Anatomy of an iTunes phish - tips to avoid getting caught out

Filed Under: Apple, Featured, Phishing

Do you know how to ride a bicycle?

It's easy, isn't it?

But do you remember how hard it turned out to be when you first tried?

Who would have thought?

We often forget that many things are "obvious" only with experience, meaning, in fact, that they're not really obvious at all.

That's why we do phishing walkthroughs fairly regularly on Naked Security.

The idea is to step you through a typical email phish, pointing out the telltale warning signs in the original email and the web pages that follow, so you know what to look for in future.

So, even if you'd back yourself to spot a phish every time, here's a step-by-step account that might help to save your friends and family in the future.

An iTunes phish

This phish arrived as a spam email claiming to be from Apple.

The App Store and iTunes boast tens of billions of music and app downloads between them, so the Apple brand is popular with scammers.

At the end of 2011, we investigated nearly 15,000 typosquats (deliberately misspelled domain names) for six brands. 86% of all possible one-character errors in typing apple.com had been registered, predominantly for disreputable purposes, the highest figure of the six.

Ripping off Apple's brand as a call-to-action in spam is hardly surprising: there's a good chance that any randomly chosen spam recipient will have dealt with Apple online before.
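To make the "all possible one-character errors" figure concrete, here is a small enumerator of the sort a brand-protection team uses to decide which look-alike domains to register or watch. It is an added illustration, not code from the original article or from SophosLabs, and it assumes the conventional four typo classes (one character dropped, substituted, inserted, or two neighbours swapped) over the characters a DNS label may contain.

```python
import string

# Characters allowed in a DNS label (lowercase letters, digits, hyphen).
DOMAIN_CHARS = string.ascii_lowercase + string.digits + "-"


def is_valid_label(label):
    """A label may not be empty, may not start or end with a hyphen,
    and may only use the characters above."""
    return (
        0 < len(label) <= 63
        and not label.startswith("-")
        and not label.endswith("-")
        and all(c in DOMAIN_CHARS for c in label)
    )


def one_char_variants(label):
    """Every string one typing error away from `label`: one character
    dropped, one substituted, one inserted, or two neighbours swapped."""
    label = label.lower()
    n = len(label)
    variants = set()
    for i in range(n):                       # deletion
        variants.add(label[:i] + label[i + 1:])
    for i in range(n):                       # substitution
        for c in DOMAIN_CHARS:
            if c != label[i]:
                variants.add(label[:i] + c + label[i + 1:])
    for i in range(n + 1):                   # insertion
        for c in DOMAIN_CHARS:
            variants.add(label[:i] + c + label[i:])
    for i in range(n - 1):                   # adjacent transposition
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    variants.discard(label)                  # swapping the "pp" in apple gives apple again
    return {v for v in variants if is_valid_label(v)}


def typosquat_candidates(domain):
    """Variants of the first label of `domain` with the rest kept fixed,
    e.g. 'apple.com' -> {'aple.com', 'appel.com', 'qpple.com', ...}."""
    label, _, rest = domain.lower().partition(".")
    return {f"{v}.{rest}" for v in one_char_variants(label)}


if __name__ == "__main__":
    candidates = typosquat_candidates("apple.com")
    print(len(candidates), "one-character variants of apple.com, for example:")
    print(sorted(candidates)[:10])
```

For apple.com the enumerator produces 400 candidate names, which gives a feel for what "86% of all possible one-character errors" means in practice: several hundred registrations for one brand. Insertions dominate the count because there are six positions and 37 possible characters, so a defender cannot realistically register them all and has to monitor new registrations instead.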

In this case, the scammers are trying to trick you into suspecting that someone else has been paying for downloads using your account.

You will see red flags in the images below, annotated with numbers to denote:

  1. Bad links. Unlikely domain names, no security (missing HTTPS), or both.
  2. Unlikely or erroneous content. Spelling mistakes and inconsistencies.
  3. Items that shouldn't be there. Spurious information requested or displayed.

They're hoping you'll click on the Transaction Details Here link as a first step to finding out what's going on:

The red flags in this email are:

  • Hovering over the link reveals a URL that is clearly unrelated to Apple. We have redacted it here, but it is a URL on a legitimate website that seems to have been hacked.
  • The From and Reply-To addresses are unrelated to Apple and unlikely for any official email. (But be careful: the text that is displayed as the sender's address is part of the email itself, so a careful crook can make it look as legitimate as he wants.)
  • It's not the AppStore, it's the App Store.
  • Apple can verify your password, but not recover it. The company never stores your raw password, so it can't send it to you, and would never imply that it could.
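The same four checks can be automated for a mailbox or a mail gateway. The script below is an added example (not code from the original article) that parses a raw message, compares the real From and Reply-To domains with the brand the message claims to be from, checks every link's scheme and host against that brand, and looks for the two content giveaways above. The two sample messages are constructed for the example and use reserved `.invalid` and `.example` names; `BRAND` is an assumed parameter.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "apple.com"   # the domain the email claims to come from

# Constructed sample modelled on the red flags above (not the real message).
RAW_PHISH = b"""\
From: "Apple Support" <billing@notify-example.invalid>
Reply-To: verify@mail-example.invalid
To: customer@example.com
Subject: Your AppStore receipt
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Thank you for your recent purchase from the AppStore.</p>
<p><a href="http://perfume-shop.example/wp-content/cache/apple/">Transaction Details Here</a></p>
<p>If you have forgotten your password we can send it to you.</p>
</body></html>
"""

# Constructed control message with none of the red flags.
RAW_CLEAN = b"""\
From: "Apple" <noreply@apple.com>
To: customer@example.com
Subject: Your App Store receipt
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Thank you for your purchase from the App Store.</p>
<p><a href="https://www.apple.com/">Review your purchase history</a></p>
</body></html>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def is_brand_host(host, brand=BRAND):
    """True for the brand's domain or any subdomain of it (and nothing else)."""
    host = (host or "").lower()
    return host == brand or host.endswith("." + brand)


def address_host(header_value):
    """Domain of the actual address in a From/Reply-To header. The display
    name in front of it is written by the sender and proves nothing."""
    _display_name, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def email_red_flags(raw_bytes, brand=BRAND):
    """Return (category, detail) pairs using the article's numbering:
    1 = bad links/senders, 2 = unlikely content, 3 = items that shouldn't be there."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flags = []
    for header in ("From", "Reply-To"):
        host = address_host(msg[header])
        if host and not is_brand_host(host, brand):
            flags.append(("1-bad-sender", f"{header} address is at {host}, not {brand}"))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for href, anchor in LINK_RE.findall(text):
        url = urlparse(href)
        if url.scheme != "https":
            flags.append(("1-bad-link", f"link '{anchor.strip()}' is not HTTPS: {href}"))
        if not is_brand_host(url.hostname, brand):
            flags.append(("1-bad-link", f"link '{anchor.strip()}' points at {url.hostname}"))
    if re.search(r"\bAppStore\b", text):
        flags.append(("2-content", "'AppStore' written as one word; Apple writes 'App Store'"))
    if re.search(r"password.{0,60}\b(send|resend|recover|retrieve)", text, re.I | re.S):
        flags.append(("2-content", "claims the company can send or recover your password"))
    return flags


if __name__ == "__main__":
    for category, detail in email_red_flags(RAW_PHISH):
        print(category, "-", detail)
```

Note that the host check deliberately tests for the brand domain or a subdomain of it, so `apple.com.something.example` is rejected: a crook can put any brand name into the left-hand part of a hostname, just as they can put any display name in front of the sender's address.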

The fake Apple Store

If you do click to see the claimed transaction details, the link directs your browser to a boutique website that sells perfumes and fragrances.

It's a legitimate business that was almost certainly running an insecure version of WordPress.

That allowed the crooks to implant their own content, and gave them a window of opportunity to use an otherwise-reputable domain name to serve their criminal purposes.

This hacked WordPress site then silently redirects your browser to the phishing site proper, bringing up a page with visual material ripped off from Apple, giving it a familiar and believable visual appearance:

Nevertheless, as in the email, there are red flags in all three of our categories:

  • A non-Apple URL that is requesting confidential information on an insecure (non-HTTPS) page.
  • Inconsistencies in visual appearance, probably due to sloppy copy-and-pasting by the crooks. For example, the heading "Purchase Confirmation" doesn't describe the rest of the page, and [Cancel transaction] is described as the "Confirm button."
  • Questions you would never usually be asked, even in a genuine payment transaction, such as credit limit, mother's maiden name, and so forth.
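The first and third of those red flags lend themselves to a simple check on a captured phishing page: where is the form hosted, is it HTTPS, and does it ask for things no payment form needs? This is an added example, not part of the original article, and the form below is a constructed stand-in for the screenshot (the article does not reproduce the page's HTML); the server address is a documentation-range IP and `NEVER_ASK` is an assumed list of field-name patterns.

```python
import re
from urllib.parse import urlparse

BRAND = "apple.com"

# The article's category 3: data no genuine payment page has any reason to ask for,
# matched against the form's input names (assumed patterns, extend as needed).
NEVER_ASK = {
    "mother's maiden name": r"maiden",
    "credit limit": r"limit",
    "card PIN": r"(^|_)pin($|_)",
    "SecureCode / Verified by Visa password": r"secure.?code|3.?d.?secure|vbv",
    "date of birth": r"(^|_)(dob|birth)",
    "account password": r"passw",
}

INPUT_NAME_RE = re.compile(r'<input\b[^>]*?\bname="([^"]+)"', re.I)

# Constructed stand-in for the phishing form (not the real page).
PHISH_URL = "http://203.0.113.7/apple/itunes/verify.php"
PHISH_FORM = """
<h1>Purchase Confirmation</h1>
<form method="post" action="verify.php">
  <input name="cardnumber"><input name="expiry"><input name="cvv">
  <input name="credit_limit">
  <input name="mothers_maiden_name">
  <input name="securecode">
  <button>Cancel transaction</button>
</form>
"""

# Constructed control: the same basic card fields on the brand's own HTTPS site.
CLEAN_URL = "https://www.apple.com/"   # hypothetical location, used only for the host check
CLEAN_FORM = """
<form method="post" action="/pay">
  <input name="cardnumber"><input name="expiry"><input name="cvv">
  <input name="name"><input name="billing_postcode">
</form>
"""


def is_brand_host(host, brand=BRAND):
    """True for the brand's domain or any subdomain of it."""
    host = (host or "").lower()
    return host == brand or host.endswith("." + brand)


def page_red_flags(url, html, brand=BRAND):
    """(category, detail) pairs: 1 = bad URL, 3 = items that shouldn't be there."""
    flags = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        flags.append(("1-bad-url", f"card details requested over {parsed.scheme}, not HTTPS"))
    if not is_brand_host(parsed.hostname, brand):
        flags.append(("1-bad-url", f"page is served from {parsed.hostname}, not {brand}"))
    names = [n.lower() for n in INPUT_NAME_RE.findall(html)]
    for label, pattern in NEVER_ASK.items():
        hits = [n for n in names if re.search(pattern, n)]
        if hits:
            flags.append(("3-should-not-be-there",
                          f"{label} requested via field(s): {', '.join(hits)}"))
    return flags


if __name__ == "__main__":
    for category, detail in page_red_flags(PHISH_URL, PHISH_FORM):
        print(category, "-", detail)
```

An empty result from this check is not a clean bill of health: it only catches the mistakes a sloppy crook makes, and a careful one will avoid them. The category 2 inconsistencies (a "Purchase Confirmation" heading on a page that confirms nothing, a [Cancel transaction] button described as "Confirm") still need a human eye.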

By the way, be cautious of what you infer from mistakes in a web page.

Obviously, if there are mistakes, they are a negative indicator, and you should assume you are dealing with a phish.

On the other hand, the absence of mistakes is not a positive indicator: it might tell you nothing more than that you are dealing with careful crooks.

The fake "SecureCode" screen

If you get this far, the crooks have already stolen a lot of Personally Identifiable Information (PII) from you.

The next step tries to trick you into "verifying" your identity by giving away your VISA or MasterCard SecureCode.

SecureCode is a secondary authentication system used in many transactions that requires you to verify yourself to your payment card provider in a separate step from providing your card details to the retailer.

The idea is that you present a password directly to VISA or MasterCard, not to the merchant, for an extra layer of validation.

The bogus SecureCode page looks like this:

Everything is wrong here, because a SecureCode verification isn't a secondary step requested by the merchant as a precursor to the transaction.

It's a separate step initiated by the payment card company once the merchant has gone ahead with the payment processing:

In this case, of course, you shouldn't see a SecureCode validation page, because there is no payment involved.

Remember that you're supposed to be challenging a transaction that has already been processed.

The reassurance page

You're in trouble now, because the crooks have your card details, plus your SecureCode password, plus enough information (at least with the less cautious sort of financial institution) to give them a good shot at phoning up and convincing your bank that they are you.

If they can do that, they may be able to redirect your statements, change the phone number you use for notifications and two-factor authentication, and even lock you out of your own account.

Any of these things would make it slower for you to spot that there was a problem, make it harder to report and fix the problem when you realised, and give the crooks more time to plunder your account.

So they enter the last phase of the phish, meant to reassure you that things have gone your way, not theirs:

This page is really just a bit of visual theatrics, but nevertheless you would expect it to have an Apple-based URL and to use HTTPS.

The final reassurance is that you are redirected to the real Apple Store, by way of avoiding an abrupt ending to the "transaction":

Ironically, even if you haven't been suspicious so far, this last step ought to set off warning bells, simply for what it is, rather than what it isn't.

Suddenly, and for the first time, you're on a URL that looks as though it really belongs to Apple and uses HTTPS.

Also, the site has some small but obvious visual differences from what you've been seeing all along.

So the last page might very well be what you need to throw the bogosity of the previous pages into stark relief.

If that happens, act at once: you still have a chance to beat the crooks, especially if they were intending to sell your credentials on to someone else, rather than to start bleeding you themselves.

Call your card issuer, and use the number printed on the back of your card to make sure you don't get tricked again!

Free Sophos UTM Home Edition

Want to block phishing emails and links for your friends and family on your home network?

If you have a spare PC or laptop handy, why not try the Sophos UTM Home Edition?

You get all the features of our commercial product, including not just web and email filtering, but also a network intrusion detection system; full-blown VPN support; regular and frequent updates; and licences to install and manage Sophos Anti-Virus for Windows on up to 12 PCs.

All for $0.


Image of goldfish and net courtesy of Shutterstock.


9 Responses to Anatomy of an iTunes phish - tips to avoid getting caught out

  1. Calvin Jones · 64 days ago

    Wow really enjoyed reading this. Thanks

  2. Vito · 64 days ago

    Nice article.

    BTW, I invented the word "bogosity", although I'm sure others may have legitimate claims to independency. It's such a perfectly sensible word. ;)

    • Laurence Marks · 63 days ago

      The "Car Talk" radio program has used the word "bogosity" for over two decades, Vito.

      • Vito · 61 days ago

        I first used it in 1977, Laurence... and I didn't get it from "Car Talk" or anyone else. But as I said, I'm not claiming that others haven't used or originated it independently. It's such a cool word!

        • Paul Ducklin · 61 days ago

          Samuel Johnson would have used it, I reckon. If he didn't, he should have :-)

  3. drdinosaur · 63 days ago

    I find it really annoying when information is redacted by security companies.

    • Paul Ducklin · 63 days ago

      Why? What would you have done with that one URL out of the 10s of 1000s of newly-infected websites that SophosLabs comes across each day?

      In the bigger scheme of things, don't you think it's reasonable to cut the company concerned a bit of slack to fix their server than to name and shame them, and them alone of all the other sites that day that turned out to be as bad or worse from a security point of view? They are a victim of crime themselves, after all.

      Isn't it at least as likely that someone reading the unredacted URL might think, "Hey, a server that I can hack into" than that someone might be saved from a phish (one that we have explained how to spot in advance anyway)?

      Imagine that a TV company were making a film on petty urban crime, and were cruising through your neighbourhood looking for some good location shots. Now imagine that your house had just been burgled because you forgot to close a downstairs window, and the cops turned up to take fingerprints and statements, so the filming crew thought, "That would make good footage."

      Would you like them to put your name and address into the footage just to make it a bit more real?

      If there were an obvious benefit to our readers' security in naming and shaming here, we would have done so. In this case, I just don't see the point. Some people might consider it good from a journalistic point of view (adds some "actuality"), but that's not what this article is about.

      • Mang · 63 days ago

        And it has the added benefit of protecting the terminally curious!

  4. ceanna · 63 days ago

    However!! GENUINE APPLE messages may include inaccurate information which makes them appear to be spam or phish. :-(
    One genuine Apple message locates the city of Cork in Greece when in fact Cork is in Ireland. This mistake was confirmed by Apple on their support telephone service.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog