MobileMe users hit by phishing scam

[AppleInsider]

A scammer is targeting MobileMe users with an email purporting to be from Apple. The email claims there are problems with the user's subscription renewal information, and directs them to a web site that asks them to reenter their credit card information.

The email (below) appears to come from no-reply@me.com, and looks fleetingly like something Apple might send, although the outdated graphics come from .Mac marketing materials.

Rather than directing users to login to their actual account at me.com and enter the SSL-protected accounts detail area, the phishing email links to a fraud site at http://natwestbgroups.com/www.apple.com/update.html.

That domain name was registered just three weeks ago from Name.com, a registrar in Hong Kong to "Pak Groups." The DNS registration for the domain points to Madih-ullah Riaz in Karachi, Pakistan, and cites a phone number and Microsoft Live Hotmail address.



Following the link takes users to a site that resembles Apple's site (below), in part because it directly uses Apple's graphics, JavaScripts, and CSS stylesheets to draw the page. The fake site also cites Apple's real customer service phone number and links to other legitimate pages.



However, clicking on 'continue' draws a dysfunctional verification page (below) and forwards any entered information to the scammer, identified as "Jude" by the webhost. The actual domain hosting the fraud site was laid out using Microsoft's FrontPage entry level web editing tool.



Users should always pay special attention to the URL specified by any hyperlinks in emails they receive. The best way to avoid being scammed is to manually type in the URL of the site you wish to visit, as it is possible to spoof URL listings in the browser just like the fake "from" address in the email above. Hovering over the email link in Mail would reveal that it does not link to Apple.com, but rather a fraudulent website (below).

[ View this article at AppleInsider.com ]

[joelesler]

Already been done, blogged, and resolved with Apple. This is just an update to the same old email.

http://blog.joelesler.net/2008/07/ma...t-aint-so.html

[crees!]

I posted some info with colorful language just for kicks.

[Prince]

Quote:

Originally Posted by joelesler

Already been done, blogged, and resolved with Apple. This is just an update to the same old email.

http://blog.joelesler.net/2008/07/ma...t-aint-so.html

Yes, this is a new attempt with different text. Did your report note the source of the scam, and was it the same? Also, how do you figure this has been "resolved with Apple," considering that anyone receiving the email could fall for it without any intervention possible by Apple?

[bryand]

Quote:

Originally Posted by Prince

Yes, this is a new attempt with different text. Did your report note the source of the scam, and was it the same? Also, how do you figure this has been "resolved with Apple," considering that anyone receiving the email could fall for it without any intervention possible by Apple?

Having learned of this attack, it should be quite easy for Apple to simply filter out the email from any mobile me accounts to ensure that it isn't delivered to anyone else.

[fuyutsuki]

Nat West is a large UK bank. Sounds like this guy had another target in mind when he registered that domain.

[bobertoq]

I wouldn't fall for that look at the URL. It's not Apple.com.

[Prince]

Quote:

Originally Posted by bryand

Having learned of this attack, it should be quite easy for Apple to simply filter out the email from any mobile me accounts to ensure that it isn't delivered to anyone else.

Some people wouldn't want Apple filtering their mail. Also, the mail is spoofed and appears to be coming from an exploited web server. This group can send out scam email from any number of sources, so you'd have to do pattern recog on the content of the email to actually stop it, and then they could change the content easily, just as spammers do.

The only current fix is informing users.

One interesting possibility in Google Chrome is the new malware/phishing API; it would allow Mail and Safari to plug into updates from Google and throw up dynamic warnings as new scams were discovered.

I don't really want Apple setting up filters that try to catch phish so I "don't have to," for the same reason I don't want Apple maintaining my entire spam filter. What about false positives?

"Solutions" to spam and phish are easy to think up but difficult to implement.

[bryand]

Quote:

Originally Posted by Prince

Some people wouldn't want Apple filtering their mail. Also, the mail is spoofed and appears to be coming from an exploited web server. This group can send out scam email from any number of sources, so you'd have to do pattern recog on the content of the email to actually stop it, and then they could change the content easily, just as spammers do.

The only current fix is informing users.

