Criminals are banking on the post-Thanksgiving turkey-eating coma and the Black Friday shopping frenzy in the US to trick American internet users into clicking through to malware posing as a $50 iTunes gift certificate.
(Black Friday is the name given to the Friday after US Thanksgiving, when frenzied seasonal shopping typically starts.)
The research team from German email security provider eleven wrote on Monday about a wave of emails allegedly containing vouchers to the iTunes Store.
The spoofed email is purportedly from the iTunes Store, the subject line reads “iTunes Gift Certificate”, and the message includes an attachment that supposedly contains a certificate code.
The attachment is a ZIP file containing malware. (Sophos detects this file as Mal/BredoZp-B.)
As the holidays ramp up, so do scams like this. It’s understandable that cash-strapped holiday shoppers might be click-happy enough to try to lighten their holiday with $50 worth of free music, video and games.
Avoiding click-candy like this phony iTunes certificate is one way to keep cyber-safe over the holidays.
Here are some other things to watch out for, adapted from a list posted by USA Today:
* Beware bogus forms. Beware emails and pop-up messages that ask you to type your account username and password, credit card number or personal information such as your Social Security number and date of birth. Legitimate organizations don’t solicit sensitive information via email.
* Don’t blindly believe urgent, personalized warnings. Phishers often claim that you need to take urgent action with official organisations such as the IRS (taxation), Social Security or the Department of Motor Vehicles.
* Don’t fall for that cute-baby photo. Even if you recognise the sender’s name, don’t open attachments. Distrust all email until and unless you’ve verified that the sender actually intended you to get the message and can vouch for its content.
Happy Thanksgiving, stay safe, and may your holiday shopping sprees be festooned with real coupons and real deals, not stinkers like this iTunes bait.
One comment on “Fake iTunes gift certificate delivers a load of malware for Black Friday shoppers”
It would be helpful, in cases like this, to indicate what manual steps are required for the malware to infect the computer. For instance, is it necessary to:
* open the zip file attachment?
* open the executable program within the zip file?
* provide a password when prompted?