Fake AppleCare+ (Scam) – Malware

Overview

In September 2024, a new wave of scams has emerged, targeting unsuspecting Mac users seeking support or extended warranties through AppleCare+. Scammers have found a way to exploit Google ads, using them to mislead users into visiting fraudulent websites that mimic Apple’s official customer service pages. The attack strategy revolves around redirecting users to fake AppleCare+ service portals hosted on GitHub repositories. This clever tactic preys on individuals looking for assistance with their Apple products, with the end goal of manipulating them into calling fraudulent support numbers. Once connected with these call centers, victims are subjected to social engineering techniques designed to steal money and sensitive personal information.

The success of this campaign lies in its ability to blend into legitimate online support searches. Users, while searching for Apple support via Google, often encounter sponsored ads at the top of the search results page. These ads, which appear next to or even before Apple’s official contact information, lead users to phishing pages that look almost identical to Apple’s official service sites. The pages prompt victims to call a fake 1-800 number, where they are then connected to scammers posing as Apple support agents. The attack takes advantage of trust in online search engines and well-established brands, making it particularly dangerous for less tech-savvy users.

Targets

Individuals

How they operate

The Fake AppleCare+ scam is a well-crafted phishing campaign that exploits search engine advertisements and platforms like GitHub to deceive Mac users into contacting fraudsters posing as Apple customer service representatives. By leveraging Google ads, scammers target users who are searching for legitimate AppleCare+ support or warranty services, often placing their malicious ads directly above the real contact information for Apple. This positioning takes advantage of user trust in search results, making the scam difficult for average consumers to detect.

Once a user clicks on one of these malicious ads, they are redirected to a fake AppleCare+ customer support page, hosted on GitHub repositories. These repositories are legitimate accounts on the Microsoft-owned platform, where scammers upload HTML files that closely resemble the official Apple support website. The pages are designed with identical Apple branding, ensuring that they appear authentic at first glance. To enhance the legitimacy of the scam, the fraudulent pages feature pre-configured phone numbers and an auto-dial script that automatically opens a phone dialer when the victim interacts with the page. This minimizes the effort required to connect the victim with the scammer, streamlining the fraud process.

The fraudsters behind this campaign employ a tactic known as “GitHub repository hijacking,” in which they create multiple repositories on GitHub to host the fake AppleCare+ service pages. By using the commit history of these repositories, scammers can easily modify the content, swapping out phone numbers to avoid detection. This technique allows them to keep the operation running smoothly, as any blocked number can quickly be replaced with a new one without disrupting the ongoing campaign. This dynamic nature of the scam demonstrates a highly flexible and agile approach to maintaining control over the fraudulent websites.

Once a victim visits the fake site and potentially interacts with the auto-dial feature, they are prompted to call a 1-800 phone number, where they are connected to a scammer masquerading as an Apple support agent. The scammer then uses social engineering tactics to gain the victim’s trust, offering support services and encouraging the victim to share sensitive personal information such as social security numbers, banking details, and login credentials. The fraudster may also instruct the victim to withdraw money from their bank account and send it to the scammer or purchase gift cards as part of the “support process.”

This scam operates at a technical level by exploiting legitimate platforms—such as Google and GitHub—that users trust. The use of targeted Google ads increases the visibility of the malicious sites, while the use of GitHub to host the fraudulent pages allows scammers to stay one step ahead of security measures. The scam’s success is largely dependent on the careful execution of social engineering tactics that manipulate victims into believing they are receiving legitimate support. As such, the scam relies not only on technical sophistication but also on exploiting human trust and naiveté. For victims, the consequences can be severe, ranging from financial loss to identity theft, further demonstrating the critical need for heightened awareness and vigilance in online interactions.

References

• Scammers advertise fake AppleCare+ service via GitHub repos