One interesting possibility in Google Chrome is the new malware/phishing API; it would allow Mail and Safari to plug into updates from Google and throw up dynamic warnings as new scams were discovered.

I don't really want Apple setting up filters that try to catch phish so I "don't have to," for the same reason I don't want Apple maintaining my entire spam filter. What about false positives?

"Solutions" to spam and phish are easy to think up but difficult to implement.

I wasn't suggesting a general phishing filter, but a specific filter to this specific email targeting mobile me users. Having been notified of a specific attack on their customers, it makes sense to filter this one particular email. I suppose if you want to receive phishing attacks, Apple could always notify you so you can opt out. I suppose the senders could change the email, but at least the initial attack would be stopped, and other attacks that are discovered could be stopped in like manner. That would be like a more narrowly targetted version of the malware/phishing api you are referring to in Chrome.

[VinitaBoy]

Who needs URL tracking? Look at the first sentence in the email: "Thank you for choosing Mobileme." The second "m" isn't capitalized! Why would anyone read any farther into the text with that sure-fire reveal?

Phishers aren't known for their good grammar, mechanics, and usage.

[solipsism]

Quote:

Originally Posted by VinitaBoy

Who needs URL tracking? Look at the first sentence in the email: "Thank you for choosing Mobileme." The second "m" isn't capitalized! Why would anyone read any farther into the text with that sure-fire reveal?

Phishers aren't known for their good grammar, mechanics, and usage.

We have Mac users on this forum with a technical background that spell things like MAC and i-Phone all the time. That spelling is the least of the evidence in the email.

I hope that Apple puts anti-phishing back into Safari. I know it was only beta, but it's one of the reasons I recommend FF to people on Macs who aren't very internet savvy. Some understand what a URL is pretty quickly, some don't. As stated, it doesn't replace knowledge, but it is extra protection and one that can help to educate the end user when they wonder why they have weird screen instead of the website they were expecting.

[paxman]

Quote:

Originally Posted by Prince

I don't really want Apple setting up filters that try to catch phish so I "don't have to," for the same reason I don't want Apple maintaining my entire spam filter. What about false positives?

"Solutions" to spam and phish are easy to think up but difficult to implement.

I am quite happy for Apple to filter my email. At the moment I have Mail pick up from gmail and I get virtually no spam. My Gmail spam folder is always full and I let it be. Occasionally I scan through just to keep an eye on it but I spend no more than a minute per week checking. I am not worried about false positives at all. Once in a blue moon I am alerted to something I haven't replied to. A couple of times I have found the missing email in the spam folder - problem solved.

This system is pain free and works for me personally and my business. If I loose the occasional sale it is easily made up for by the time I save not worrying. Because of good filtering spam is a non issue for me. Any request for anything including personal info from banks, eBay, isp's etc goes in the bin regardless. They have my phone number if they are serious.

[PeterJ72]

I thought MobileMe already filtered out junk email? I stopped receiving junk mail on my 'Mac account about 18 months ago. Funnily enough, when Apple were experiencing problems with the transition to MobileMe I started getting junk for a few days. Haven't received anything since.

[charlituna]

Quote:

Originally Posted by Prince

Yes, this is a new attempt with different text. Did your report note the source of the scam, and was it the same? Also, how do you figure this has been "resolved with Apple," considering that anyone receiving the email could fall for it without any intervention possible by Apple?

in truth about all they can do is warn users

"dear mobile me user

it has come to our attention that someone is sending out a fake email claiming to be from Apple and asking for personal financial information.

This email did NOT come from Apple. Any information provided on the pages linked in the email will not go to Apple but to a theft.

For your own safety, any time you receive an email from any company asking for any kind of personal information, especially financial, you should always go to the company's website by typing in the site address yourself (do not follow any links in the email), logging in and proceeding. This includes but is not limited to: Apple, your bank, your credit card companies, sites you shop such as Amazon.

if you have any questions, please contact Apple Support.

Thank you"

or something similar.

