Yes, I got an iTunes gift card for Christmas – but HOW DID THE CROOKS KNOW THAT?

You are being doubly cautious about phishing campaigns over the holiday season, aren’t you?

Especially if you got a brand new iDevice for Christmas, and just set up an AppleID or an iTunes account to go with it.

Spammers and scammers don’t have to know anything about you to hit the bullseye in what might feel like a targeted attack.

Instead, they can just send millions, or even billions, of spams that play on the fears of, say, eBay sellers, or Gmail users, or iTunes customers.

By sheer chance, at least some of their recipients will recently have used their eBay, Gmail or iTunes account, or whatever.

A few of those may have just used that account for the very first time, or after a long absence.

That will make the sudden arrival of an apparently-relevant email seem that much more believable, and…

…if you’re not 100% sure that it’s a hoax, then what’s the harm in taking a look, just in case?

Your iTunes account has been frozen because we are unable to validate your account information.

Once you have updated your account records, we will try again to validate your information and your account suspension will be lifted. This will help protect your account in the future. This process does not take more than 5 minutes. To proceed to confirm your account details please click on the link below and follow the instructions.

Alert Naked Security reader @ohthisbloodypc sent in the email above, which he received after the post-Christmas weekend.

There must be plenty of people out there who haven’t used iTunes in a while, or even at all, but who received an Apple gift card over the holidays and decided it was worth taking a look around to see what to spend it on.

So the email above might seem surprisingly timely, even though it ought to be shouting the word, “Phish!”

→ Apple will not send you an email containing a login link, even (or perhaps especially) if there is a possible problem with your account. And even if Apple were to send you an email that contained links of some sort, albeit just marketing links, those links would not take you to a server with no obvious connection to Apple at all (see below).
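The rule above (links in a genuine message should land on the sender’s own domain) is easy to check mechanically before anyone clicks. Here is an added Python example, not code from the original article, that pulls every link out of a suspect HTML message and flags any whose real host is not under the claimed sender’s domain; the sample message and its hostnames are constructed for illustration and are not the actual phish.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the iTunes phish described above (not the real email).
# The anchor text says "apple.com", but the real hosts are a lookalike and a user@ trick.
SAMPLE_EMAIL = """
<p>Your iTunes account has been frozen because we are unable to validate
your account information.</p>
<p>To proceed please <a href="http://apple.com.account-check.example/itunes/validate">click here</a>.</p>
<p>Or sign in at <a href="https://apple.com@static-site.example/login">apple.com</a></p>
<p><a href="https://www.apple.com/legal/">Terms</a> | <a href="mailto:support@example.com">Contact</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects every href from <a> tags in an HTML message body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())

def host_of(url):
    """Host a browser would actually connect to, lower-cased. urlparse discards any
    'user@' prefix, so apple.com@evil.example resolves to evil.example."""
    return (urlparse(url).hostname or "").lower()

def is_under(host, domain):
    """True if host is the domain itself or a subdomain of it (not a lookalike)."""
    return host == domain or host.endswith("." + domain)

def suspicious_links(html, claimed_domains):
    """Return (href, host) pairs whose host is not under any claimed sender domain.
    Links with no host (mailto:, relative paths) are skipped, not flagged."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href in collector.hrefs:
        host = host_of(href)
        if host and not any(is_under(host, d) for d in claimed_domains):
            flagged.append((href, host))
    return flagged

if __name__ == "__main__":
    for href, host in suspicious_links(SAMPLE_EMAIL, ["apple.com"]):
        print(f"FLAGGED host={host} href={href}")
```

Run against the sample, only the two links that leave apple.com are flagged; the genuine www.apple.com link and the mailto: link pass.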

If you do click through (don’t try this at home, folks – we did so from the safety of a Lab environment), you get an outrageously extensive form that urges you to supply huge amounts of personally identifiable information (PII):

Incidentally, the “hosting service” for this phish was an unwitting business in Siem Reap, Cambodia:

Presumably, the company concerned set up a basic, static website and figured that was about the beginning and the end of its risk.

After all, with no active content, scripting or web forms to abuse, what possible danger could a few, hard-wired web pages pose to the internet as a whole?

But, as you can see, cybercrooks love ill-secured web servers.

After all, it doesn’t matter if you don’t have the right server-side software installed for the needs of modern-day cybercrime.

Once the crooks “own” your server, they’ll install it for you.

Or, more accurately, for themselves.

The bottom line

  • Think before you click. Dodgy emails often sound believable at first, either because the crooks know enough about you to refer to something you are interested in, or because they got lucky and mentioned something you are familiar with.
  • Don’t assume that crooks aren’t interested in you. You may have the smallest, simplest web server in the world, but if there’s a security hole, the crooks can use your domain, and your URLs, as a staging post for their cybercrimes.
  • Use two-factor authentication (2FA) if you can. Whether it’s for logging in to iTunes or for managing your web server, 2FA can help keep the crooks out. 2FA relies on one-time login codes, so the crooks can’t simply phish your password and use it over and over.

Learn more

Anatomy of an iTunes phish: Tips to avoid getting caught out.

Read why 2FA works: The power of two.

Read how to use 2FA: Understanding the options.

Enjoy our Sophos Techknow podcast: Two-factor Authentication.
