Phishing in the Multiverse: Analyzing a Malicious Email Targeting Apple and Yahoo Users

May 20, 2025

By: Vince Ceno, Cofense Phishing Defense Center

Apple Pay is Apple's mobile payment and digital wallet service, which lets users pay with their Apple devices. Digital wallets are now widely used, and Apple Pay is regarded as one of the more trusted and secure platforms. Even a well-secured system, however, cannot protect a user who is deceived into handing over their own credentials, and cybercriminals are exploiting exactly that. In this article we break down a recent phishing campaign that mimics an Apple Pay invoice to steal sensitive data, including Apple ID credentials, credit card details, and the victim's Yahoo Mail login. As illustrated in Figure 1, the victim receives a fake invoice disguised as an Apple Pay receipt, claiming they made a purchase and prompting them to open the attached PDF.

Figure 1: Email Body

Figure 2: Preview of the Opened PDF Invoice

Figure 2 shows the contents of the attached PDF. The document is designed to alarm the recipient into acting immediately: it states, “If you didn’t make this purchase or if you believe an unauthorized person is attempting to access your account, Click Here to cancel your purchase.” The phrase “Click Here” is hyperlinked to the malicious page. Placing the link inside the attachment rather than in the email body is a common way to sidestep URL scanning that only inspects the message itself, so attachments in a suspected phish should be checked for embedded link targets as well.

Figure 3: Phish Page from the Malicious Link

The webpage shown in Figure 3 closely resembles a legitimate Apple ID login page. A closer look at the URL (hxxps://sigins-appstorinvoicapplse.work.gd), however, gives it away: the host is not under apple.com at all. It is a string of misspelled brand and lure words (“sigins”, “appstor”, “invoic”, “applse”) on a domain Apple does not own, a classic lookalike-domain tactic. Many users judge a login page purely on how authentic it looks and never read the URL, which makes them prime targets for credential theft.
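As an added example (not Cofense's tooling and not code from the original post), the following Python triage helper combines the two checks discussed above: it pulls the /URI link targets out of a PDF attachment like the one in Figure 2 and scores each host the way the URL in Figure 3 should be scored. The PDF bytes are hand-built and uncompressed, the link target is the article's indicator refanged, and the brand allow-list, shared-parent list and token lists are assumptions a team would tune, not a vetted feed.

```python
"""Attachment triage helper: pull every /URI link target out of a PDF
and score the host for brand impersonation.

Constructed for this write-up, not Cofense tooling.  SAMPLE_PDF is a
hand-built, uncompressed stand-in for the attached invoice, and the
domain and token lists are assumptions a team would tune, not a vetted
feed."""
import re
from urllib.parse import urlsplit

# Constructed one-page PDF with a single link annotation whose /URI
# action points at the phishing host named in the article (refanged).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 72 200 90]
  /A << /S /URI /URI (https://sigins-appstorinvoicapplse.work.gd/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Assumptions, not a vetted list: brand-owned registrable domains to
# allow-list, shared parents under which anyone can get a subdomain
# (treated like public suffixes here), and the brand / lure substrings
# to look for in attacker-chosen host names.
BRAND_DOMAINS = {"apple.com", "icloud.com"}
SHARED_PARENTS = {"work.gd"}
BRAND_TOKENS = ("appl", "appstor", "icloud", "itunes")
LURE_TOKENS = ("sigin", "signin", "login", "invoic", "verif", "account", "pay")


def extract_uris(pdf_bytes):
    """Return the target of every /URI action found in uncompressed objects.

    Simplification: PDF strings may contain escaped parentheses, and
    real attachments usually wrap objects in FlateDecode streams.  A
    production triage script inflates those first (pypdf does this);
    a byte regex alone will miss links hidden in compressed streams."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def registrable_domain(host):
    """Approximate the registrable domain: the last two labels, or one
    more when the parent is a shared suffix such as work.gd.  No Public
    Suffix List lookup here; use tldextract or similar in production."""
    labels = host.lower().strip(".").split(".")
    for parent in SHARED_PARENTS:
        plen = len(parent.split("."))
        if len(labels) > plen and ".".join(labels[-plen:]) == parent:
            return ".".join(labels[-plen - 1:])
    return ".".join(labels[-2:])


def score_url(url):
    """Score one URL: brand-owned domains are allowed outright; anything
    else is checked for brand and lure substrings in the host name."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host) if host else ""
    result = {"url": url, "host": host, "registrable": reg,
              "brand_tokens": [], "lure_tokens": [],
              "shared_parent": any(host.endswith("." + p) for p in SHARED_PARENTS)}
    if reg in BRAND_DOMAINS:
        result["verdict"] = "allow"
        return result
    # Only attacker-chosen names reach this point, so a brand substring
    # here is impersonation rather than a legitimate brand host.
    result["brand_tokens"] = [t for t in BRAND_TOKENS if t in host]
    result["lure_tokens"] = [t for t in LURE_TOKENS if t in host]
    if result["brand_tokens"]:
        result["verdict"] = "suspicious"
    elif result["lure_tokens"] or result["shared_parent"]:
        result["verdict"] = "review"
    else:
        result["verdict"] = "unknown"
    return result


def triage_pdf(pdf_bytes):
    """Extract and score every link target in the attachment."""
    return [score_url(u) for u in extract_uris(pdf_bytes)]


if __name__ == "__main__":
    for r in triage_pdf(SAMPLE_PDF):
        print(r["verdict"], r["host"], r["brand_tokens"], r["lure_tokens"])
```

Run against the constructed sample, the link resolves to a host on a shared parent that carries two brand substrings and two lure substrings and is scored "suspicious", while appleid.apple.com is allowed because its registrable domain is on the allow-list. Substring matching is deliberately crude; a production detector would add an edit-distance or homoglyph comparison against the brand names and a real Public Suffix List lookup, and would inflate compressed PDF streams before searching for link actions.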

Figure 4: Fake OTP Request

After entering credentials on the phishing page, the user is prompted for a one-time password (OTP), a step that makes the phish even more convincing because it mirrors Apple’s genuine two-factor sign-in, in which a verification code is sent to the user’s trusted device. The prompt creates a false sense of security and makes the whole flow feel authentic. Because such codes expire quickly, this step only pays off for the attacker if the stolen username and password are replayed against Apple immediately, which is what triggers the real code the victim then types into the fake page. With both credentials and OTP in hand, the attacker can sign in to the victim’s Apple ID, and with it Apple Pay, in real time.

Figure 5: Asking for personal information

Figure 6: Asking for Credit card details and personal information

After capturing the user’s Apple ID credentials and OTP, the campaign goes further and requests payment information. As shown in Figures 5 and 6, the fake page asks the victim to enter their credit card details under the pretense of verifying their payment method. Alongside the card data, the phish collects personally identifiable information (PII) such as full name, billing address, postal code, and phone number, which is exactly what is needed to impersonate the victim. At this point the attackers hold enough to take over the victim’s Apple ID and Apple Pay, commit identity theft, and use the stolen card for unauthorized purchases or other fraud.

Figure 7: Yahoo Phish Page

Unfortunately, the attack does not end there. After harvesting the Apple ID credentials, credit card details, and PII, the phishing page redirects to a Yahoo login page to squeeze more out of the victim. This page is hosted on the same malicious domain as the Apple phish. If the victim also enters their Yahoo Mail credentials, the attacker gains access to the mailbox, and with it the ability to reset passwords on other services that send recovery links to that address, extending their control across the victim’s digital footprint.

This attack is a prime example of how cybercriminals continue to refine their tactics, chaining realistic login flows to collect multiple layers of sensitive information. From the authentic-looking login page to the OTP request, the credit card form, and the follow-on Yahoo prompt, each step is designed to build trust and keep the victim moving. The Cofense Managed Phishing Detection and Response (MPDR) solution can help identify threats like this in real time and bolster your company's defenses against evolving threats, giving your organization more confidence in its overall security posture; one seemingly harmless email can lead to severe consequences when left unchecked. Schedule a demo with our team of experts today to learn more.