Spammers have stolen US citizens' iCloud logins to spam wealthy Chinese consumers with messages about counterfeit luxury goods, according to an IT security firm.
Adaptive Mobile discovered the trend in recent months, spotting iMessage and SMS spam sent from North American phone numbers to recipients in China, pointing them to inexpensive Prada and Coach Handbags as well as other goods.
Security analyst Cary Anderson said that the vast majority of these spam messages have been sent using various models of iPhone, and in particular, by hackers using stolen iCloud account credentials to exploit the ability to send iMessages and SMS between different countries.
“This spam campaign has been ongoing for several months, but in many cases does not match the standard method of sending SMS abuse in that it is persistent, widely distributed, and the senders are, as far as we could determine, predominately iPhone users that did not exhibit prior spamming behaviour,” Adaptive Mobile said in a blog post.
Hackers carry out the attack by obtaining compromised iCloud account credentials from various sources, the firm said. The hackers then use the stolen credentials to sign onto an Apple device of their own.
The person whose iCloud account it is will receive a notification on their iPhone that a new device has been paired, but the notification itself does not have an option to stop access. The hacker then sends spam messages to recipients in China using iMessage.
iMessages that don't reach their destination are downgraded to SMS and sent again to the target in China.
Anderson said the sender is likely to be hit with sizable bills for any large scale number of SMS messages that are being sent to China.
Anderson said the solution to this problem is via customer education and improvement on iCloud security.
“In the end, defeating these scammers will take a community effort – not just from Apple, but also from telecom operators and consumers,” said Anderson.
“Operators can protect their customers from unusual spikes in international traffic, Apple can and do[es] recommend using strong passwords and Two-Factor-Authentication on [its] accounts, and consumers should learn about and own their own personal security, paying particular attention to login alerts from new devices.”
The firm recommended that Apple should look at ways to further secure iCloud accounts, saying that one potential way would be to ensure that new paired devices are vetted.
