In June 2016, we published a blog about a phishing campaign targeting the Apple IDs and passwords of Chinese Apple users that emerged in the first quarter of 2016 (referred to as the “Zycode” phishing campaign). At FireEye Labs we have an automated system designed to proactively detect newly registered malicious domains and this system had observed some phishing domains that were designed to appear as legitimate Apple domains. Most of the domains reported by this system were suspended in June 2016, which resulted in a loss of momentum for the Zycode phishing campaign. Throughout the second quarter of 2016, the Zycode phishing campaign was in hibernation.
We recently observed a resurgence of the same phishing campaign when our systems detected roughly 90 phony Apple-like domains that were registered from July 2016 to September 2016. Once again, Chinese Apple users are being targeted for their Apple IDs and passwords using the same content reported on in our earlier blog. The majority of these domains are registered in the .com TLD by email accounts from qq[.]com, and the IPs of these domains point to mainland China, as seen in Figure 1.
Figure 1: Google map showing the location of the hosted phishing domains
Apparently the domains and email addresses used in previous version of the campaign were effectively taken down. Now the attackers have moved to a new malicious infrastructure; new domains, IPs and email addresses are being used for this campaign. The new domain names for the campaign are listed in Table 1, while their IPs and registrant emails are reported in Table 2 and Table 3, respectively.
Table 1: Apple phishing domains serving the Zycode phishing kit.
Table 2 shows the list of unique IPs, which are not the same as what was seen before.
Table 2. IP addresses used by the domains.
The email addresses used to register these domains, showing no similarity with email addresses in the previous campaign, are shown in Table 3.
Table 3. List of unique registrant emails.
Table 4 shows the registrant names, which have no similarity with the previous registrant name information.
Table 4. List of registrant names used by the phishing domains.