Have I been 'phished'?

Hello community!


I received this email:


Dеar customеr,

Your Аpplе ID was usеd to opеn an iCloud sеssion from an unauthorizеd dеvicе and is now automatically blockеd.

Wе'vе addеd a dеvicе vеrification procеss to еnsurе your account stays safе. That's why wе ask you to authеnticatе yoursеlf еvеry timе you want to log in from an unrеcognizеd dеvicе.

Somе sеrvicеs arе tеmporarily disablеd until your dеtails havе bееn vеrifiеd.

Click HERE to vеrify your informаtion.

Plеаsе notе thаt this is аn аutomаticаlly gеnеrаtеd еmаil from Аpplе Support. You cаnnot rеspond to this by е-mаil.

Аpplе Support



The email was in my Junk folder. I checked the sender and it was support@icloud.com. I thought the mailbox incorrectly classified it as junk, so I moved the email to the Inbox. I then clicked on the link that was provided which redirected me to https://www.icloud.com. But the link itself is this:


"http://www.icloud.id.vhk.nsac.pw/click?" followed by a huge alphanumeric string of numbers and alphabets, with my iCloud email address somewhere in between (I have removed the long string for privacy).


I noticed it is an unsecure link (there is no 's' after http), but unfortunately only after I logged in with my password.


I didn't receive any 2FA prompt on my devices when the login attempt was recorded.


  1. Is this a genuine email from Apple?
  2. If yes, why was it in my junk folder?
  3. Is the unsecure link above actually from Apple?
  4. I don't see any device other than my phone and laptop that are currently logged in to my account.
  5. How do I see the login history?
  6. What do I need to do apart from changing my password?


Thanks.



MacBook Pro (2017 – 2020)

Posted on Jan 12, 2024 9:19 PM


Jan 13, 2024 1:52 AM in response to Sridhar Ananthanarayanan

I want to be clear: You were not phished, you are going to be phished now if you click on this email.

To reply to your questions:


1) NO, it's a scam

2) as above

3) Apple wouldn't send you a link without "s", nor from a domain .icloud . id . vhk . nsac . pw

4) no one logged in yet, unless you click on the link and enter your user/psw

5) not from that link

6) first of all, move back that email into the SPAM folder. Then if you change your PSW it would be a wise action


NOTE: I am not apple. I am just a user like you. FYI

Jan 13, 2024 4:09 AM in response to Sridhar Ananthanarayanan

@DL8888

@stedman1


Yes, I have confirmed it is indeed a scam. And it is interesting.


Check out the sender's address:


If I copy this address (support@icloud.com) using the Copy Address option and paste in a browser address bar, I get icioud.com (Left tab):




But if I type support@icloud.com, then I get icloud.com (Right tab):




The sender pulled a good one on me.


My question now:


When I clicked on the link that was sent to me, it indeed redirects me to the correct icloud.com website (you can test it out by clicking that link in OP).


  1. What was the sender trying to do here?
  2. What did he get from me?


As far as I understood, the password I keyed in was in the actual Apple website only, which I guess isn't hacked. So I hope my password wasn't stolen either.


More importantly, it asks for my Mac password, and NOT my iCloud password. What can anyone do with it as long as my Mac is with me?
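As an added illustration (not part of the thread or any poster's code), the checks the posts above apply by eye can be scripted: where the link really points, whether the sender domain only looks like icloud.com, and whether the message body mixes alphabets. The brand list, the look-alike map, the capital-I spelling of the sender domain and the Cyrillic sample string are assumptions constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: the domains the recipient expects Apple mail and links to use.
BRAND_DOMAINS = {"icloud.com", "apple.com"}
# Small constructed map of characters that are commonly misread as another.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o"})

def registrable(host):
    """Naive registrable domain: the last two labels. Production code
    should consult the Public Suffix List (for suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(url):
    """Return (registrable domain, findings) for a link taken from an email."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lowercases the hostname
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    reg = registrable(host)
    brands = {d.split(".")[0] for d in BRAND_DOMAINS}
    # A brand name used as a subdomain label of an unrelated domain.
    if reg not in BRAND_DOMAINS and brands & set(host.split(".")):
        findings.append("brand-in-subdomain")
    return reg, findings

def check_sender(address):
    """Compare the domain as it resolves with the domain as it reads on screen."""
    domain = address.rsplit("@", 1)[-1]
    real = domain.lower()                         # what DNS sees
    looks = domain.translate(CONFUSABLE).lower()  # what the eye tends to read
    if real in BRAND_DOMAINS:
        return real, "match"
    return real, "lookalike" if looks in BRAND_DOMAINS else "other"

def mixed_script_words(text):
    """Words whose letters come from more than one alphabet (e.g. Latin + Cyrillic)."""
    hits = []
    for word in text.split():
        scripts = {unicodedata.name(c, "?").split()[0] for c in word if c.isalpha()}
        if len(scripts) > 1:
            hits.append(word)
    return hits

if __name__ == "__main__":
    print(check_link("http://www.icloud.id.vhk.nsac.pw/click?"))
    print(check_sender("support@icIoud.com"))   # constructed: capital I for l
    print(mixed_script_words("D\u0435ar custom\u0435r, your ID"))  # constructed
```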

Jan 13, 2024 5:45 AM in response to DL8888

DL8888 wrote:

It's called Email Spoofing when you receive an email from a certain address but it's actually sent from someone else trying to impersonate a third person.

I don't mean switching "i" into "I" (capital letter) pretending to be "L".
With Email Spoofing they send an email that looks 100% from the address spoofed.

I don't think that's what has happened in this case. I forwarded this email to my Gmail account, and see how the sender shows up:



While I agree on the spoofing possibility, it was something else in this case. They only fooled Apple Mail (only in some sense, because Apple Mail had actually put it in the Junk folder, which is a good thing), but couldn't fool Google.


And here is the most interesting part:


This email was sent to an 'alias' that I have not used anywhere!


How did they get my email ID?

Jan 13, 2024 4:35 AM in response to Sridhar Ananthanarayanan

It's called Email Spoofing when you receive an email from a certain address but it's actually sent from someone else trying to impersonate a third person.


I don't mean switching "i" into "I" (capital letter) pretending to be "L".

With Email Spoofing they send an email that looks 100% from the address spoofed.


It works also with phone numbers.

You receive a phone call from +x xxx xxxxxxx but actually that phone number never called you.

They just impersonated that user.

Technology is improving and providers tend to block these kinds of functions but they are still out there.


In your email you mentioned there was a sentence saying:

"Click HERE to vеrify your informаtion."

and that HERE was a link to a ....id.vhk.nsac... website.

Clicking on that website (which I don't recommend, especially if you use Chrome) you will probably find a place to enter any sort of private data (mail, psw or other sensitive data).


That's it


