UPDATED 00:05 EDT / APRIL 22 2015


Sony hackers used fake Apple ID emails to steal passwords, says researcher

New research indicates that the perpetrators of last year’s Sony Pictures Entertainment hack may have used fake Apple ID emails to obtain employees’ login details in order to steal sensitive information from the entertainment giant.

The hackers, later identified by the FBI as acting on behalf of North Korea, hacked Sony’s computer network in November last year. The cyber attack resulted in large-scale network outages at Sony, and the hackers leaked massive amounts of sensitive communications and company information onto the Internet in the form of emails and confidential documents. All of the leaked Sony emails and documents have since been published by Wikileaks.org.

The phishing emails, disguised as emails from AppleCare related to users’ Apple IDs, were uncovered by Stuart McClure, CEO of computer security firm Cylance. In an interview with POLITICO, McClure said he examined a database of Sony emails in an effort to learn how the hackers gained access. What he found was a pattern of phishing emails designed to steal passwords.

“We started to realize that there was constant email around Apple ID email verification, and it was in a number of inboxes,” he said.

According to McClure, the fake emails were nearly identical to official AppleCare emails instructing users to verify their Apple IDs. Users had to take action within 48 hours, stated the emails, or face being locked out of their Apple accounts.

“If you weren’t really on the ball, it looked exactly like an AppleCare type of email,” McClure added.

McClure’s data shows that Sony Pictures CEO Michael Lynton, whose leaked inbox resulted in sensitive information regarding Snapchat being exposed, received one of these phishing emails on September 19 with a link to the domain “ioscareteam.net.”

Users who clicked the link were taken to a convincing fake Apple website where, when prompted, they presumably entered their Apple ID and password, at which point the hackers had a copy.
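The traits McClure describes (AppleCare branding, a 48-hour deadline, a link to a non-Apple domain) can be checked mechanically at a mail gateway. The following is an added example, not code from Cylance or from this article; the allowlist, the urgency patterns and the sample message (including its sender address) are constructed assumptions, and only the domain ioscareteam.net comes from the reporting above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains the impersonated brand really sends from and links to.
BRAND_DOMAINS = {"apple": {"apple.com", "icloud.com"}}
URGENCY = re.compile(r"within\s+\d+\s+hours|locked\s+out|verify\s+your", re.I)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)

# Constructed sample message; only the link domain is taken from the article.
SAMPLE = """\
From: AppleCare <support@ioscareteam.net>
Subject: Apple ID email verification
Content-Type: text/html; charset=utf-8

<p>Verify your Apple ID within 48 hours or be locked out of your account.</p>
<a href="http://ioscareteam.net/">Verify now</a>
"""

def host_in(host, allowed):
    """True only if host is an allowed domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def body_text(msg):
    # Concatenate every text/* part, decoding any transfer encoding.
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_maintype() == "text")

def score_message(raw):
    """Return findings for one RFC 5322 message that claims a known brand."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    claimed = (display + " " + msg.get("Subject", "")).lower()
    body = body_text(msg)
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in claimed:
            # Compare the sender host and every link host with the brand's domains.
            hosts = [("sender", addr.rpartition("@")[2])]
            hosts += [("link", urlsplit(u).hostname) for u in HREF.findall(body)]
            findings += [f"{kind}-domain-mismatch:{h}"
                         for kind, h in hosts if not host_in(h, allowed)]
    if URGENCY.search(body):
        findings.append("urgency-language")
    return findings
```

The suffix check in `host_in` requires a leading dot, so a lookalike host such as `apple.com.ioscareteam.net` is still reported as a mismatch.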

Hackers apparently used the stolen Apple IDs in conjunction with Sony employees’ LinkedIn profiles to figure out their Sony network login details, a task made easier because many people often use the same username and password across multiple personal and work accounts.

The attack was first thought to be highly sophisticated, but this new evidence points to a relatively simple technical process that relied heavily on effective social engineering. Social engineering is the backbone of successful phishing scams that dupe users into believing they are acting on a legitimate email from a service provider.

