hosting the fake iPhone 13 competition that appeared to target users in Greece.

At the time of research, the website was unresponsive and showcased a large number of comments by purported reviewers, to create the illusion that the competition was legitimate. There was even a reply to a comment from an account called “Apple Technical Service” which is not a legitimate Apple account.

Next, our research team was prompted into answering three questions. We tried different responses and they were presented with the same result each time - a prompt claiming “you won.”

After clicking ‘OK’ our researcher was taken down a few different paths with plenty of unsolicited push notifications along the way which can be extremely disruptive for users. We encountered four different examples:

1. ‘I am not a robot’ captcha. The allow button would subscribe the victim to receive push notification alerts from this website.

2. Phishing websites. Multiple versions were seen during the investigation.

3. ‘Your device has a virus’ alert, which would prompt the victim to install a service they didn’t request which, in this case, appeared to be a VPN app.

4. “Your phone needs an urgent update,” which would prompt the victim to install potentially malicious software on their device.

Related accounts

Our research team discovered the account that had spread the campaign was removed from Instagram within 24 hours of discovery. However, the very next day we discovered another Instagram account with the same message about winning an iPhone 13, and the account included a link to a fraudulent Instagram account that used the Amazon logo and hosted the URL my-telefon-life[.]website. This site looks the same as the others, but targeted users in the Czech Republic. This site also resolved back to Russian-hosted IP 185.179.188.139, which is the same as the initial domain discovered.

Related domains

This Russian-hosted IP address resolved to more than 100 additional network resources which leveraged the iPhone 13 brand name, in order to phish PII and credit card information. As observed, the additional Indicators of Compromise(IoCs) appeared to be focused on users in France, Greece, Poland, and the Czech Republic. It is possible that the website redirects the user based on the location of their IP address. This assumption is derived from the fact that our research team based in Europe was brought to websites targeting users in those European countries.

Just as an example, one of those IoCs is claim-iphone-fr[.]site which appears to target users in France.

From this French site, the user is redirected to a phishing website that is impersonating DARTY, a multinational electronics retail company (similar to America’s BestBuy) headquartered in France, in order to pay €1.95 to claim the iPhone 13 prize.

It is worth mentioning some key indicators which reveal that the website was malicious. First, every button or embedded hyperlink on this website was totally unresponsive. The shopping cart, user reviews, social media buttons or even the ability to go back in the category to search for other items were broken.

As a next step, the malicious actors were trying to harvest PII information such as name, phone number, and email address.

In order to further fool victims into believing the competition is legitimate, the site abused the brands of various antivirus and authentication services during the transaction to claim the iPhone 13.

In addition to claiming the credit card information and payment of €1.95, attackers were trying to achieve persistence by declaring in the fine print that this is a subscription service that requires a payment of €65.85 per month.

Below is another example from the same Russian-hosted IP that appears to use Amazon-inspired banding to support the fraudulent competition and prompt users to input payment details to claim the prize in the same way the other sites do.

Some hours after the initial discovery of these phishing websites, they were already taken down. This is an indicator that proves the very short lifespan of a phishing website in general.

What do phishing campaigns and the universe have in common?

They expand.

We saw in this campaign, the same tactics and logic used across multiple Instagram accounts and multiple domains in order to lure in and steal data from victims across the globe using the platforms and brands they trust. This is a large phishing campaign and we predict it will continue expanding as domains are reported and taken offline, new ones will quickly pop up. That is the natural life-cycle of phishing campaigns today.

Jamf Threat Labs discovered, expanded and blocked the IOCs at the network level within Jamf Protect, protecting our customers from falling victim to this campaign and any new websites it launches associated with the identified Russian-hosted IP address.

Associated network IoCs

102 unique network threats identified by Jamf’s Threat Labs OSINT for this phishing campaign.

Sample list: 13-iphone-france.fun 13-iphone-france.site 13-iphone-france.space 13-iphone-france.tech 13-iphone-france.uno 13-iphone-france.website 13-phone-poland.fun 13-phone-poland.site 13-phone-poland.space 13-phone-poland.tech 13-phone-poland.uno 13-phone-poland.website

Friends don't 'heart' scams. Jamf Protect prevents phishing threats at the network level.

Contact Jamf to protect your mobile endpoints from falling victim to this and similar attacks today.

Request Trial

Jamf Threat Labs

Jamf

Jamf Threat Labs is a global team of experienced threat researchers, cybersecurity experts and data scientists with skills that span penetration testing, network monitoring, malware research and app risk assessment. Jamf Threat Labs primarily monitors and explores emerging threats affecting Mac and mobile devices. The team’s research is published with the aim of raising awareness of specific threats while also improving awareness and advocacy of security practices to protect the modern workforce.