this week has detected a new phishing campaign targeting iPhone owners with a
range of scams aiming to defraud unsuspecting victims.
first. If you receive the email pictured below, steer clear! If it lands in your spam folder, don't open it. If it lands in your inbox, don't click on any link inside, and that
includes the Unsubscribe button at the bottom. Mark it as junk and move along.
It’s your typical phishing scam, preying on the unsuspecting (likely elderly)
Now, you may
still be curious what’s behind it. Well, it’s our job to investigate spam
emails and the devious phishing scams they promote. In other words, we’ve done the
hard work, so you don’t have to find out the hard way.
take a look at the immediate signs that it’s a scam.
Suspicious email sender – The name of the email sender is Nerve Renew, yet the email address is email@example.com. The discrepancy alone should raise an eyebrow. In any case, the information in the “From” header is easily forgeable, so the address could have been anything else and still work as intended.
Invalid recipients – A telltale sign that this scam went out to countless other email addresses, harvested by hackers in various data breaches and subsequently sold to spammers for use in spam, phishing and fraud campaigns. On the desktop version of iCloud, the recipient line reads “undisclosed recipients.” On iOS, the recipient appears as [an10]@icloud.com, which means the spammers were either careless and used one or more invalid addresses, or their mail-merge script broke. Either way, the signs are there that something is not quite right.
Email body is a picture – The entire body is a single image, so there is no text to copy and paste elsewhere, and a spam filter has little to inspect. The sender wants to
keep us inside the email body, clicking the malicious links behind the image.
Renewal – If you haven’t subscribed to anything even remotely dealing with
“Neuropathy,” you have no reason to believe this email was meant for you
personally, let alone that you’re supposed to renew anything.
Miraculous “solution” – The miraculous solution is one of the most common baits in phishing
scams. Never fall for it!
Shortened URL – Analyzing the email on a desktop computer reveals another clue. Hovering the mouse pointer over the ad reveals the link behind it, and it’s a shortened URL – another sign pointing to a shady sender, since the shortener hides the real destination. The scam itself only unfolds when you open the link on an iPhone, and inspecting the link on iOS is harder. You have to long-press the ad, choose “Copy Link,” and paste it elsewhere (the Notes app, say) to see it. However, as we do this, the iOS Mail app starts loading the link in a background preview window, essentially allowing the scam to unfold anyway. So, don’t do this! Remember, we’re doing all this so you don’t have to.
These are just some immediate clues
that point to this being a typical phishing email. Now, let’s see what’s behind
this miraculous neuropathy cure it seems to advertise.
Dating app scam
Clicking on the ad inside the email body takes us through a seemingly endless chain of redirects until we finally land on what appears to be a dating app. Right off the bat, we notice we have left the realm of neuropathy.
The scammers meticulously localized their dating app to display the messages in the recipient’s language, in our case, Romanian. Although Anna’s Romanian isn’t flawless, she could pass for a native. And she seems suspiciously interested in getting together even though she knows nothing about us.
Following through with Anna’s alluring
invitation to chat yields a premium-rate phone call. If we were to fall into
the trap and call Anna, we’d likely get charged a fair amount. Steer clear!
It’s a trap! The girl in the picture is not Anna. Rather, it’s a chatbot. And
the photo was likely harvested randomly from social media.
Slot machine scam
After kindly declining Anna’s
tantalizing offer, we went back to the original email to see if it yielded the
same scam over and over. Not surprisingly, it didn’t. Preying on the diversity
of people’s tastes and guilty pleasures, the scam this time greeted us with a
The game is decently executed but immediately
gives itself away as trickery. It tries to send us off to a place where they’ll
harvest our data for potentially fraudulent activities.
This time, the Safari browser itself came to the rescue. Good job, Apple!
“Free” VPN app
Reloading the scam a third time
yields yet another interesting racket. This time we are greeted by another
language-localized swindle trying to scare us into believing we’ve been
infected with a virus. In fact, the page claims even our phone’s battery
somehow got the flu. This is, in fact, a big fat lie.
The security prompt lookalike is
enough to trick an unsuspecting user into believing this warning comes from the
iPhone’s built-in security mechanisms. However, we’re actually looking at a
rigged website inviting us to download a so-called solution to our problem.
A rough English translation of the
message goes like this:
“Multiple viruses have been detected
on your iPhone and your battery has been infected and deteriorated. If you
don’t eliminate this piece of malware now, your phone stands to incur
It then tells us the only way to fix
the problem is to download the app. How convenient! Here’s where it gets interesting.
If we naively follow through, we are taken not to a typical scam like the ones
above, but to a legitimate app in the official Apple App Store. That’s right:
an app supposedly reviewed and approved by Apple’s stringent reviewers. Tsk tsk…!
Here, we encounter a plethora of further
signs that we’re being ripped off.
While ColibriVPN seems like an
innocent virtual private network app, it’s actually a rather shady piece of
software. Upon starting, it immediately greets us with a prompt to start a free
trial that gets automatically renewed after three days, and it’s easy to make
expensive in-app purchases by mistake.
Taking a quick stroll over to the
ColibriVPN App Store page reveals that Dares LLC, the seller of the app, has
only this one app on sale. The in-app purchases are exorbitant – $61.99 for six
months of full service – and the reviews are mostly fake. Here are a couple of
With a keener pair of eyes, we can
spot a couple of negative reviews too.
Navigating over to the developer’s official page yields what looks like a dummy website with no working buttons — another clue that things are likely just set up to look legit. We can’t say for sure if Dares LLC or colibrivpn.com are in any way affiliated with the scammers. Maybe they just paid for a shady advertising avenue without knowing their “business model.” Maybe their web developer dozed off on his keyboard. We’ll give ColibriVPN the benefit of the doubt. But it has enough kinks to earn it a second look from Apple’s reviewers.
The “Unsubscribe” button
Remember the Unsubscribe button we
told you to also avoid? Turns out, the unsubscribe button takes us to a page that
asks us to enter our email address.
Ask yourself this: if the sender had
your email address to begin with, why are they asking for it again? The answer
is simple. Spam and phishing campaigns use spray-and-pray techniques, which
means the scam gets sent to millions of email addresses, including some that
are inactive. The “unsubscribe” page is most likely there to confirm that
your address is live, so they can refresh their list and mark you as
ripe for upcoming scams. So don’t follow through with the Unsubscribe feature.
Stay safe out there!
Hopefully you’ve armed yourself with enough
knowledge to help you steer clear not just of this phishing campaign, but others
like it. To be completely on the safe side, we recommend using Bitdefender Mobile Security for iOS.
The Web Protection feature, which
we’ve just added, blocks any dishonest pages targeting your personal
information such as your credit card details or Social Security number. With
the Account Privacy feature, you can find out whether your email account has
been leaked, or if your account is still private. Bitdefender will run a check
to discover if your privacy has been breached and let you know if it’s time to change
passwords. Oh, and if you are indeed interested in a powerful VPN for your
iDevice, Bitdefender Mobile Security has that built-in as well.
That’s it from us. As always,
until next time, stay safe!
Note: Many thanks to Adrian Miron, Manager,
Content Filtering Lab (Antispam), Bitdefender, who provided the technical
information for this article.