Malwarebytes has uncovered a malicious campaign targeting Mac and iPhone users seeking AppleCare+ support. Scammers have been using Google ads to redirect unsuspecting victims to fake AppleCare+ support pages hosted on GitHub, tricking them into calling fraudulent support lines. From there, call center agents posing as Apple representatives extract money and personal information from the victims.
AppleCare+ is Apple's extended warranty and support service for its products, offering technical support, repair services, and damage coverage. Given the company's extensive customer base and the high value of its products, scammers often target Apple users by exploiting their trust in the brand. This particular scam capitalizes on the confusion users may face when seeking technical support, and the ease of finding fraudulent ads during Google searches increases the risk.
Not AppleCare+
Malwarebytes researcher Jérôme Segura revealed that the scammers purchase Google ads, positioning them at the top of search results for terms like “Apple phone support.” Clicking these ads leads users to bogus AppleCare+ pages hosted on GitHub. These pages replicate Apple's branding, creating a sense of legitimacy and encouraging victims to call a fake 1-800 number. Once connected, victims are manipulated by scammers in call centers, often overseas, who employ social engineering tactics to convince them to hand over sensitive data or transfer large sums of money.
The fake support sites are hosted in GitHub repositories, with each repository containing fraudulent HTML templates mimicking AppleCare+ pages. The scammers have been found creating multiple accounts and repositories, which allows them to swap out phone numbers easily, bypassing detection when a number gets reported and persisting when their repositories are flagged for fraud. A piece of JavaScript code embedded in these pages, called “autoDial,” triggers the phone call dialog on users' devices, further simplifying the process of connecting victims with scammers.
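A defender-side triage check for the pattern described above, as an added example that is not from Malwarebytes or the campaign's own pages: it flags a fetched page only when Apple support branding on a non-Apple host coincides with a script that navigates to a `tel:` URI on its own. The sample page, URL, phone number, finding labels, and the `triagePage` and `isOfficialHost` names are constructed for illustration.

```javascript
// Constructed sample page and URL for illustration; not code recovered from the campaign.
const SAMPLE_URL = "https://example-user.github.io/applecare-support/";
const SAMPLE_PAGE = `
<html><head><title>AppleCare+ Support</title></head>
<body onload="autoDial()">
<a href="tel:+18005550100">Call Apple Support</a>
<script>
function autoDial() { window.location.href = "tel:+18005550100"; }
</script>
</body></html>`;

// Assumption: only apple.com and its subdomains count as official.
const OFFICIAL_SUFFIXES = ["apple.com"];

function isOfficialHost(url) {
  const host = new URL(url).hostname.toLowerCase();
  return OFFICIAL_SUFFIXES.some((s) => host === s || host.endsWith("." + s));
}

function triagePage(url, html) {
  const findings = [];
  // Inspect script bodies only: a visible tel: link by itself is normal.
  const scripts = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)]
    .map((m) => m[1]).join("\n");
  const navToTel =
    /(location(\.href)?\s*=|location\.(assign|replace)\s*\(|window\.open\s*\()\s*["']tel:/i;
  if (navToTel.test(scripts)) findings.push("script-navigates-to-tel");
  if (/<meta[^>]+http-equiv=["']?refresh[^>]+url=\s*tel:/i.test(html))
    findings.push("meta-refresh-to-tel");
  if (/apple\s*care|apple\s+support/i.test(html) && !isOfficialHost(url))
    findings.push("apple-branding-on-unofficial-host");
  // Collect every dialled number, normalised, for reporting and blocklists.
  const telNumbers = [...new Set(
    [...html.matchAll(/tel:([+\d][\d\-().\s]*\d)/gi)]
      .map((m) => m[1].replace(/[^\d+]/g, "")))];
  const autoDial = findings.some((f) => f.endsWith("-to-tel"));
  return {
    host: new URL(url).hostname,
    findings,
    telNumbers,
    // Flag only when brand impersonation and an automatic dial coincide.
    suspicious: autoDial && findings.includes("apple-branding-on-unofficial-host"),
  };
}

console.log(triagePage(SAMPLE_URL, SAMPLE_PAGE));
```

Because the phone numbers are swapped frequently, the extracted `telNumbers` are better suited to abuse reports than to long-lived blocklists; the structural findings are the more durable signal.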
Malwarebytes reported the fraudulent accounts to GitHub, which acted quickly to take them down. However, the scheme can continue by means of newly set up accounts and a fresh batch of repositories. Mac users should understand that the scam's effectiveness comes from its convincing setup: the combination of authentic-looking pages and legitimate Google ads makes it difficult to recognize the deception until it's too late.
Victims often lose hundreds to thousands of dollars, with scammers sometimes gaining access to personal information like Social Security numbers and banking details. In more severe cases, the stolen data can be used for blackmail or shared with other scammers for additional fraudulent activities.
Protection from fraud
To avoid falling victim to these scams, users should:
- Avoid clicking on sponsored ads when searching for support.
- Use an ad blocker or ad-blocking browser that will prevent promoted results from displaying on Google Search.
- Visit the official Apple website directly for support.
- Be skeptical of phone numbers listed on unofficial-looking pages.
- Verify URLs and avoid sites hosted on non-Apple domains like GitHub.