Apple won't call to ask you to tell them a code you get on your iPhone

Posted in iPhone, edited September 4
A tech YouTube personality was recently the target of an attempted phishing attack, recounting on Twitter how a phone caller impersonating Apple tried to gain access to his iCloud account.

Like many other big companies, Apple's services have become a target for con artists and scammers, who try numerous ways to gain control of user accounts. In one retelling of an attack that took place on Saturday evening, a YouTube personality describes how a phone-based scam attempt unfolded.

At 7:13pm on Saturday, Jon Rettinger of The Apple Circle received multiple two-factor authentication alerts on his phone, according to a video posted to Twitter. Rettinger hadn't made the request; someone else was trying to get into his iCloud account, so he declined the code prompts and changed his password from his iPhone.

Rettinger then received a phone call, spoofed to look as though it was coming from Apple itself. The caller, claiming to represent Apple, said they had noticed fraud on the account, namely two attempted password resets followed by a password reset, and that they were calling to make sure he "was okay."

After stating that the attempts stemmed from Vancouver, Canada, while Rettinger was in California, the caller said they wanted to enroll him in "advanced protection," described as a "freeze" on resets for the account "to make sure that you're safe."

The caller then said they would need Rettinger to read out a one-time code to them, a request that was a major red flag for the tech personality. "Never read a code to anybody over the phone," warns Rettinger.

While not mentioned, the "one-time code" was probably the two-factor authentication code prompt that kept appearing on the iPhone.

This just happened. Attempted iCloud hack. Be vigilant. @Apple pic.twitter.com/qtXABIL9vq

-- Jon Rettinger (@Jon4Lakers)


After Rettinger told the caller he didn't feel comfortable reading a one-time code out to a supposed Apple employee, and asked if there was another way to do it, the caller hung up.

Rettinger concludes the video by describing the scam attempt as "pretty advanced," warning his followers to be on the lookout for it. He ends the video with a request: "Apple, if you're watching, fix this?"

Apple's website offers guidance on many different scams and phishing attempts, including phone calls. It warns that caller ID usually shows a spoofed Apple phone number, that the scams tend to claim there's suspicious activity on an account or device, and that callers may use flattery, incentives, and threats to extract account credentials.

Apple's advice to users who receive an unsolicited or suspicious phone call from someone claiming to be Apple or Apple Support is to "just hang up." Users in the United States are also advised to report scam calls to the FTC or to their local law enforcement agency.

Owners of iPhones may also want to look into the various ways spam calls and texts can be minimized or blocked automatically, to reduce the chances of being caught up in fraudulent calls.


Comments

  • Reply 1 of 15
    dewme Posts: 4,543, member
    This guy is a pretty cool customer. I think a small number of less savvy iCloud users would have succumbed to this attack. This is yet another reminder to be wary of taking any action on any security related solicitations of any kind that you did not initiate, regardless of who the solicitation is coming from or the subject matter, e.g., online services, financial relationships, personal accounts of any sort, etc.

    It’s getting harder every day trying to deal with this stuff. Relaying stories related to any new attack strategies that are in the wild here on AppleInsider is very useful for your readers. It won’t end anytime soon, but thanks anyway.
  • Reply 2 of 15
    fred1 Posts: 1,010, member
    I’m very glad to know about this.  Here in Europe I’ve been deluged by callers who say they’re from Microsoft and want access to my computer. It seems like an obvious scam, but a friend fell for it, gave them access, and they drained his bank account of thousands of euros. 
    edited September 4
  • Reply 3 of 15
    ronn Posts: 559, member
    "Apple, if you're watching, fix this?"

    I seriously doubt Apple was watching. And what exactly can Apple do? Isn't the spoofing done via the carrier network?

    An elderly couple that I assist constantly get alerts from "Amazon." The simplest solution is hanging up and calling Amazon (or whomever the scammer is claiming to be calling from) to verify any "suspicious activity under your account." And just use common sense.

    I've gotten texts from CitiBank about suspicious activity with my account. Which is hilarious as I closed my CitiBank accounts nearly 30 years ago and haven't looked back. Again, use common sense folks. Abort & Report.
  • Reply 4 of 15
    People, even old people, are generally reluctant to give information to anyone who arrives at their door. But I wonder why they are far less reluctant to give out information when contacted via computer or phone.

    We have public service announcements to stop people from lighting fires outdoors. Maybe we need public service announcements telling people not to respond to calls, text or emails. Any benefactor out there want to help? I hear Bill Gates like to provide support for public education.
  • Reply 5 of 15
    I used to get Robocalls like that but they now seem to have thinned out. Probably no phone numbers to spoof.
  • Reply 6 of 15
    davidw Posts: 1,686, member
    That was not a "phishing" scam. With most, if not all, phishing scams the scammers do not know the log-in and the password to an account and are trying to get both. But with this one, not only did the scammer know the log-in to the account, but also the phone number to which Apple sent the two-factor authentication code when someone tried to log in from an unknown device. And in order to get Apple to send the code, the scammer must have known the password. With two-factor authentication, one must enter the correct password before Apple will send a code to a trusted device for log-in verification. Without entering the correct password to the account, Apple might only send a warning of the attempts to log in. Apple sends the code to verify that it's you logging in from an unknown device. This scammer was trying to hack into this guy's account and already knew his log-in, password and verified phone number for the account. Not "phishing" for accounts to hack into by getting people they randomly call to reveal their log-in and password.

    Plus, if this guy changed his password as soon as he received the first set of two-factor authentication codes, then there's no way for the scammer to get Apple to send another code without knowing the new password. Plus the code times out. And how did the scammer know the password to the account was reset, without knowing the login and original password?

    If you use "forgot password", then with two-factor authentication, Apple tells you to use one of your other trusted devices to change the password to your Apple ID. It does not involve sending a code where the password can be changed on the device one is trying to log in from. Or answering the security questions from that device. And then you would still need to get a code to log in with a new password, if it's not a trusted device. That involves more than "phishing".
  • Reply 7 of 15
    As @Davidw says, this guy’s story has holes in it. As @22july2013 says, people wouldn’t give strangers key info in the real world. 
    "Apple, if you're watching", please stop gullible people from creating Apple IDs. 
  • Reply 8 of 15
    I think one very important thing when it comes to spam calls is listening to the type of person that is calling. I get spam calls all the time and whenever they call me they sound like they are coming from India. It seems very strange that somebody from there would contact me, so I usually just congratulate them on 75 years of freedom from the British Empire and hang up the phone call.
  • Reply 9 of 15
    ClassicGeek Posts: 24, unconfirmed member
    As I work for Apple let me point out one small thing. There are a very few legitimate times you need to provide an AppleCare advisor a code sent via SMS or gotten from logging into appleid.apple.com, but the key to knowing it is safe is that you have called Apple Support for help, or via the website or support app asked Apple to call you.

    Please share https://support.apple.com/en-us/HT204759 with your circle to educate all. 
  • Reply 10 of 15
    sflocal Posts: 6,007, member
    It's inexcusable in today's world where some scammer can spoof a number.  It should be made impossible to spoof numbers.  Period.  If it's coming from some VOIP network, it should be identified as such.  I'd like to think there is a profit-motive involved as to why the telcos aren't doing more, but I think it's just sheer laziness and the only way it will get fixed is for the government to drop the hammer on their heads with major fines if they don't clean up their acts.

    That being said, I get scam calls all the time and for what it's worth, in his position I would have just had fun with the scammer and given out bogus 2FA codes.

    I'm curious if the Apple-impersonator had that familiar accent that is usually common with scam calls.  Those are usually a huge red-flag for me the moment they open their mouth.
  • Reply 11 of 15
    It would be nice to have a built-in spam phone number list. The apps that I've found in the AppStore are unreliable at best.
  • Reply 12 of 15
    macgui Posts: 2,242, member
    As @Davidw says, this guy’s story has holes in it. 
    That's not what Davidw said. He said it's not a phishing scam. He didn't say if it was a hoax, YT stunt, or a very sophisticated attack. But it's clear this wasn't a typical phishing scam. Maybe David could elaborate.

    sflocal said:
    It's inexcusable in today's world where some scammer can spoof a number.  It should be made impossible to spoof numbers.  Period.  If it's coming from some VOIP network, it should be identified as such.  I'd like to think there is a profit-motive involved as to why the telcos aren't doing more, but I think it's just sheer laziness and the only way it will get fixed is for the government to drop the hammer on their heads with major fines if they don't clean up their acts.
    I don't think it's a matter of laziness at all. I think it is a matter of profit, in the cost of man-hours needed to fix the problem, and that affects profit. I don't know that it's just a matter of whipping up a few lines of code and Bob's your uncle.

    If that were the case, imspampossible calls would be a huge marketing bullet for a telco. Sign up with us and never get a spoofed call again. A secondary effect might even spur the less savvy to learn a bit about spam calls. Or not. 

    But if the Government doesn't require it, it won't happen. And they won't require it. That's sheer laziness, and/or a powerful TelCo lobby. Look at the "teeth" in the Do Not Call register and how effective that's been. The department from which I retired still gets spam from their networked copier.

    killroy said:
    I used to get Robocalls like that but they now seem to have thinned out. Probably no phone numbers to spoof.
    I still get a lot of Robo and human spam calls on my landline and they've been steadily increasing on my cellphone as well. Business must be good.

    Leifur said:
    It would be nice to have a built-in spam phone number list. The apps that I've found in the AppStore are unreliable at best.
    That's not even a stop gap. With the ability to spoof numbers, any list would be out of date in a matter of minutes. Out of all my cellphone spam calls, maybe 1 in 12 is flagged as Spam Risk. Maybe fewer than that. 

    Eliminating spoofing and telcos dumping spoofed calls before we ever see them is about the only significant step that will stem the flow. Even then vigorous law enforcement, when that's even possible, will still be needed.
  • Reply 13 of 15
    macgui said:
    As @Davidw says, this guy’s story has holes in it. 
    That's not what Davidw said. He said it's not a phishing scam. He didn't say if it was a hoax, YT stunt, or a very sophisticated attack. But it's clear this wasn't a typical phishing scam. Maybe David could elaborate.
    Yes, the holes were in the description of some of the sequences of events. e.g. if you've just changed your password, you can't get 2FA requests.

    The issue with spoofing is intrinsic in the insecure SS7 signalling protocol — developed when there were just a few trusted global telcos; these days it's a free-for-all.
  • Reply 14 of 15
    sflocal said:
    That being said, I get scam calls all the time and for what its worth, in his position I would have just had fun with the scammer and give out bogus 2FA codes.
    "Yes, my code is I-D-1-0-T... oh, they don't normally have letters in them? Huh."
  • Reply 15 of 15
    davidw Posts: 1,686, member
    macgui said:
    As @Davidw says, this guy’s story has holes in it. 
    That's not what Davidw said. He said it's not a phishing scam. He didn't say if it was a hoax, YT stunt, or a very sophisticated attack. But it's clear this wasn't a typical phishing scam. Maybe David could elaborate.
    Yes, the holes were in the description of some of the sequences of events. e.g. if you've just changed your password, you can't get 2FA requests.

    The issue with spoofing is intrinsic in the insecure SS7 signalling protocol — developed when there were just a few trusted global telcos; these days it's a free-for-all.

    I think the problem is that the person claiming to be part of a "phishing" attempt is just doing a very poor job of describing what actually happened during the scam attempt, for a "tech personality".

    There are two main scams involving Apple ID and receiving verification codes for a password reset.

    The first one is with email. The scammer uses an email address as an Apple ID, goes to the Apple "forgot password" website and requests a reset. Apple will send a real verification code to the phone number listed for that account. The scammers do not have access to this phone number. But they will follow up with an official-looking email from Apple to the account holder about attempts to reset their password, saying they must immediately change their password. And there's a link to an official-looking Apple site where one can enter their log-in name, original password and new password. The fact that Apple sent a real message with a verification code for a password reset to the account holder's phone makes the email seem more real.

    The second involves a phone. A scammer will send text messages with fake (but official-looking, as if from Apple) verification codes for a password reset to anyone and everyone. Then they will follow up with a phone call spoofing Apple Support. The scammers have no idea whether the people receiving the fake text messages even have an Apple ID. But they are hoping that those that do might mistake the fake text messages for real ones from Apple and think they are actually receiving a call from Apple Support. Then "Apple Support" will suggest that they change their password immediately and help walk them through the steps. Along the way, they get hold of the account login name, password and the verification code sent to their phones to change the password. Once the scammer changes the password, the account holder is helpless long enough for the scammer to drain any accounts tied to that Apple ID.

    None of these involve the scammers knowing beforehand the passwords or verified phone numbers to any of the Apple ID accounts. The phone scam doesn't even have to know the login name for an Apple ID account.

    What I think happened is that this "tech personality" in the article received text messages with fake verification codes for a password reset. But he thought they were real 2FA codes from Apple pertaining to attempts to log in to his account on an unknown device (in which case someone unknown to him must know his account login and password). And if the caller (scammer) asked him to read out the verification code on the phone (which finally raised the red flag for him), he must have fallen for the Apple Support spoof long enough to help the scammer go through the password reset process for him, to the point of Apple sending a real verification code to his phone. Otherwise he would not have known about the part where the scammer would need him to read out the new verification code Apple sent to his phone. The earlier fake ones are useless to the scammers.
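The login and password-reset behaviour that davidw describes in Reply 6 and Reply 15 (a code is only issued after the correct password has been presented, it belongs to one login attempt, and changing the password leaves any outstanding code useless) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Apple's code and not a description of how Apple's servers actually work; the code lifetime, the PBKDF2 round count, the attempt identifiers, the `jons-iphone` and `attacker-laptop` device names and the account details are all constructed for the example.

```python
"""Toy model of a password-gated one-time-code login (constructed example, not Apple's code).

Properties being modelled:
  * no code is issued unless the correct password was presented first;
  * a code is bound to one login attempt from one device, and it expires;
  * changing the password invalidates every code still outstanding.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

OTP_TTL_SECONDS = 300        # assumed code lifetime; not Apple's real value
PBKDF2_ROUNDS = 100_000      # assumed work factor for the toy password store


@dataclass
class PendingAttempt:
    code: str            # what would be pushed to the trusted device
    device: str          # the untrusted device that started the attempt
    expires_at: float
    password_gen: int    # which password this attempt was authorised under


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    trusted_devices: set = field(default_factory=set)
    password_gen: int = 0
    pending: dict = field(default_factory=dict)   # attempt_id -> PendingAttempt


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_account(username, password, trusted_device):
    salt = secrets.token_bytes(16)
    return Account(username, salt, _hash(password, salt), {trusted_device})


def check_password(acct, password):
    return hmac.compare_digest(_hash(password, acct.salt), acct.password_hash)


def start_login(acct, password, device, now=None):
    """Return ("denied",), ("ok",) for a trusted device, or ("code_sent", attempt_id)."""
    now = time.time() if now is None else now
    if not check_password(acct, password):
        return ("denied",)                # wrong password: nothing is sent anywhere
    if device in acct.trusted_devices:
        return ("ok",)
    attempt_id = secrets.token_hex(8)
    code = f"{secrets.randbelow(1_000_000):06d}"
    acct.pending[attempt_id] = PendingAttempt(
        code, device, now + OTP_TTL_SECONDS, acct.password_gen)
    return ("code_sent", attempt_id)


def finish_login(acct, attempt_id, code, device, now=None):
    """Second factor: the code is single-use, device-bound, expiring and password-bound."""
    now = time.time() if now is None else now
    attempt = acct.pending.pop(attempt_id, None)   # consumed on first use, right or wrong
    if attempt is None or now > attempt.expires_at:
        return False
    if attempt.password_gen != acct.password_gen:
        return False                      # password changed after the code was issued
    if device != attempt.device:
        return False                      # code cannot be redeemed from another device
    return hmac.compare_digest(code, attempt.code)


def change_password(acct, old_password, new_password):
    if not check_password(acct, old_password):
        return False
    acct.salt = secrets.token_bytes(16)
    acct.password_hash = _hash(new_password, acct.salt)
    acct.password_gen += 1
    acct.pending.clear()                  # every outstanding code is now worthless
    return True


if __name__ == "__main__":
    acct = create_account("jon", "correct horse battery", "jons-iphone")
    status, attempt_id = start_login(acct, "correct horse battery", "attacker-laptop", now=0.0)
    pushed_code = acct.pending[attempt_id].code   # what the owner's phone would display
    change_password(acct, "correct horse battery", "staple")
    print("code still redeemable after password change:",
          finish_login(acct, attempt_id, pushed_code, "attacker-laptop", now=10.0))  # False
```

The two lines that matter for a defender are the `password_gen` comparison in `finish_login` and the `pending.clear()` in `change_password`: once the legitimate owner changes the password, a code that was pushed to their phone a minute earlier can no longer complete the other party's login, which is the behaviour davidw reasons about. Note what the model does not protect against: a code that is still within its lifetime and still tied to the current password is exactly what a caller posing as support needs the victim to read out, so the "never read a code to anybody" rule stands regardless of how the server binds the code.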