A recent phishing scam targeting users of Apple Inc.’s .Mac and MobileMe online services has successfully duped hundreds into divulging credit card and other personal information, a security company said.
MobileMe is Apple’s subscription service that provides users with a personal e-mail address, Web hosting, file sharing capabilities, and online data synchronization between Macs, iPhones and other devices.
In phishing scams, crooks send a phony, official-looking e-mail that tries to entice recipients into revealing private information such as passwords, Social Security numbers, or credit card and banking account data.
This particular phishing campaign scammed between 100 and 200 people with mac.com addresses in just one day, according to Dan Clements, president of CardCops Inc., an identity protection service of Trumbull, Conn.-based Affinion Group Inc.
CardCops, which uses automated bots and human investigators to scour the Internet’s underbelly – the chat rooms, sites and message forums frequented by cyber-criminals – uncovered a stash of records on a server that hackers use to house stolen information.
“We found 20 different files parked on the server,” said Clements, “each file with two or three or four, up to 20, profiles.”
The records, or “full profiles” as Clements dubbed them, included full names, mailing addresses, credit card numbers, card security numbers, birth dates, mother’s maiden names, and e-mail addresses and passwords.
“Cumulatively, there were about 300 profiles collected in that one day,” Clements said. “And 100 to 200 were mac.com addresses.”
After some additional investigation – which included calling many of the victims to verify that they’d fallen for the ploy – CardCops pieced together the crime.
“We realized that it was a phishing attack, of course, but also that these phishers timed it with an Apple event.”
Clements referred to the recent migration Apple conducted for subscribers of its older .Mac online service to MobileMe, the successor that launched just over a month ago.
“It looks like that raised the conversion rate of their captures,” he added, explaining the phishers’ success rate in tricking people into giving up credit card and other confidential information.
Earlier this week, there was another phishing attack using messages masquerading as Apple’s to ask MobileMe users to re-enter their credit card information because of a billing problem.
The e-mail looked like an official communication from Apple regarding MobileMe.
The message was convincing. “Some users we talked to were very sophisticated. But they still fell for this attack,” said Clements.
The e-mail said: “We were unable to process your most recent payment. Did you recently change your bank, phone number or credit card?”
Users were then invited to click on a link to enter that information, but that link opened a Web page in their browser that did not appear to be affiliated with Apple or MobileMe. (The other links in the e-mail did point to pages on Apple’s official Web site.)
A check of the registration record for the link’s domain revealed that it was registered to a personal Gmail account originating in Bacau, Romania. It is unknown at this time whether this is the person who sent the e-mail or whether his identity had been “spoofed” by the phisher.
This phishing e-mail message tries to get personal information from Apple’s MobileMe users.
These aren’t the only instances where phishers have used an Apple-run service to try and dupe users.
In May, iTunes Store users began receiving e-mail that appeared to be from Apple’s iTunes Store, suggesting that they must correct an apparent credit card problem.
In that case, the link in the spam message led to a site posing as an iTunes billing update page; that phony page asked for information – including credit card number and security code, Social Security number and mother’s maiden name – that, once revealed, could easily have been exploited by malicious users to commit identity theft or other crimes.
Security industry insiders note that it’s only relatively recently that phishing scams have begun targeting Apple sites.
“We’ve gotten used to seeing the usual companies and brands attacked, [such as] PayPal, eBay and Citibank,” said Andrew Lochart, an executive with e-mail security vendor Proofpoint Inc. “But we’ve never seen Apple as the target.”
In a way, said Lochart, such phishing campaigns are almost a compliment to Apple. “It’s probably indicative the bad guys see Apple’s online presence as large enough to be a target. It’s part and parcel of the success that Apple has enjoyed lately.”
In the case of the iTunes attack, Lochart also speculated that the service’s perceived demographics may have played a role.
“I wonder if the bad guys are thinking that [iTunes users] are younger than those for some of the other phished sites, like banks and eBay,” said Lochart. “The way that teenagers and young adults use the Internet, they show a certain level of trust or openness when they post their name and age and school on MySpace.”
On one hand, Lochart added, young people who grew up with the Internet are considered technologically savvier than their elders. “But then you see the way they use something like MySpace in a way that’s considered risky behavior.”
Although the phoniness of the link to the bogus iTunes account page might be overlooked in the spam e-mail, the URL is clearly not part of the official iTunes domain. “They actually did a pretty poor job,” Lochart said of the phishers.
By contrast the most recent MobileMe/.Mac phishing e-mails appear to be more cleverly designed.
For instance, researchers at Trend Micro Inc. say the attack was slick. In a blog post Tuesday, Trend’s Jovi Umawing said the message “looks clean and sleek, the text courteous and professional, hardly the kind that instantly gives [it] away as a fake or scam.”
He also noted that some of the links in the bogus mail actually lead to legitimate Apple pages.
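The mixed-link pattern described above (decoy links to the real Apple site, one action link pointing elsewhere) is something a mail filter can check for mechanically. The following Python is an added example, not code from the article, CardCops or Trend Micro: it extracts every anchor from a message body and flags any whose host is not apple.com, mac.com or a subdomain of them. The sample body is constructed, and its non-Apple hostnames are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand domains treated as legitimate. apple.com and mac.com appear in the
# article; a real deployment would list every domain the brand actually uses.
TRUSTED_DOMAINS = ("apple.com", "mac.com")


def host_is_trusted(host):
    """True if host equals a trusted domain or is a subdomain of one.
    The leading dot in the suffix test rejects lookalikes such as
    notapple.com and apple.com.example.org."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body):
    """Return the links whose host lies outside TRUSTED_DOMAINS.
    One off-domain action link among several trusted ones is exactly the
    pattern the article describes, so even a single hit is worth a look."""
    parser = LinkCollector()
    parser.feed(html_body)
    return [
        {"href": href, "text": text, "host": urlparse(href).hostname or ""}
        for href, text in parser.links
        if not host_is_trusted(urlparse(href).hostname or "")
    ]


# Constructed sample modelled on the article's description, not the real message.
SAMPLE = """<p>We were unable to process your most recent payment.</p>
<p><a href="http://billing-update.example.net/me">Update your billing information</a></p>
<p><a href="http://www.apple.com/mobileme/">Learn more</a> |
<a href="http://www.apple.com/support/">Support</a> |
<a href="http://apple.com.example.org/">Account</a></p>"""
```

Running `suspicious_links(SAMPLE)` flags the billing link and the apple.com.example.org lookalike while leaving the two genuine apple.com links alone.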
Clements pinned some of the responsibility on users’ trust in Apple. “Absolutely the case,” he said when asked if Apple customers’ faith in the company was a factor in getting so many to divulge information.