Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Apple Compromised?

paulcons

paulcons

macrumors 6502
Original poster
Apr 3, 2017
250
147
New York City
Got this e-mail today (yes I reported it to Apple). Generally when I see "myregisteredsite.com" in the headers, it is some form of scam. I always look at the headers when I get suspicious mail, this one was one example (using an image of the opened mail headers with my address/domain redacted). Best I can tell from this, it came fom inside Apple... can they REALLY now spoof this stuff? I find this really scary...

apple.phish.jpg
 
chrfr

chrfr

macrumors G5
Jul 11, 2009
13,729
7,306
paulcons said:
Got this e-mail today (yes I reported it to Apple). Generally when I see "myregisteredsite.com" in the headers, it is some form of scam. I always look at the headers when I get suspicious mail, this one was one example (using an image of the opened mail headers with my address/domain redacted). Best I can tell from this, it came fom inside Apple... can they REALLY now spoof this stuff? I find this really scary...

View attachment 753016
Click to expand...
It definitely did not come from Apple. The X-authenticated-sender headers make that clear, as do the sending mail servers.
 
Darmok N Jalad

Darmok N Jalad

macrumors 603
Sep 26, 2017
5,432
48,464
Tanagra (not really)
Yeah, they do make some pretty good attempts. My wife got an email that claimed that her Apple ID had been used to sign in to a new machine, when she did no such thing. It looked pretty convincing, but closer inspection revealed it to be fake. I happened to have just signed on to a new Mac that day, and we were able to compare the two emails. For reference, Apple does not appear to put any hyperlinks in their emails, but rather they tell you how to get to the proper page when going through their website.
 
mw360

mw360

macrumors 68020
Aug 15, 2010
2,070
2,477
paulcons said:
Got this e-mail today (yes I reported it to Apple). Generally when I see "myregisteredsite.com" in the headers, it is some form of scam. I always look at the headers when I get suspicious mail, this one was one example (using an image of the opened mail headers with my address/domain redacted). Best I can tell from this, it came fom inside Apple... can they REALLY now spoof this stuff? I find this really scary...

View attachment 753016
Click to expand...

It's always been trivial to spoof the From address. In many cases all you have to do is change your email address in your mail app.
 
paulcons

paulcons

macrumors 6502
Original poster
Apr 3, 2017
250
147
New York City
Normally I can look at the sending e-mail address and quickly tell it's not legit... except in this case, that originating address ended in "@apple.com" something I have never seen before in a phish attempt (see image). Never seen a legit domain appear in so many places in full headers either. Yeah, I knew it wasn't legit, think I kinda made the topic a bit sensational to catch more folks into reading it. It is true I haven't caught a phish in a few years now, clearly they are getting a lot more sophisticated.

Screen Shot 2018-03-02 at 6.16.42 PM.jpg
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom