How did someone use my Apple ID?

  • surfsister
    surfsister Posts: 7,527
    Yes, I've had loads of these and I don't even use Apple!!

    A tip I was told to stay secure: never click on a link in an email, but type into the bar at the top to go in securely.

    I also get tax ones - there is a tax scam at the moment to get bank details.
  • hubb
    hubb Posts: 2,482
    Here is the exact text but it does display my full name as well as email address, something all phishing emails in the past have failed to do.

    Dear **********,
    Your Apple ID (*******@gmail.com) was used to sign in to iMessage on an iPod named “ossex's iPhone”.
    Date and Time: 14 June 2017, 8:59 AM PDT
    Operating System: iOS 6.1.6
    If the information above looks familiar, you can disregard this email.
    If you have not recently signed in to an iPod with your Apple ID and believe someone may have accessed your account, go to Apple ID (https://appleid.apple.com) and change your password as soon as possible.
    Sincerely,
    Apple Support


    Apple ID | Support | Privacy Policy
    Copyright © 2017 Apple Distribution International, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. All rights reserved.
  • angryparcel
    angryparcel Posts: 926 Forumite
    hubb wrote: »
    Here is the exact text but it does display my full name as well as email address, something all phishing emails in the past have failed to do.

    Dear **********,
    Your Apple ID (*******@gmail.com) was used to sign in to iMessage on an iPod named “ossex's iPhone”.
    Date and Time: 14 June 2017, 8:59 AM PDT
    Operating System: iOS 6.1.6
    If the information above looks familiar, you can disregard this email.
    If you have not recently signed in to an iPod with your Apple ID and believe someone may have accessed your account, go to Apple ID (https://appleid.apple.com) and change your password as soon as possible.
    Sincerely,
    Apple Support


    Apple ID | Support | Privacy Policy
    Copyright © 2017 Apple Distribution International, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. All rights reserved.
    That means nothing and will look genuine; what you need is the email header information that will show the original sender's IP.

    This is what a header will look like. This is one I got from a spammer based in China.
    From - Mon Jun 12 16:48:27 2017
    X-Account-Key: account3
    X-UIDL: UID5085-1393420719
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys:
    Return-Path: <neha@blackyun.net>
    Delivered-To: ****@****-*****.co.uk
    Received: from *****.******.info
    by *****.******.info(Dovecot) with LMTP id Mj8cG5C3PlnfKwAAS9ey6w
    for <****@****-*****.co.uk>; Mon, 12 Jun 2017 16:47:28 +0100
    Return-path: <neha@blackyun.net>
    Envelope-to: ****@****-*****.co.uk
    Delivery-date: Mon, 12 Jun 2017 16:47:28 +0100
    Received: from mx026.blackyun.net ([59.110.20.214]:35138)
    by *****.******.info with esmtp (Exim 4.89)
    (envelope-from <neha@blackyun.net>)
    id 1dKRYg-0002rd-NW
    for ****@****-*****.co.uk; Mon, 12 Jun 2017 16:47:28 +0100
    Received: from mx026.blackyun.net (localhost [127.0.0.1])
    by mx026.blackyun.net (Postfix) with ESMTPA id 45E5518B9A4
    for <****@****-*****.co.uk>; Mon, 12 Jun 2017 23:08:45 +0800 (CST)
    To: ****@****-*****.co.uk
    Message-ID: <4ea11cb52ad52348b85ab1b1241b9e54@mx026.blackyun.net>
    Date: Mon, 12 Jun 2017 22:58:05 +0800
    From: "Selina" <toys1258@126.com>
    Reply-To: toys1258@126.com
    MIME-Version: 1.0
    X-Mailer-LID: 1279
    List-Unsubscribe: <http://mx026.blackyun.net/unsubscribe.php?M=21449726&C=694fa3b26e5020c56ec0c41ce4fdcb11&L=1279&N=1258>
    X-Mailer-RecptId: 21449726
    X-Mailer-SID: 1258
    X-Mailer-Sent-By: 13
    Content-Type: multipart/mixed; charset="UTF-8"; boundary="b1_2ab86b6110e8255bdd6367a5a8106562"
    Content-Transfer-Encoding: 8bit
    Content-Disposition: inline
    X-Spam-Status: Yes, score=13.7
    X-Spam-Score: 137
    X-Spam-Bar: +++++++++++++
    X-Spam-Report: Spam detection software, running on the system "greywood.serverrackone.info",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    root\@localhost for details.

    Content preview: Re: Factory direct Wholesale HAND SPINNER and FIDGET CUBE
    My Dear Friend , This is Selina from China,I know that you are in field of
    TOYS,I'd like to recommend you our product. [...]

    Content analysis details: (13.7 points, 3.0 required)

    pts rule name description
    ----

    0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
    See
    http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    for more information.
    [URIs: blackyun.net]
    2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL
    [59.110.20.214 listed in psbl.surriel.com]
    1.2 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist
    [URIs: blackyun.net]
    0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
    (toys1258[at]126.com)
    -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
    domain
    0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
    (toys1258[at]126.com)
    0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
    domains are different
    -0.0 SPF_PASS SPF: sender matches SPF record
    4.2 BAYES_80 BODY: Bayes spam probability is 80 to 95%
    [score: 0.8399]
    1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
    above 50%
    [cf: 100]
    0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
    0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
    [cf: 100]
    1.0 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom
    freemail headers are different
    1.0 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different
    freemails
    X-Spam-Flag: YES
    Subject: ***SPAM*** Re:re:Re(2):your order of Hand Spinner

    --b1_2ab86b6110e8255bdd6367a5a8106562
    Content-Type: multipart/alternative;
    boundary="b3_2ab86b6110e8255bdd6367a5a8106562"

    --b3_2ab86b6110e8255bdd6367a5a8106562
    Content-Type: text/plain; format=flowed; charset="UTF-8"
    Content-Transfer-Encoding: 8bit
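Reading the Received chain described in the post above, as an added example that is not part of the original thread: this Python sketch parses an abridged copy of the posted header and reports the IP logged at handover to the receiving server, plus whether the visible From domain differs from the envelope sender. The redacted host and recipient are replaced by constructed example.* placeholders, and the function names are illustrative.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Abridged copy of the header posted above. The redacted receiving host and
# recipient are replaced by constructed placeholders (mx.example.info, user@example.co.uk).
RAW = """\
Return-Path: <neha@blackyun.net>
Received: from mx026.blackyun.net ([59.110.20.214]:35138)
\tby mx.example.info with esmtp (Exim 4.89)
\tfor user@example.co.uk; Mon, 12 Jun 2017 16:47:28 +0100
Received: from mx026.blackyun.net (localhost [127.0.0.1])
\tby mx026.blackyun.net (Postfix) with ESMTPA id 45E5518B9A4
\tfor <user@example.co.uk>; Mon, 12 Jun 2017 23:08:45 +0800 (CST)
From: "Selina" <toys1258@126.com>

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(msg):
    """Return (from_host, ip, by_host) per Received header, newest first."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        frm = re.search(r"\bfrom\s+(\S+)", flat)
        by = re.search(r"\bby\s+(\S+)", flat)
        ip = IP_RE.search(flat)
        hops.append((frm and frm.group(1), ip and ip.group(1), by and by.group(1)))
    return hops

def handover_ip(msg):
    """IP from the newest hop that logged a public address. Only the line added
    by your own mail server is trustworthy; older lines can be forged."""
    for _, ip, _ in received_hops(msg):
        if ip and ipaddress.ip_address(ip).is_global:
            return ip
    return None

def domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def sender_mismatch(msg):
    """True when the visible From domain differs from the envelope sender."""
    return domain(msg["From"]) != domain(msg["Return-Path"])

msg = email.message_from_string(RAW)
```

Loopback and private addresses, such as the 127.0.0.1 hop here or the 10.x addresses in the Gmail header later in the thread, are skipped because they say nothing about where the message entered from.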
  • hubb
    hubb Posts: 2,482
    I'm sorry but I don't know how to find this info. Windows Live Mail is not showing it.
  • donnac2558
    donnac2558 Posts: 3,610
    Netflix phishing scams now doing the rounds as well. Loads of Amazon cancelling your order ones too.

    I have had the Apple one as well and don't even own an Apple. Just deleted without opening.
  • angryparcel
    angryparcel Posts: 926 Forumite
    hubb wrote: »
    I'm sorry but I don't know how to find this info. Windows live mail is not showing it.
    To view all an email message's headers in Windows Live Mail, Windows Mail or Outlook Express:

    1) Highlight the message in the Windows Live Mail, Windows Mail or Outlook Express message list.
    2) Click on the message with the right mouse button.
    3) Select Properties from the context menu.
    4) Switch to the Details tab.
  • Ant555
    Ant555 Posts: 1,566
    You have changed your password which was very wise.

    If you log in now then do you see this 'suspect' iPod listed in your devices?

    If not then it almost certainly was a phishing email; if it IS there then someone knows your previous Apple credentials.

    By the way, if you log in to iCloud and can see the suspect iPod then you should be able to wipe/erase/put in lost mode remotely.
  • Ant555
    Ant555 Posts: 1,566
    edited 16 June 2017 at 11:39AM
    PS - if you go to this web site and enter your email address it will check it against the millions of email addresses that have been hacked and shared online due to companies being compromised. If your mail address was stolen in one of the many data breaches then they might have also got your real name or even addresses etc and that is how the 'bad people' can construct an email that looks real.

    https://haveibeenpwned.com/

    Note that the Exploit.in 'leak' is a body of work where someone on the bad side of the fence has spent time and effort to join together all the other data breaches and is offering for sale a list of up to 800 million email/password combos that have been stolen in all the other breaches put together!

    Hope this helps.
  • hubb
    hubb Posts: 2,482
    edited 16 June 2017 at 11:51AM
    Good news — no pwnage found!


    Here is the header.

    Received: by 10.74.172.199 with SMTP id c7csp379347oon;
    Wed, 14 Jun 2017 09:00:16 -0700 (PDT)
    X-Received: by 10.84.218.141 with SMTP id r13mr816975pli.67.1497456015967;
    Wed, 14 Jun 2017 09:00:15 -0700 (PDT)
    ARC-Seal: i=1; a=rsa-sha256; t=1497456015; cv=none;
    d=google.com; s=arc-20160816;
  • hubb
    hubb Posts: 2,482
    It came through on my Gmail account which I retrieved on my iPad. My Gmail account is also hooked up to Windows Live.
This discussion has been closed.