Security – Matt Mullenweg, https://ma.tt (feed generated Sat, 14 Mar 2026 22:56:30 +0000)

Gone (Almost) Phishin’
https://ma.tt/2026/03/gone-almost-phishin/
Mon, 09 Mar 2026 15:11:29 +0000

This is a little embarrassing to share, but I’d rather someone else be able to spot a dangerous scam before they fall for it. So, here goes.

One evening last month, my Apple Watch, iPhone, and Mac all lit up with a message prompting me to reset my password. This came out of nowhere; I hadn’t done anything to elicit it. I even had Lockdown Mode running on all my devices. It didn’t matter. Someone was spamming Apple’s legitimate password reset flow against my account—a technique Krebs documented back in 2024. I dismissed the prompts, but the stage was set.

What made the attack impressive was the next move: The scammers actually contacted Apple Support themselves, pretending to be me, and opened a real case claiming I’d lost my phone and needed to update my number. That generated a real case ID, and triggered real Apple emails to my inbox, properly signed, from Apple’s actual servers. These were legitimate; no filter on earth could have caught them.

Then “Alexander from Apple Support” called. He was calm, knowledgeable, and careful. His first moves were solid security advice: check your account, verify nothing’s changed, consider updating your password. He was so good that I actually thanked him for being excellent at his job.

That, of course, was when he moved into the next phase of the attack.

He texted me a link to review and cancel the “pending request.” The site, audit-apple.com, was a pixel-perfect Apple replica, and displayed the exact case ID from the real emails I’d just received. There was even a fake chat transcript of the scammers’ actual conversation with Apple, presented back to me as evidence of the attack against my account. At the bottom of the page was a Sign in with Apple button that he told me to use.

I started poking at the page and noticed I could enter any case ID and get the same result. Nothing was being validated. It was all theater.

“This is really good,” I told Alexander. “This is obviously phishing. So tell me about the scam.”

Silence. *Click*.

Once I’d suspected what was happening, I’d started recording the call, so I was able to save a good chunk of it, which Jamie Marsland used to make a video about the encounter. You can hear for yourself exactly how convincing “Alexander” was.

So let my almost-disaster help you avoid your own. Remember these rules.

  • Don’t approve any password-reset prompts—those are the first part of the attack. Do not pass Go, just head directly to your Apple ID settings. 
  • Apple will never call you first. 
  • When you get an email from Apple—or, really, anyone telling you to complete a digital security measure—check the URL they’re trying to send you to. Apple Support lives on apple.com and getsupport.apple.com, nowhere else.
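The third rule is the one that can be checked mechanically, and it is also the one people get wrong in code. As an added example (not from the original post), here is a host check done the way a practitioner would want it: the URL is parsed, and the host name must be apple.com, getsupport.apple.com, or a label-aligned subdomain of apple.com. The contrast function shows the common mistake of looking for the string "apple.com" anywhere in the URL, which is exactly what a domain like audit-apple.com is designed to pass. All function names and sample URLs below are this example's own.

```python
from urllib.parse import urlsplit

# The only hosts the post says Apple Support uses. Subdomains of apple.com are
# accepted because "Apple Support lives on apple.com"; nothing else is.
TRUSTED_HOSTS = ("apple.com", "getsupport.apple.com")


def naive_check(url: str) -> bool:
    """The mistake: substring matching. 'audit-apple.com' and '?next=apple.com' both pass."""
    return "apple.com" in url.lower()


def host_is_trusted(url: str, trusted=TRUSTED_HOSTS) -> bool:
    """True only if the URL's host *is* a trusted host or a dot-aligned subdomain of one.

    urlsplit().hostname strips userinfo ('user@'), the port and upper case before
    the comparison; the suffix test then requires a '.' boundary in front of the
    trusted name, so 'audit-apple.com' and 'apple.com.example.net' both fail.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False                      # mailto:, javascript:, data: are never support pages
    host = (parts.hostname or "").rstrip(".")   # normalise a trailing dot
    if not host or not host.isascii():
        return False                      # IDN/homoglyph hosts: punycode-encode before trusting
    return any(host == t or host.endswith("." + t) for t in trusted)


def explain(url: str) -> str:
    """One-line verdict for a link received by text or email."""
    return f"{'TRUSTED' if host_is_trusted(url) else 'NOT APPLE'}: {url}"


if __name__ == "__main__":
    # Constructed sample links, including the audit-apple.com domain from the post.
    for u in (
        "https://getsupport.apple.com/case/1234",
        "https://audit-apple.com/review?case=1234",
        "https://apple.com.example.net/",
        "https://apple.com@example.net/",
        "javascript:alert(1)//apple.com",
    ):
        print(explain(u))
```

The userinfo case (apple.com@example.net) is the one most checks miss: the browser goes to example.net, and `urlsplit().hostname` reports that correctly, while a regex on the raw string sees "apple.com" first.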

After all, the best protection is knowing what this looks like before it happens.

Thank you to Peter Rubin and Jamie Marsland for putting this all together.

SecurityFocus SQL Injection Bogus
https://ma.tt/2008/04/securityfocus-sql-injection-bogus/
Mon, 14 Apr 2008 16:30:09 +0000

Since people are asking, this so-called alert on SecurityFocus appears to be completely false and contains no information that an attacker or the WordPress developers could use. It is completely content-free, except for the claim that every version of WP since 2.0 is vulnerable.

Online, apparently, it’s fine for someone to run into a crowded theatre and yell “fire,” and the less basis there is in fact, the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week, and a big part of what the WP security team does is sift through them to see what’s valid and what isn’t.

A valid security report looks like this; it usually includes sample code and a detailed description of the problem. The WP security team was notified of the KSES problem and it was fixed in 2.5. You can impress your friends by saying whether a security report is valid or not, so it’s a good critical faculty to pick up.

All that said, there is a wave of attacks going around targeting old WordPress blogs, particularly those on the 2.1 or 2.2 branch. They’re exploiting problems that have been fixed for a year or more. This typically manifests itself as hidden spam being put on your site, either in the posts or in a directory, and people notice when they get dropped from Google. (Google will drop your site if it contains links they consider spammy; you’ll remember this is one of the main reasons I came out against sponsored themes.) Google has some guidelines as well on what to do if your site is hacked. If I were to suggest WordPress-specific ones, I would say:

  1. Upgrade your blog to the latest WP. This shouldn’t be hard. There are plugins for it; if you’re techy, use Subversion; there is the standard FTP method; and finally Media Temple, Dreamhost, and Bluehost (through SimpleScripts) have all been pretty good about having their one-click upgrade systems ready with new versions within a day or two of a release. If your host is chronically behind, vote with your wallet and switch.
    • If you need someone to help you upgrade, consider hiring help on the wp-pro mailing list. (It has close to a thousand subscribers and consultants on it.) Or you could always ply a geeky friend with caffeine, libations, food, or gadgets. Just get them to set up a system like the above so you can do it yourself next time.
  2. Change your passwords, for yourself and any other users you have on the system. If the attacker grabbed your password when you were on an old version, they can still log in after you’ve upgraded if you don’t change it. There’s a new password strength meter in 2.5 that helps you pick a good password.
  3. Search through your posts for any that might have been modified (injected spam is usually hidden with CSS, so look at the post HTML rather than the rendered page), and comb through the directories on your web server looking for anything out of the ordinary: files changed after your last legitimate edit, or PHP files sitting where only uploaded media belongs. Your host may be able to help you with the latter.

If you’re on the latest version, you’ve changed all your passwords, and something still happens to your blog, don’t panic. It’s not your (or WP’s) fault; there is likely another, malicious account on the same server, and the server is set up in a way that lets your neighbors modify your files. The best thing to do here is to contact your host or sysadmin and have them check things out. They can look at the other accounts and the log files in a forensic fashion to identify the source.

I follow or am involved with many, many WordPress blogs – some that receive millions of pageviews a day and have pageranks of 8 or 9 and are huge targets all the way to small personal blogs. Those that have followed the two basic tenets — keep up with upgrades and use good passwords — have never had a problem. Those that fall behind upgrades, like Al Gore did, have.

If you’re tech-savvy, take a look through your blogroll and see if anyone is on an old version. If they are, consider contacting them to help out. Like a barn raising, if we all work together it’ll happen a lot faster.

I often hear reasons why people don’t want to upgrade; here are the most common, and my best responses:

  • I’m scared something will break, or I don’t know how. Ask a friend to help or hire a professional on the aforementioned wp-pro list. Long-term, try to use a plugin like WPAU or a host that will do upgrades.
  • One of my plugins doesn’t work with the new version. This is getting rarer as we have a very public testing cycle for plugin authors to try their stuff with the latest version, but still common. I would suggest checking for an upgrade to the plugin on the author’s site, contacting the author about the incompatibility you found, maybe even donate some money, or finally search for an alternative plugin that provides similar functionality but works with the latest and greatest version of WordPress. In the big picture, though, having a secure site is much more important than the functionality of a single plugin, so you should seriously consider turning off a plugin for a few days instead of putting off core upgrades.
  • I don’t like the new version, they moved my cheese. We believe every new release is better, but sometimes people just aren’t comfortable with a change, which is fine. The good news is that we constantly improve things based on feedback, including interfaces, and that more importantly for almost everything you can imagine annoying you there is a plugin that changes it. For example in 2.5 the page is fixed-width to allow for greater readability, but there’s a plugin to make it stretch to the full width of the window.
  • I modified core files, so upgrades are hard. You should never ever modify core files in WP. If you find you have to, file a ticket for a new hook or filter so your modifications can be a plugin — it makes things so much easier.
  • Upgrades are too frequent. If it takes you more than 5 minutes to upgrade your blog, you’re doing it wrong. Historically we do a major release about 3 times a year, and a minor release about once a month. Minor releases almost never break anything, so they are the easiest. (And often the most important.) WordPress is fast-evolving software, so this is a good problem to have.
  • I don’t know when there’s an upgrade. No excuses here. Since 2.3 we include a big honking notice at the top of your dashboard when there’s a new release available. It’s also worth subscribing to our dev blog, it’s not like it’s going to flood your RSS reader.

Of course the millions of blogs on WordPress.com never worry about any of this, nor do the folks on good hosts that have one-click upgrades. The WP community takes security very seriously and has always done its best to respond diligently to any known problems, but all that work is for naught if you don’t upgrade. Hosting an application yourself is a responsibility. In the future we’re hoping to make this whole thing easier, for example with built-in functionality like WPAU. Until that day though, I hope the above helps. Feel free to copy, republish, or steal this post in whole or part for whatever you like.

Airport Security Follies
https://ma.tt/2007/12/airport-security-follies/
Sun, 30 Dec 2007 02:09:08 +0000

The Airport Security Follies. “And rather than rethink our policies, the best we’ve come up with is a way to skirt them – for a fee, naturally – via schemes like Registered Traveler.”

Spammers Hack Blogs
https://ma.tt/2006/10/spammers-hack-blogs/
Wed, 18 Oct 2006 23:59:26 +0000

Blog spammers have sunk to new lows.

[Screenshot: Nivi spam source] Nivi, a blog I’m subscribed to, was showing dozens and dozens of entries being updated even though there was no discernible difference. However, as I started looking closer, I noticed that if you view the source, for example on this post, there are a ton of spam links there. You can click the screenshot to the left.

The implications of this are disturbing. His blog was hacked (which isn’t unusual and could have been for a thousand reasons, like another account on his server being hacked, or an old version of phpBB or other software), but instead of doing anything obvious to disturb the content of the site they invisibly modified his posts using CSS-hidden text. He has probably had hundreds of posts modified. I can’t imagine cleaning it up will be pleasant.
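As an added example (not code from the original post, nor anything from Nivi’s site), here is a scanner for exactly this technique: it parses post HTML and reports every link that sits inside an element hidden by inline CSS (display:none, visibility:hidden, zero font size or box size, opacity 0, or pushed off-screen with a large negative offset), or carrying the HTML hidden attribute. It also covers the "search through your posts" half of step 3 in the 2008 checklist above. The sample post is constructed for the demo. Run it over exported post content, not the rendered page: the links are invisible in a browser by design, which is the whole point of the attack.

```python
import re
from html.parser import HTMLParser

# Elements that never have a closing tag, so they must not be pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "track", "wbr"}

# Inline-style patterns that make content invisible (assumption: a practical starter list).
HIDING_RULES = [
    (re.compile(r"display\s*:\s*none"), "display:none"),
    (re.compile(r"visibility\s*:\s*hidden"), "visibility:hidden"),
    (re.compile(r"font-size\s*:\s*0(?:px|pt|em|%)?(?![\d.])"), "font-size:0"),
    (re.compile(r"opacity\s*:\s*0(?:\.0+)?(?![\d.])"), "opacity:0"),
    (re.compile(r"(?:height|width)\s*:\s*0(?:px)?(?![\d.])"), "zero-size box"),
    (re.compile(r"(?:left|top|text-indent|margin-left|margin-top)\s*:\s*-\d{3,}"), "pushed off-screen"),
]


def hiding_reason(style):
    """Return why an inline style hides its element, or None if it does not."""
    style = (style or "").lower()
    for pattern, reason in HIDING_RULES:
        if pattern.search(style):
            return reason
    return None


class HiddenLinkFinder(HTMLParser):
    """Tracks open elements and records links that sit inside a hidden ancestor."""

    def __init__(self):
        super().__init__()
        self.stack = []           # (tag, hiding reason or None) for each open element
        self.hidden_links = []    # (href, anchor text, reason)
        self.visible_links = []   # (href, anchor text, None)
        self._current = None      # the <a> being read, as [href, text, reason]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        reason = hiding_reason(attrs.get("style"))
        if reason is None and "hidden" in attrs:
            reason = "hidden attribute"
        if tag not in VOID:
            self.stack.append((tag, reason))
        if tag == "a":
            inherited = next((r for _, r in reversed(self.stack) if r), None)
            self._current = [attrs.get("href", ""), "", inherited]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text, reason = self._current
            bucket = self.hidden_links if reason else self.visible_links
            bucket.append((href, text.strip(), reason))
            self._current = None
        # Pop back to the matching open tag; tolerates unclosed inline elements.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def scan_post(html: str):
    """Return (hidden_links, visible_links) for one post's HTML."""
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hidden_links, finder.visible_links


# Constructed sample: one legitimate post with two kinds of injected, invisible spam.
SAMPLE_POST = """
<p>Here is what I learned about <a href="http://example.com/ajax">AJAX</a> this week.</p>
<div style="display:none">
  <a href="http://pills.example/">cheap pills</a>
  <a href="http://casino.example/">online casino</a>
</div>
<p>More thoughts <span style="position:absolute; left:-9999px"><a href="http://loans.example/">payday loans</a></span> here.</p>
<p><a href="http://example.com/about" style="font-size: 0.9em">about</a></p>
"""

if __name__ == "__main__":
    hidden, visible = scan_post(SAMPLE_POST)
    for href, text, reason in hidden:
        print(f"HIDDEN ({reason}): {href} [{text}]")
    print(f"{len(visible)} visible link(s), {len(hidden)} hidden")
```

Style rules in a separate stylesheet or class names (`class="x"` with `.x{display:none}` in the theme) are not caught by this; a scan of the theme's CSS for such rules, plus a count of outbound links per post against the author's norm, closes that gap.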

AJAX and CSRF
https://ma.tt/2005/08/ajax-and-xss/
Sun, 28 Aug 2005 20:38:57 +0000

When working on some new AJAX features for bbPress and WordPress we’ve noticed that AJAX requests don’t seem to send HTTP_REFERER values. We check referrers as one level of protection against cross-site request forgery, or CSRF, so when they’re not set we aren’t able to use that value. How are most people using AJAX protecting against CSRF? It seems the same things we’re doing to make things easily accessible in a dynamic fashion are also opening new vectors for attack.
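The gap the post describes is the general weakness of referrer checking: the header can be absent for legitimate reasons (the early AJAX implementations mentioned here, privacy extensions, an HTTPS-to-HTTP transition) and an attacker’s page can also arrange for it to be absent, so a missing Referer can neither be trusted nor rejected. The standard answer is a per-user, per-action nonce that the site’s own pages embed and its scripts send back; a cross-site page can make the browser attach the cookie but cannot read the nonce. As an added example (not the post’s code and not WordPress’s own implementation, though WordPress adopted nonces of this shape soon after), the block below shows the referrer check returning "undecidable", an HMAC nonce tied to user and action with a rolling validity window, and a request handler that lets the nonce decide. The secret, the field name `_ajax_nonce`, the site host and the sample requests are all constructed for the demo.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit

NONCE_LIFE = 24 * 60 * 60   # a nonce stays valid for 12 to 24 hours (current tick plus previous)
SITE_HOST = "ma.tt"         # hypothetical site host for the referrer check


def referrer_is_same_site(headers: dict, site_host: str = SITE_HOST):
    """The check the post relies on. Returns None when the header is absent: the
    request cannot be judged either way, which is the gap AJAX requests fell into."""
    ref = headers.get("Referer")
    if not ref:
        return None
    host = (urlsplit(ref).hostname or "").lower()
    return host == site_host or host.endswith("." + site_host)


def _tick(now: float, life: int = NONCE_LIFE) -> int:
    # Half-life ticks: accepting the current and previous tick gives a 12-24h window.
    return int(now // (life / 2))


def create_nonce(secret: bytes, user_id: int, action: str, now=None) -> str:
    """HMAC over (tick, action, user): unguessable without the server secret, and
    bound to one user and one action, so it cannot be replayed elsewhere."""
    now = time.time() if now is None else now
    msg = f"{_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_nonce(secret: bytes, user_id: int, action: str, nonce, now=None) -> bool:
    """Accept the current tick and the previous one; compare in constant time."""
    if not isinstance(nonce, str) or not nonce.isascii():
        return False
    now = time.time() if now is None else now
    t = _tick(now)
    for tick in (t, t - 1):
        expected = hmac.new(secret, f"{tick}|{action}|{user_id}".encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, nonce):
            return True
    return False


def handle_ajax(form: dict, session_user: int, secret: bytes, now=None) -> str:
    """Server side of an AJAX action: the nonce decides, whatever the Referer says."""
    action = form.get("action", "")
    if not action:
        return "reject: no action"
    if not verify_nonce(secret, session_user, action, form.get("_ajax_nonce", ""), now):
        return "reject: missing or invalid nonce"
    return "ok"


if __name__ == "__main__":
    secret = b"constructed-demo-secret-not-for-real-use"
    now = time.time()
    nonce = create_nonce(secret, 7, "delete_post", now)   # embedded in the site's own page for user 7
    print(referrer_is_same_site({}))                       # None: an absent header proves nothing
    # 1. The site's own script sends the nonce back with the request.
    print(handle_ajax({"action": "delete_post", "_ajax_nonce": nonce}, 7, secret, now))
    # 2. A cross-site page gets the browser to send the session cookie, but cannot read the nonce.
    print(handle_ajax({"action": "delete_post"}, 7, secret, now))
    # 3. A nonce minted for one action or user is useless for another.
    print(handle_ajax({"action": "publish_post", "_ajax_nonce": nonce}, 7, secret, now))
    print(handle_ajax({"action": "delete_post", "_ajax_nonce": nonce}, 8, secret, now))
```

Keeping the referrer check as a second layer is fine as long as a missing header is treated as "unknown" rather than as a pass; the nonce is what actually stops a forged request.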
