Naeem Sarfraz

Blogging about Enterprise Architecture, ALM, DevOps & happy times coding in .Net

Netflix Purchase from Apple Store Scam

Over the past couple of weeks a couple of family members have been caught out by a very good phishing email purporting to be from the Apple Store. Wikipedia describes phishing in the following terms.

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

Here is a copy of the email.

[Image "itunes": screenshot of the phishing email]

Illusion of Authenticity

You’ll have to admit the email looks like a good one, and to the untrained eye you could easily fall for it. The colours play on Apple’s use of grey tones, although the Apple logo is clearly missing. On receiving this email you’re immediately thinking: what purchase? Let me investigate.

All of the links except one point to the Apple website, again adding to the picture that this has come from a legitimate source. But if you’ve received this email out of the blue there’s only one thing you’re interested in, and that’s cancelling the subscription. Has someone purchased a subscription from my account without me knowing? Did I forget to cancel my renewal? There’s only one way to answer these questions: follow the Manage\Cancel Subscription link.

Spotting a Scam

Hovering over the Manage\Cancel Subscription link we see it points to http://www.beskidypark.com.pl/css/x/ (PLEASE do not enter your Apple ID if you follow this link), which is a domain registered in Poland. We know this because the domain ends with .com.pl, and a WHOIS search confirms it. Clearly not the Apple site. In fact, if you go to the root domain you’ll see it appears to be the website for a hotel in Poland, something a Google search also confirms.

So why is a Polish hotel aiding the scammers? They’re not. Their website is a WordPress site and it appears to have been hacked. Those who hacked the site have placed some code that redirects the visitor to a site designed to look like the Apple login page, but more on that later. Why would they do this? They’re piggybacking off a reputable website and know access to it will not be blocked.

An Apple Login

Following the hacked link takes you to this page.

[Image "Capture": screenshot of the fake Apple login page]

Again, it looks pretty convincing. Many of the links on the site point to real pages on the Apple website; however, the page does not belong to Apple, and here’s how you can tell.

  1. Take a good look at the URL. It may contain the word apple, but look for the root domain name, which should be apple.com. In this case it’s id24supprt.com.
  2. Look for the padlock. The real Apple login page uses SSL, which ensures that your username and password remain encrypted, and therefore private, while they are passed to Apple. In Google Chrome look out for the green padlock as shown below. [Image "Capture2": green padlock in Chrome’s address bar]
  3. A spelling mistake. Everyone can make spelling mistakes and this is no sure way of spotting a scam, but I noticed the password field was spelt incorrectly: Passwort, ending with a t instead of a d.
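The hover-over check from the Spotting a Scam section and the root-domain and padlock checks in the list above can be automated over the email’s HTML. The script below is an added example written for this post, not the author’s code: it pulls every link out of a constructed copy of the email, reduces each host to its registrable ("root") domain, and flags any link whose root domain is not apple.com or which is not served over https. The sample HTML is constructed; the only real host in it is the hacked Polish hotel URL named in the post. The public-suffix handling is a hand-written subset standing in for the real Public Suffix List (assumption: enough for this demo; a production tool would use a library such as tldextract).

```python
"""Flag links in a phishing email whose registrable domain is not the brand's.

Added example for this post, not the author's code. The email HTML below is
constructed for illustration. The public-suffix handling is a small
hand-written subset, not the real Public Suffix List.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email where every link but one points at apple.com.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your receipt from the Apple Store.</p>
<a href="https://www.apple.com/itunes/">iTunes</a>
<a href="https://support.apple.com/">Support</a>
<a href="http://www.beskidypark.com.pl/css/x/">Manage\\Cancel Subscription</a>
<a href="https://www.apple.com/legal/">Terms</a>
</body></html>
"""

# Assumption: a tiny subset of multi-label public suffixes is enough for the demo.
MULTI_LABEL_SUFFIXES = {"com.pl", "co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the registrable ("root") domain of a host, e.g.
    'beskidypark.com.pl' for 'www.beskidypark.com.pl' or
    'id24supprt.com' for a host like 'appleid.id24supprt.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_links(html: str, brand_domain: str = "apple.com") -> list:
    """Return one dict per link with its host, root domain, scheme, and a
    'suspicious' flag set when the root domain is off-brand or the link is
    not served over https (no padlock)."""
    parser = LinkExtractor()
    parser.feed(html)
    report = []
    for text, href in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        root = registrable_domain(host) if host else ""
        is_https = parsed.scheme == "https"
        report.append({
            "text": text,
            "href": href,
            "host": host,
            "root_domain": root,
            "https": is_https,
            "suspicious": root != brand_domain or not is_https,
        })
    return report


def suspicious_links(html: str, brand_domain: str = "apple.com") -> list:
    """Only the links a reader should not click."""
    return [r for r in audit_links(html, brand_domain) if r["suspicious"]]


if __name__ == "__main__":
    for r in audit_links(SAMPLE_EMAIL_HTML):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['root_domain']:22} {r['text']!r} -> {r['href']}")
```

Run as a script it prints one line per link and marks only the Manage\Cancel Subscription link, because its root domain is beskidypark.com.pl and it is plain http. The same root-domain comparison is what a password manager performs before offering to fill a saved login, which is why one would stay silent on id24supprt.com.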

Once the victim has used their real Apple username and password the site asks them for their billing address, credit card details, account name + sort code and other personal information. Enough information now to impersonate them and attempt to make fraudulent transactions.

In this particular scam the family members logged in using their actual Apple username and password. With these details the scammers attempted to make a £1000 purchase at Debenhams, which the bank fortunately picked up, blocked, and notified the account holder about.

I’ve Fallen For This So What Can I Do?

  1. Change your Apple password immediately.
  2. If you’re using the same password on other websites go and change those passwords too.
  3. If you’re not using a password manager then consider doing so now. In this case it would not have filled out the login form, as the URL does not match the Apple website URL. 1Password is highly recommended.
  4. Inform your bank that you think your card details may have been obtained fraudulently. I would consider actually cancelling the card itself and getting a new one.
  5. Report the scam to the Police on the Action Fraud website. Action Fraud is the UK’s national reporting centre for fraud and cyber crime, where you should report fraud if you have been scammed, defrauded or experienced cyber crime.
  6. Report the phishing email to your email provider. For example here are instructions from Gmail on how to do that.

One final piece of advice, just remember that looks can be deceiving.