Apple Account Smishing Campaign Uses Lookalike Domains in Korea

phishing-campaign-intelligence, identity-impersonation-fraud, credential-stealer-activity
Updated April 11, 2026 at 05:10 PM (3 sources)

ESTsecurity’s Alyac blog warned of a smishing campaign using Apple-themed text messages that claimed an Apple ID had been accessed from another location or showed suspicious account activity. The messages were marked as international-origin texts and directed recipients to fraudulent lookalike domains including ap****-kr.com and app****.cc, attempting to lure victims into credential theft through fake Apple login pages.

Alyac said the alerts were compiled from user-submitted reports through the AlyacM app as part of its weekly smishing roundup. In the same reporting period, the company also highlighted a separate lure impersonating Danal, threatening court appearance over alleged long-term unpaid debt and referencing a payment amount and bank account details, underscoring continued use of both financial-pressure and brand-impersonation tactics in Korean mobile phishing campaigns.

Timeline

  1. Feb 6, 2026

    Alyac publishes first-week February smishing alert

    ESTsecurity's Alyac blog published a smishing alert for the first week of February 2026 based on AlyacM user reports, featuring Danal debt-collection and Apple account-security impersonation lures as notable examples.

  2. Feb 6, 2026

    Alyac identifies Danal debt-themed smishing lure in weekly roundup

    In its next weekly roundup, Alyac highlighted a smishing message impersonating Danal that threatened court appearance over long-term unpaid debt and referenced a bank account for payment. The same roundup also reiterated Apple-themed account-alert lures collected from user reports.

  3. Jan 30, 2026

    Alyac publishes weekly alert on Apple smishing campaign

    ESTsecurity's Alyac blog published a weekly smishing alert summarizing Apple-themed phishing texts reported through the AlyacM app, describing the lure variants and malicious domains involved.

  4. Jan 30, 2026

    Apple-themed smishing texts reported to AlyacM users

    During Alyac's reporting period ending around late January 2026, users reported smishing messages impersonating Apple and claiming suspicious account activity or logins from another location. The messages used lookalike domains such as ap****-kr.com and app****.cc to lure recipients to fraudulent sites.

  5. Jan 16, 2026

    Alyac reports police fine-themed smishing texts

    During Alyac's reporting period from 2026-01-10 to 2026-01-16, users reported smishing messages impersonating the Korean National Police Agency's civil complaint service, claiming a traffic fine notice or bill had been issued or delivered. The messages directed recipients to suspicious domains including poa.***g[.]my, moa.n***.my, and yoa.***n.mobi.

Related Stories

Consumer Brand Impersonation Phishing and Tech-Support Scams Targeting Apple and Avast Users

Multiple **brand-impersonation phishing** campaigns are targeting consumers by abusing trust in *Avast* and *Apple* to drive victims into disclosing payment or account details. One campaign uses a near-identical fake *Avast* portal aimed at French-speaking users, presenting a fabricated **€499.99** “subscription charge” and a short cancellation window to induce urgency; the site validates entered card numbers using the **Luhn algorithm** and uses a **Tawk.to** live-chat widget (ID `689773de2f0f7c192611b3bf`) to pressure victims in real time into submitting full card details (including CVV) under the pretense of processing a refund. Separate *Apple*-themed scams use **phishing-to-phone** and **SMS** lures to route victims to scam call centers and harvest credentials and financial information. One email purporting to be from an “**Apple Fraud Prevention**” team attempts to panic recipients into calling a fake support number, while an “**Apple Security Alert**” Apple Pay text claims a suspicious **$143.95** Apple Store transaction and urges an immediate call to a `+1 850-85*` number to “cancel” the charge. Another tactic abuses iOS Calendar subscriptions (“**iPhone Calendar Scam**”) to flood devices with fake security/prize alerts that push users to click malicious links; guidance emphasizes unsubscribing from the rogue calendar and avoiding interacting with the spam invites.

1 month ago

Consumer-Facing Phishing and Payment Scams Using Fake Support and Fraud Alerts

Multiple reports describe **social-engineering scams** that impersonate trusted brands and payment providers to drive victims into credential theft or direct monetary loss. A “crypto compensation” lure abuses a legitimate-looking *Yandex* poll as an entry point, then redirects victims to a fake Bitcoin payout page claiming an approved `0.943 BTC` transaction and imposes a small “commission”/fee to withdraw funds—classic advance-fee fraud wrapped in a polished, multi-step funnel (including a fake chat “support agent”). Separately, Japanese-language phishing emails impersonating **ANA**, **DHL**, and **myTOKYOGAS** show consistent infrastructure patterns (notably `.cn` domains in sender and landing-page URLs), suggesting a single operator or shared kit targeting Japanese-speaking recipients. Several consumer scam advisories highlight **SMS-based fraud alerts** that push targets to call attacker-controlled phone numbers, where scammers pose as “support” to steal **Apple ID/2FA codes** or payment details, or to coerce victims into moving money. One PayPal-themed case escalated to cash withdrawals handed to a courier after a victim called a number from an unsolicited text, illustrating how “fraud department” pretexts can transition from phishing to **cash-out theft**. Additional warnings cover lookalike payment sites (e.g., `payyourbill.aps medical.com`) and generic guidance on what to do after clicking a phishing link; these are broadly consistent with the same theme (phishing/payment fraud) but are not tied to a single, specific campaign or actor across all items.

Today

Apple Pay Phishing Using Fake Apple Support Calls to Steal Payment Details

A phishing campaign targeting **Apple Pay** users is using realistic-looking emails to push victims into calling a fraudulent “Apple Support” phone number, shifting the attack from link-clicking to **vishing** (voice phishing). The lure commonly claims a high-value Apple Store charge was attempted or stopped, and includes plausible details (e.g., **case ID**, timestamp, and an “appointment” to review the activity) to create urgency and legitimacy. Malwarebytes reported the operation’s objective is to extract **login/verification codes** and **payment data** during the phone interaction, enabling attackers to take over the victim’s Apple account and potentially access associated data and linked payment methods. Follow-on reporting highlighted the use of Apple branding and invoice-style formatting (including high-ticket purchase claims) to increase conversion, and emphasized the potential impact of account compromise beyond payment theft (e.g., access to stored personal data and connected services).

1 week ago