[winterspan]

I don't understand how people could be drawn into this. Disregarding the obviously invalid domain, I thought even novice users by know would be extremely skeptical of any email sent to them about needing "updated billing information" or whatever. They should always be taught to *NEVER* CLICK ON AN EMAIL LINK TO GO TO A COMMERCIAL WEBSITE! Always type in the web address!

[Messiah]

Quote:

Originally Posted by winterspan

I don't understand how people could be drawn into this. Disregarding the obviously invalid domain, I thought even novice users by know would be extremely skeptical of any email sent to them about needing "updated billing information" or whatever. They should always be taught to *NEVER* CLICK ON AN EMAIL LINK TO GO TO A COMMERCIAL WEBSITE! Always type in the web address!

I think it's perfectly understandable. The pages are drawn very well, using Apple's own graphics, typography and tone of voice. The brand proposition is spot-on.

But what I think is extremely clever, is that the scammers have picked a service from a vendor that has suffered a lot of reliability issues of late. The MobileMe fiasco has been well documented.

If I received an email from 'Apple', my initial thought wouldn't be 'is this really from Apple', but rather 'Apple's fcuked up my MobileMe account AGAIN'.

You wouldn't fall for a phishing email from your 'bank', but I think you could be forgiven for falling for an email from a 'service provider' that has suffered so many technical issues of late – and this is the true measure of just how badly the MobileMe fiasco has hurt Apple's brand. I suspect that those chickens are only now starting to come home to roost.

[Mr Underhill]

Quote:

Originally Posted by winterspan

I don't understand how people could be drawn into this. Disregarding the obviously invalid domain, I thought even novice users by know would be extremely skeptical of any email sent to them about needing "updated billing information" or whatever. They should always be taught to *NEVER* CLICK ON AN EMAIL LINK TO GO TO A COMMERCIAL WEBSITE! Always type in the web address!

Erm quite easy to get caught out as I should know. I got spanked back in 2001 by a fake Ebay page pointing to dodgy URL. The smart thing about it was the fake email arrived during a 2 hour period when a ton of items I was selling on Ebay where drawing last minute questions from potential buyers.

So if the timings right and your under pressure then it can be easy to catch anybody out. Embarrasing for me because I am an Internet markeing/development manager and should have known better

[Messiah]

Quote:

Originally Posted by Mr Underhill

Erm quite easy to get caught out as I should know. I got spanked back in 2001 by a fake Ebay page pointing to dodgy URL. The smart thing about it was the fake email arrived during a 2 hour period when a ton of items I was selling on Ebay where drawing last minute questions from potential buyers.

So if the timings right and your under pressure then it can be easy to catch anybody out. Embarrasing for me because I am an Internet markeing/development manager and should have known better

Exactly. People have a million and one things on their mind on a day-to-day basis, and when something as cleverly executed as this comes along, and it's contextually relevant, of course it's easy to be caught out.

I totally understand where you're coming from – every time I hear of a phishing scam, a part of me thinks 'damn, I would have fallen for that'.

Ebay sent me a similar email, and I said no, I wasn't going to update my details because there was no way that they could prove to me that 'they' weren't phishing me. They proved it by banning me from Ebay. Nice.

[bloggerblog]

maaan... I didn't get the email, I feel left out

[Stephenbw]

Quote:

Originally Posted by VinitaBoy

Who needs URL tracking? Look at the first sentence in the email: "Thank you for choosing Mobileme." The second "m" isn't capitalized! Why would anyone read any farther into the text with that sure-fire reveal?

Phishers aren't known for their good grammar, mechanics, and usage.

I agree, although poor spelling and grammar are, unfortunately, increasingly common in some legitimate emails and websites.

However, I am not aware of Apple making such mistakes, so the missing apostrophe and typo in the request for 'Mothers Maiden Nane' should ring alarm bells

[Cubert]

Quote:

Originally Posted by VinitaBoy

Who needs URL tracking? Look at the first sentence in the email: "Thank you for choosing Mobileme." The second "m" isn't capitalized! Why would anyone read any farther into the text with that sure-fire reveal?

Phishers aren't known for their good grammar, mechanics, and usage.

The "Get Started with .Mac Now" seems to be another obvious one.

