Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

paulcons

macrumors 6502
Original poster
Apr 3, 2017
250
147
New York City
Got this e-mail today (yes I reported it to Apple). Generally when I see "myregisteredsite.com" in the headers, it is some form of scam. I always look at the headers when I get suspicious mail, this one was one example (using an image of the opened mail headers with my address/domain redacted). Best I can tell from this, it came fom inside Apple... can they REALLY now spoof this stuff? I find this really scary...

apple.phish.jpg
 
Got this e-mail today (yes I reported it to Apple). Generally when I see "myregisteredsite.com" in the headers, it is some form of scam. I always look at the headers when I get suspicious mail, this one was one example (using an image of the opened mail headers with my address/domain redacted). Best I can tell from this, it came fom inside Apple... can they REALLY now spoof this stuff? I find this really scary...

View attachment 753016
It definitely did not come from Apple. The X-authenticated-sender headers make that clear, as do the sending mail servers.
 
Yeah, they do make some pretty good attempts. My wife got an email that claimed that her Apple ID had been used to sign in to a new machine, when she did no such thing. It looked pretty convincing, but closer inspection revealed it to be fake. I happened to have just signed on to a new Mac that day, and we were able to compare the two emails. For reference, Apple does not appear to put any hyperlinks in their emails, but rather they tell you how to get to the proper page when going through their website.
 
Got this e-mail today (yes I reported it to Apple). Generally when I see "myregisteredsite.com" in the headers, it is some form of scam. I always look at the headers when I get suspicious mail, this one was one example (using an image of the opened mail headers with my address/domain redacted). Best I can tell from this, it came fom inside Apple... can they REALLY now spoof this stuff? I find this really scary...

View attachment 753016

It's always been trivial to spoof the From address. In many cases all you have to do is change your email address in your mail app.
 
Normally I can look at the sending e-mail address and quickly tell it's not legit... except in this case, that originating address ended in "@apple.com" something I have never seen before in a phish attempt (see image). Never seen a legit domain appear in so many places in full headers either. Yeah, I knew it wasn't legit, think I kinda made the topic a bit sensational to catch more folks into reading it. It is true I haven't caught a phish in a few years now, clearly they are getting a lot more sophisticated.

Screen Shot 2018-03-02 at 6.16.42 PM.jpg
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.