Recently, security researcher wildphishcatcher unveiled a report that provides crucial insights on the tactics employed by this threat syndicate and the potential risks posed to individuals and organizations relying on iCloud services.
According to the report, at the beginning of 2022 they saw a significant increase in domain registrations related to Apple and iCloud phishing activities. They also observed consistent use of the term “iServer” across various aspects of the syndicate’s activities. This recurring pattern led them to designate the threat group the “iServer Syndicate.” The syndicate deliberately uses the term “iServer” in its promotional materials as well as in the naming of its command and control (C2) servers.
The wildphishcatcher researchers’ curiosity began when they received a direct message (DM) in their inbox, purportedly from Apple Support. Its urgent tone was a clear indication that a threat actor was masquerading as a representative of a reputable entity.
During further investigation, a striking pattern in the syndicate’s infrastructure emerged. The syndicate consistently relied on a small number of IP addresses to support its operations for a specific duration, typically spanning several months. This practice allowed it to maintain continuity while minimizing its footprint. Additionally, the syndicate adopted Content Delivery Network (CDN) technology, leveraging shared services and occasionally acquiring dedicated virtual private servers (VPS), to further obfuscate its IP addresses and preserve operational security.
Furthermore, their findings revealed that the syndicate employed an extensive network of domains to serve their nefarious purposes. The sheer volume of domains utilized by the syndicate was unprecedented, indicating a deliberate effort to establish a robust infrastructure for their illicit activities.
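The two infrastructure patterns above (a few IP addresses reused for months, and a large pool of brand-themed domains, including the recurring “iServer” naming) are exactly what a defender can pivot on. The following is an added example written for this page, not code from the wildphishcatcher report: it takes constructed passive-DNS-style records (domain, hosting IP, first and last seen), tags domains carrying the keywords the report mentions, groups them by IP, and flags IPs that hosted several lookalike domains over a sustained period. The domains, IPs and the `min_domains`/`min_days` thresholds are all assumptions chosen for illustration.

```python
"""Defender-side pivot on phishing infrastructure reuse.

Added example, not part of the wildphishcatcher report. The records below are
constructed sample observations and the thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import date

# Keywords the report says the syndicate favours in domain names and C2 naming.
BRAND_KEYWORDS = ("icloud", "apple", "iserver")

# Constructed sample records: (domain, ip, first_seen, last_seen).
# None of these domains or IPs come from the report; 203.0.113.0/24 is a
# documentation-only range.
SAMPLE_RECORDS = [
    ("icloud-unlock-support.example", "203.0.113.10", date(2022, 1, 5), date(2022, 4, 20)),
    ("apple-id-verify.example", "203.0.113.10", date(2022, 1, 12), date(2022, 4, 18)),
    ("iserver-panel.example", "203.0.113.10", date(2022, 2, 1), date(2022, 4, 22)),
    ("find-my-device-alert.example", "203.0.113.77", date(2022, 3, 3), date(2022, 3, 9)),
    ("weather-hobby-blog.example", "203.0.113.77", date(2022, 3, 1), date(2022, 3, 30)),
]


def brand_keywords_in(domain):
    """Return the lookalike keywords found in a domain name (case-insensitive)."""
    lowered = domain.lower()
    return [kw for kw in BRAND_KEYWORDS if kw in lowered]


def cluster_by_ip(records):
    """Group observations by hosting IP and measure how long each IP stayed in use."""
    clusters = defaultdict(list)
    for domain, ip, first_seen, last_seen in records:
        clusters[ip].append((domain, first_seen, last_seen))
    summary = {}
    for ip, entries in clusters.items():
        start = min(e[1] for e in entries)
        end = max(e[2] for e in entries)
        summary[ip] = {
            "domains": sorted(e[0] for e in entries),
            "days_in_use": (end - start).days,
            "brand_hits": sum(1 for e in entries if brand_keywords_in(e[0])),
        }
    return summary


def flag_reused_infrastructure(records, min_domains=2, min_days=60):
    """Return IPs that hosted several brand-lookalike domains over a sustained period.

    min_domains and min_days are assumed thresholds, not values from the report.
    """
    flagged = []
    for ip, info in cluster_by_ip(records).items():
        if info["brand_hits"] >= min_domains and info["days_in_use"] >= min_days:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip, info in cluster_by_ip(SAMPLE_RECORDS).items():
        print(ip, info)
    print("flagged:", flag_reused_infrastructure(SAMPLE_RECORDS))
```

The brand-keyword filter matters because of the CDN point in the report: a shared CDN or bulk-hosting IP will cluster many unrelated domains, so a shared-IP pivot on its own produces noise. Treat a flagged IP as a hunting lead to enrich with registration dates and page content, not as attribution.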
In 2017, an insightful report published by KrebsOnSecurity shed light on a particular aspect of the syndicate we are currently investigating. The report, while significant in its own right, primarily focused on a relatively small-scale operation within the larger syndicate’s activities.
While investigating the link that redirected to the iCloud phishing page with the URL
After further investigation, they found multiple phishing pages on the same domain.
a) Middle East: The syndicate has a notable presence in the Middle East, with a focus on countries such as Saudi Arabia, United Arab Emirates, Qatar, and Kuwait. The region’s economic prosperity and high smartphone penetration make it an attractive target for iCloud-related scams.
b) Africa: The syndicate has extended its operations to various countries across Africa, including Nigeria, South Africa, Kenya, and Egypt. This expansion can be attributed to the increasing adoption of Apple products and the growing digital landscape in these regions.
c) South America: The syndicate has been actively targeting countries in South America, with a particular emphasis on Brazil, Argentina, Colombia, and Chile. The region’s large population, rapid internet penetration, and thriving online commerce create ample opportunities for the syndicate to exploit unsuspecting iCloud users.
d) Europe: While the syndicate’s operations in Europe are more limited compared to other regions, there have been reports of their activities in select countries, such as the United Kingdom, Germany, Spain, and Italy. The affluent user base and widespread use of Apple devices in these countries make them attractive targets.
The purpose of this report is to provide a comprehensive analysis that transcends individual domain incidents, allowing us to discern the patterns, tactics, and strategies employed by the syndicate. By examining the syndicate’s operations holistically, we can gain a deeper understanding of their overall impact and the potential risks they pose to individuals and organizations.