[kresh]

Quote:

Originally Posted by joelesler

Already been done, blogged, and resolved with Apple. This is just an update to the same old email.

http://blog.joelesler.net/2008/07/ma...t-aint-so.html

How nice, but I don't read your blog and because of your arrogance I never will. So please stop spamming the forums with your blog and casting dispersions upon the articles posted for our enjoyment.

[Bishop of Southwark]

Quote:

Originally Posted by bobertoq

I wouldn't fall for that look at the URL. It's not Apple.com.

Sadly apple doesn't have a very good record when it comes to observing anti-fraud-educating URL practices.

They quite happily link people to URLs such as:

http://events.apple.com.edgesuite.ne...ent/index.html

(Linked from: http://www.apple.com/hotnews/article...wsf/index.html)



This practice does not educate consumers and there are plenty more examples of the like from them over recent years.

[kresh]

Quote:

Originally Posted by solipsism

We have Mac users on this forum with a technical background that spell things like MAC and i-Phone all the time. That spelling is the least of the evidence in the email.

I hope that Apple puts anti-phishing back into Safari. I know it was only beta, but it's one of the reasons I recommend FF to people on Macs who aren't very internet savvy. Some understand what a URL is pretty quickly, some don't. As stated, it doesn't replace knowledge, but it is extra protection and one that can help to educate the end user when they wonder why they have weird screen instead of the website they were expecting.

You will never be able to instill common sense through a technical solution. I mean how hard is it to realize that a company that you do business with will never contact you via email and try to update your banking information or any other personal information.

The best solution is to never give your personal info out when asked. Period. If someone emails you or even calls do not give anything out. Instead call the company using a telephone number that you know.

There is no browser that offers better security than a little common sense provides, including Chrome. If a user can't defend themselves from these feeble attempts to steal their money, then they really should not be doing business on the internet, they should go to a brick and mortar store where the cashier is keeping their credit card number :-)

Why should we have to wade through all the security pop-ups because some people have no common sense?

[brockway]

Why can't these scammers be tracked down and brought to justice? It's like there's a sniper out there and all we're told to do is to "put on a bullet-proof vest and be careful out there". If they are ultimately getting people's credit card info and using it, isn't there enough of a trail to reach the perpetrators of these crimes so that they can be dealt with as the criminals that they are? Getting tough with these phishers and scammers seems like it would go a long way in deterring others from following their same criminal behavior.

[internetworld7]

http://www.opendns.com is your best option if you use Safari as I do. You can say goodbye to these types of phishing attacks. If you use Firefox and OpenDns together then you will have two layers of anti-phishing protection.

Besides anti-phishing protection, your web surfing will be much faster and it's all free. 

[digitalclips]

Quote:

Originally Posted by bloggerblog

maaan... I didn't get the email, I feel left out

Nor me! This is discrimination!!

[digitalclips]

Quote:

Originally Posted by brockway

Why can't these scammers be tracked down and brought to justice? It's like there's a sniper out there and all we're told to do is to "put on a bullet-proof vest and be careful out there". If they are ultimately getting people's credit card info and using it, isn't there enough of a trail to reach the perpetrators of these crimes so that they can be dealt with as the criminals that they are? Getting tough with these phishers and scammers seems like it would go a long way in deterring others from following their same criminal behavior.

Off topic slightly but a good warning on related scam:
You'd think that was the answer wouldn't you! My wife and I have a couple of condos we rent out. One recently was rented by a guy in UK who came across the condo on a well known vacation rental web site as most of our bookings do. It wasn't until we got the e-mail explaining we would receive a check for more than he owed from a third party and asking us to 'wire using Western Union the extra to him did' we see it was a scammer. I called the FBI and a nice guy said there was nothing they could do till after we were scammed! The FBI guy told me that this scam goes on day in day out and work because the funds do show up in your bank after depositing the check due to the way banks work. Only after the suckers wire the excess do they learn the funds were not really in their account. He said there are insiders in Western Union and Banks in on these scams too. I was in disbelief of this until a friend here in Florida who runs a fishing boat charter admitted he was taken for $7,000 by this exact scam, again interestingly by a British based operation.

