Mobile users actively spammed from compromised iCloud accounts

Spammers have been compromising North American Apple users’ iCloud accounts, and using them to send spammy text messages to mobile users in China.

Mobile users actively spammed from compromised iCloud accounts

The messages advertise counterfeit Prada and Coach handbags – nothing exceptional here – but the spam campaign is definitely unusual.

“This spam campaign has been on-going for several months, but in many cases does not match the standard method of sending SMS abuse in that it is persistent, widely distributed, and the senders are, as far as we could determine, predominately iPhone users that did not exhibit prior spamming behaviour,” researchers from AdaptiveMobile have noted. “The timing of when the messages were sent was erratic, but the recurrent nature of the pattern triggered our deeper investigation.”

The spammers are definitely trying to keep a low profile, but some of the users whose accounts have been compromised are likely to notice that something’s wrong as they get responses in Chinese, and their phone bill increases.

The spammers are using the “Send as SMS” service to send out the messages.

“The Send as SMS is a fall-back method in case the iMessages can’t be delivered through a data link. After a certain timeout period of unsuccessful attempts, the messages are converted into text messages and sent from an iPhone with this option enabled that is associated with the same account,” the researchers explained. Naturally, the victims’ mobile carriers will bill them for these text messages.

The researchers believe that the spammers are managing to compromise iCloud accounts by testing out leaked credentials from breaches or by setting up phishing campaigns. Once they enter the account, they pair a new device to it, and they are ready to send out their spam.

The iCloud account’s true owner will receive a notification on their device that another device or computer is using their Apple ID and phone number, but some obviously ignore it. In fact, the researchers have identified at least 3,200 who didn’t, and whose iPhones have been used to send over 280,000 spammy SMS messages in two months.

The right reaction to this kind of message would be to sign in into your iCloud account, change your password, and sign out any device linked to the account that you don’t recognize. It’s also a good idea to enable two-factor authentication as an added account protection layer.

Even though the scammers have a predilection for compromising Northern American users because their mobile phone numbers look very similar to those in China, they don’t limit themselves to them.

“There is strong evidence to suggest that other geographies have been infected as well as users in other parts of the world have also reported this,” the researchers noted.

This video shows how the spamming is perpetrated – the attacker uses a Mac to send the spam, the first phone simulates the receiver of the spam, and the second on the iPhone of the users whose iCloud account has been hacked.