Users of iDisk – Apple’s paid online file-hosting service bundled up in the MobileMe package – are being targeted by phishers, warns Symantec.
Its researchers have recently discovered a string of phishing pages mimicking the iDisk login page. Once the victim enters his login credentials, the page redirects him to a legitimate Apple MobileMe error page saying that the password is not valid.
In the meantime, the phishers have harvested the credentials and can now access the paid accounts for free and store their own data in them.
The phishing links were delivered to potential victims via bogus emails. To make the emails more believable, the phishers used the name portion of each victim’s email address in the phishing URL and as the user ID with which they addressed the victim.
“For example, in firstname.lastname@example.org, phishers are considering ‘user001’ as the user ID. The email addresses, on the other hand, are those that have been previously harvested by spammers,” explains the researcher. “Although the user IDs retrieved in this manner may not necessarily represent an actual MobileMe user ID, phishers are simply trying their luck by targeting a large number of users.”
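The personalisation described above also gives mail filters something to match on: a link that embeds the recipient's own local part yet points at a host outside the service's known domains. The following is an added example, not code from Symantec or from this article; the trusted host, the function names and the sample message are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: hosts the mail filter treats as genuine for the service.
# Placeholder value; the article does not list any domains.
TRUSTED_HOSTS = {"login.trusted.example"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def local_part(address):
    """Return the part of an email address before the final '@', lowercased."""
    return address.rsplit("@", 1)[0].lower()


def personalised_links(recipient, body, trusted=TRUSTED_HOSTS):
    """Return URLs in body that embed the recipient's local part and
    point at a host that is not in the trusted set."""
    token = local_part(recipient)
    if len(token) < 4:  # very short local parts match by chance too often
        return []
    hits = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")  # drop sentence punctuation glued to the link
        try:
            parts = urlsplit(url)
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            continue
        host = (parts.hostname or "").lower()
        if host in trusted:
            continue
        # Decode percent-encoding so an encoded local part is still found.
        rest = unquote(f"{host}{parts.path}?{parts.query}#{parts.fragment}")
        if token in rest.lower():
            hits.append(url)
    return hits


# Constructed sample message; all hosts are placeholders.
SAMPLE_BODY = """Dear user001,
Your storage account needs verification: http://files.phish.example/user001/login
Help: https://login.trusted.example/help?u=user001
Newsletter: http://news.other.example/weekly.
"""

if __name__ == "__main__":
    for link in personalised_links("user001@mail.example", SAMPLE_BODY):
        print("suspicious:", link)
```

A hit is a signal to score or quarantine, not proof of phishing, since legitimate senders also put recipient identifiers in unsubscribe and tracking links.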