If you're an Apple user and I spoof your phone number in a call to the legitimate Apple Customer Support line (800-275-2273), I can force Apple to send you a system level "Apple Account Confirmation" prompt to all of your signed-in devices.

BrianKrebs

This approach is commonly used by a prolific voice phishing group to convince targets they really are in a support call with an Apple representative.

Today's deep dive into this weird world was made possible in part by a series of live phishing videos, tutorials and other secrets shared by an insider that show in unprecedented detail how these voice phishing scams can be so convincing.

Please share this story widely, because I learned a ton reporting this and frankly the various methods used by these groups to dox and target people are really slick.

From the story: "Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. However, new details about the internal operations of a prolific voice phishing gang show the group routinely abuses legitimate services at Apple and Google to force a variety of outbound communications to their users, including emails, automated phone calls and system-level messages sent to all signed-in devices."

A Day in the Life of a Prolific Voice Phishing Crew – Krebs on Security

(krebsonsecurity.com)

gh0sti :pika:

@briankrebs how does this affect users who have advanced protection on for their iCloud accounts?

Joe Turner

@briankrebs Your website link doesn;t open - 403 it says

BrianKrebs

@joeturner how are you trying to access the site? Google Shield hasn't been terribly friendly to visitors from Tor recently, according to reports from other readers. But I don't have any control over that.

Joe Turner

@briankrebs I'm on ProtonVPN (Wireguard) on macOS and Firefox.

For some reason, it opens in a clean all borwser history/data deleted Safari.

Joe Turner

@briankrebs Your website has always opened before - today was surprising to me so thought I'd let you know.

Doesn't open in Brave either, FYI.

BrianKrebs

A lot people stop reading these stories when they realize that most of the targets are cryptocurrency holders. But the truth is these voice phishing techniques would be even more successful on lower-stakes, run-of-the-mill user accounts. It just so happens that phishing crypto users is way more lucrative.

jinx

@gh0sti @briankrebs They don’t have access to any iCloud e2e data unless they phish the iPhone passcode as well

BrianKrebs

@jinx @gh0sti watch the video. they got into his account just fine with his user/pass and the one-time code he provided at the fake apple website.

BrianKrebs

@joeturner I am shocked, shocked, that an ad company doesn't like VPNs. /s Will investigate. Thanks.

kurtseifried (he/him)

@briankrebs do they at least rate limit it, eg once in a while? One a day? One an hour?

hyperific

@briankrebs

One can imagine how much worse this could get if Meta gets the access to Apple data they are seeking.

Meta seeking unfettered access to iPhone user data via EU DMA interoperability requests

On its face, the EU DMA is meant to stop monopolies from abusing their market position, but Meta appears to be abusing this legislation in an attempt to gather unprecedented access to iPhone user data.

AppleInsider (appleinsider.com)

Alida Antonia

@briankrebs I’ve opted out of every possible search service that I can, including the white pages. The only calls I get are from Florida asking me if I want to sell my house.
I don’t live in Florida and I don’t own a house there.
But, this is disturbing.

Scott :clippy:

@briankrebs was showing this to my wife and she said this happened to a friend of hers who definitely has nothing to do with crypto

BrianKrebs

@scotts Is she famous or semi-famous for some reason? it seems like some of these voice phishing groups go after celebrities, in addition to bitcoin.

Scott :clippy:

@briankrebs no i believe she’s the school teacher friend