On 29 April 2020, IBM X-Force warned users of an AppleID typosquatting campaign specifically targeting members of the media sector. Those affected were advised to stay away from three domains, namely:

• www-appleid[.]com
• www-appleofficial[.]com
• www-appleoficial[.]com

We sought to dig deeper into these threats and find other relevant domains and IP addresses that users, regardless of industry, may need to steer clear of.

A Deeper Dive into the Domains

Our WHOIS Lookup queries revealed that www-appleid[.]com, www-appleofficial[.]com, and www-appleoficial[.]com were all 4 days old when the alert was given and belong to an individual based in Mexico. As far as we can tell from the lookup reports, the domain owner has no ties to Apple. According to the domains’ WHOIS records, he is part of an organization called “Fastunlock.”

We subjected the domains to a Domain Name System (DNS) lookup and found that they all resolved to the same IP address—142[.]44[.]210[.]150. DNS queries allow users to obtain other potential indicators of compromise (IoCs) that publicly available reports may not include.

That fact further solidifies our previous WHOIS lookup finding—all three domains belong to a single owner. We wanted to know if the IP address should be avoided, too, so we queried it on the Threat Intelligence Platform (TIP). As it turns out, users would also do well to steer clear of 142[.]44[.]210[.]150, as it has ties to malicious activity.

Other Potential Typosquatting Domains to Avoid

We are well aware of the dangers that typosquatting poses. A lot of typosquatting domains serve as homes to phishing and malware download pages that put visitors at risk of data theft or worse. Cybersecurity teams should strive to spot harmful typosquatting domains as soon as they’re registered with the help of solutions such as Typosquatting Data Feed.

In light of the campaign, we looked at our typosquatting database for other relevant domains that users should avoid accessing. We found 160 domains containing “appleid” from feeds dated 1 October 2019 to 3 April 2020. Of these, 45 domains or around 28% (e.g., appleidinformation[.]com, my-appleid[.]app, appleid-lockedmail[.]com, webapps-appleid-apple2[.]com, createappleid[.]org. etc.) had malicious ties according to TIP. A Bulk WHOIS Search query also showed that Apple owned none of the 160 domains.

Organizations that want to exert due diligence can go even further than just blocking access to the malicious domains. Subjecting them to a DNS lookup can reveal malicious IP addresses that may need to be blacklisted as well, such as 74[.]220[.]199[.]6, which appleid-manage[.]net resolves to.

Other suspicious or malicious websites may also be hosted on 74[.]220[.]199[.]6. Users can get a list of them via a reverse IP/DNS lookup. Our query revealed at least 300 sites that may be worth looking into as well.

One of the domains (i.e., jhjqgg[.]com) connected to the IP address, for instance, turned out to be malicious, too, based on a TIP analysis.

And while the majority of the domains were not cited for malicious ties, knowing that they don’t belong to Apple may be reason enough to avoid accessing them. Users can quickly determine if that’s the case via WHOIS lookups.

Most of the non-malicious domains were registered by privacy-protected individuals from countries such as Canada, the Netherlands, the U.S., Iran, Japan, and Germany. Some even went as far as redacting their country information. That is very different from the WHOIS record of the real AppleID domain (i.e., appleid[.]apple[.]com) indicates Apple Inc. as the owner, complete with the company’s postal and email address and phone numbers, as shown in this WHOIS Lookup report.

It’s also interesting to note the use of what appear to be randomly generated numbers in some of the non-malicious domains such as customer-support-appleid96210[.]com, customer-support-appleid89487[.]com, and customer-support-appleid69841[.]com. That is another significant difference from legitimate Apple domains such as that of AppleID Support—support[.]apple[.]com/apple-id.

Some non-malicious domains also included what are likely to be other brands mixed with AppleID such as in zendappleid-support2[.]com, appleid-websecuremeklor[.]com, and appleidsupportgmail[.]info.

Misspellings and grammatical errors, which no reputable company like Apple is likely to make, also appear in some of the non-malicious domains, including com-appleid-noticed[.]com (note the use of the verb in the past tense “noticed” instead of the noun “notice”), appleidsupports[.]info (singular verb form “supports” instead of the noun “support”), and safaty-appleid[.]com (“safaty” should probably be “safety”).

Other discrepancies include unnecessary letters (e.g., appleidapple-updatepaymentxxx[.]com), place names (e.g., appleidservicesjp[.]com), and missing dashes for words written separately (e.g., secure-mailservicesappleid[.]net—should ideally be structured as secure-mail-service-sappleid[.]net).

All of these are uncharacteristic of AppleID domains and should probably be treated as red flags or cause for suspicion at least. Apple device owners can stay protected from any danger both the malicious and non-malicious domains pose by refraining from accessing them or marking all emails originating from them as spam.

A proactive stance to avoiding threats is a must for organizations who want to secure their data, brands and other assets, and customers to the best of their ability. And integrating Typosquatting Data Feed monitoring into their cybersecurity strategies can help with that. The feed provides cybersecurity teams with lists of newly registered domains (NRDs) registered in bulk that often end up as part of cyberattacks.