According to a research from Symantec, the Kelihos botnet has started sending spam e-mails that claim to be security alerts from Apple, informing recipients that a purchase was made using their Apple ID from the iTunes Store.

The rogue e-mails bear the subject ‘Pending Authorization Notification’ and claim that the purchase was made from a computer or a device not previously linked to the user’s Apple ID. The emails list an Internet Protocol (IP) address from where the purchase was allegedly initiated.

The fake messages instruct users to click on a link if they didn’t initiate the purchase. The link leads to a phishing website that masquerades as the Apple ID log-in page and steals the credentials inputted by users.

The Kelihos botnet cyber-criminals are known for exploiting current events. In August 2014 they launched a spam campaign that encouraged Russian-speaking users to install a program on their computers so they can be used in distributed denial-of-service (DDoS) attacks against Western government websites in response to the recent international sanctions against Russia. The emails actually linked to a variant of the Kelihos malware, not a DDoS program.

To prevent unauthorized access to their accounts even when their user names and passwords are compromised, users are advised to turn on two-step authentication for their Apple ID accounts.