Apple account change alerts abused to send phishing emails

Threat actors are abusing Apple account-change notifications by embedding phishing text into Apple ID profile fields so fraudulent iPhone purchase alerts are sent from Apple’s own mail infrastructure and pass SPF, DKIM, and DMARC checks. Recipients are urged to call scammer phone numbers to cancel purchases, a callback tactic that can lead to remote-access installs, stolen funds, or data exfiltration.

Key points

  • Attackers create Apple IDs and insert phishing messages into the first and last name profile fields.
  • Apple profile-change notifications include user-supplied name fields, embedding the phishing lure in legitimate emails.
  • The fraudulent messages are sent from Apple infrastructure and pass SPF, DKIM, and DMARC authentication checks.
  • The emails prompt victims to call a listed phone number, where scammers often request remote-access software or financial details.
  • The campaign appears to use mailing lists for distribution, mirrors prior iCloud Calendar abuse, and Apple has not responded to reports.
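
Because these messages authenticate cleanly, a filter has to inspect the user-supplied name field rather than the sender. The following Python sketch is an added example, not code from the original report: it parses a constructed notification and flags a greeting that carries a phone number or purchase/callback wording. The sender domain, the "Dear <name>," layout, the keyword list and the sample number are assumptions.

```python
import re
from email import message_from_string

# Constructed sample: placeholder domains, assumed "Dear <name>," layout,
# and a fictional 555-01xx phone number. Not a captured message.
TEMPLATE = """\
From: Account Notifications <noreply@notifications.example>
Subject: Your account information was updated
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=notifications.example; dkim=pass header.d=notifications.example; dmarc=pass header.from=notifications.example

Dear {name},

The following changes to your account were made: shipping information.
"""
LURE_NAME = "iPhone purchase of $899 confirmed To cancel call +1 (202) 555-0100"

PHONE = re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LURE = re.compile(r"\b(purchase|order|charged|cancel|refund|call)\b", re.I)
AUTH = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def auth_results(msg):
    """Map each mechanism in Authentication-Results to its verdict."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in AUTH.findall(header)}

def greeting_name(body):
    """Return the user-supplied text the template prints after 'Dear'."""
    m = re.search(r"^Dear\s+(.*?),?\s*$", body, re.M)
    return m.group(1) if m else ""

def assess(raw):
    """Report authentication status and name-field anomalies separately."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    name = greeting_name(msg.get_payload())
    reasons = []
    if PHONE.search(name):
        reasons.append("phone number in name field")
    if len(LURE.findall(name)) >= 2:
        reasons.append("purchase/callback wording in name field")
    if len(name.split()) > 4:
        reasons.append("name field unusually long")
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    return {"authenticated": authenticated, "name_field": name,
            "suspicious": bool(reasons), "reasons": reasons}

if __name__ == "__main__":
    print(assess(TEMPLATE.format(name=LURE_NAME)))
```

The sample comes back with `authenticated` true and `suspicious` true at the same time, which is the condition a sender-reputation or DMARC-only rule misses.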

Read More: https://www.bleepingcomputer.com/news/security/apple-account-change-alerts-abused-to-send-phishing-emails/