In June 2016, we published a blog about a phishing campaign targeting the
Apple IDs and passwords of Chinese Apple users that emerged in the
first quarter of 2016 (referred to as the “Zycode” phishing campaign).
At FireEye Labs we have an automated system designed to proactively
detect newly registered malicious domains and this system had observed
some phishing domains that were designed to appear as legitimate Apple
domains. Most of the domains reported by this system were suspended in
June 2016, which resulted in a loss of momentum for the Zycode
phishing campaign. Throughout the second quarter of 2016, the Zycode
phishing campaign was in hibernation.
We recently observed a resurgence of the same phishing campaign when
our systems detected roughly 90 phony Apple-like domains that were
registered from July 2016 to September 2016. Once again, Chinese Apple
users are being targeted for their Apple IDs and passwords using the
same content reported on in our earlier blog. The majority of these
domains are registered in the .com TLD by email accounts from
qq[.]com, and the IPs of these domains point to mainland China, as
seen in Figure 1.
Figure 1: Google map showing the location of the
hosted phishing domains
What has not Changed?
The attackers have not changed the content of the phishing sites.
being used here in this campaign. We have provided the details of
What has Changed?
Apparently the domains and email addresses used in previous version
of the campaign were effectively taken down. Now the attackers have
moved to a new malicious infrastructure; new domains, IPs and email
addresses are being used for this campaign. The new domain names for
the campaign are listed in Table 1, while their IPs and registrant
emails are reported in Table 2 and Table 3, respectively.
Table 1: Apple phishing domains serving the
Zycode phishing kit.
Table 2 shows the list of unique IPs, which are not the same as what
was seen before.
Table 2. IP addresses used by the domains.
Unique Email Addresses
The email addresses used to register these domains, showing no
similarity with email addresses in the previous campaign, are shown in
Table 3. List of unique registrant emails.
Table 4 shows the registrant names, which have no similarity with
the previous registrant name information.
Table 4. List of registrant names used by the