FBI told me: Never wire excess payments. Also do not even cash such a check and if you get such a check hold it and call FBI. Only accept the correct amount.

[solipsism]

Quote:

Originally Posted by kresh

Why should we have to wade through all the security pop-ups because some people have no common sense?

I don't expect the rest of the world to be as knowledgeable in the ways of the internet as we are on this forum. I know people whoa re new to computers and have spent so much of their lives without using the internet that their focus and concentration is all about grappling the little thing we take for granted. These people are not stupid in any way, just inexperienced. Should they not be allowed to use the internet until they've taken a gov't run course which gives them a license to ride the information highway? A part of me says that wouldn't be such a bad idea, but until then we have to realize that there are new people using the internet each day that don't know of the all plight Nigerian princes, would think fo Luke Skywalker if you said 'Star Wars kid',
couldn't tell you what Numa Numa is, and have never heard of phishing, much less how the computer in their home is gateway to losing any might they might have left.

Quote:

Originally Posted by digitalclips

Nor me! This is discrimination!!

Class action?

Quote:

Originally Posted by digitalclips

[...] It wasn't until we got the e-mail explaining we would receive a check for more than he owed from a third party and asking us to 'wire using Western Union the extra to him did' we see it was a scammer. [...]

A friend in Florida was scammed by someone in Florida using Western Union. There was absolutely nothing the police could do even within the same state.

Situation: Guy sees car engine on eBay for sale in Key West at a great price. A 'too good to be true' price. He contacts the seller. They talk about any forth on email. Then they move to using the phone. Friend wants to see the engine first and is willing to drive from Sarasota to Key West to see it. The seller says he is Miami right now and wants to make sure the buyer is on the up and up. In other words, has the funds available. The seller says he can use Western Union to send the money to himself, so it's under the buyer's name, not the sellers. So the seller can confirm the money is in this makeshift escrow account just email him the WU number that he got and he look verify it online. The seller was kind enough to only half of the $1,400 in 'escrow'.

Result: Within an hour the money was gone. It was pulled out of a WU kiosk by the seller. If the funds are under $1000 they don't require an ID. You can check a box for this that is hidden within the convoluted page you fill out, but it's not made obvious.

[auxio]

Quote:

Originally Posted by brockway

Why can't these scammers be tracked down and brought to justice

It's just slightly more complicated than that. First, how do you extradite or prosecute someone in Pakistan?

"The DNS registration for the domain points to Madih-ullah Riaz in Karachi, Pakistan"

Second, I'm guessing that either this guy's website was hacked and is being used by someone else for this purpose, or someone spoofed his name when registering that domain. The person behind a scam this elaborate isn't likely stupid enough to use a domain which leads directly back to them.

[Archipellago]

Interestingly, if the user was to click and be using IE7 or IE8 beta then more than likely the phish filter would have prevented any 'damage'

some phish attacks recently seem to have purposely attacked targets where a browser other than IE is likely to be used for this very reason.

oh and btw you would be amazed what some people will actually click on!

[Leithal]

And in other news.... <Any bank name here> users hit by phishing scam.

This happens a thousand times a day...

[Chris_CA]

Quote:

Originally Posted by bloggerblog

maaan... I didn't get the email, I feel left out

If it will make you feel better, you can send me your full name, date and place of birth, social security number, mother's maiden name, high school attended and 3-4 valid credit card numbers with the 3 digit security code.
I'll even sign you up for a free year of Mobile Me and as a Thank You, a brand new iPod touch delivered direct to your door!





(this is a joke peeps)

[Mr Underhill]

The rule of 1% applies here.

[Archipellago]

Quote:

Originally Posted by Mr Underhill

The rule of 1% applies here.

when it comes to Apple and iTunes in particular then not at all.

[charlituna]

Quote:

Originally Posted by Bishop of Southwark

Sadly apple doesn't have a very good record when it comes to observing anti-fraud-educating URL practices.

They quite happily link people to URLs such as:

http://events.apple.com.edgesuite.ne...ent/index.html

(Linked from: http://www.apple.com/hotnews/article...wsf/index.html)



This practice does not educate consumers and there are plenty more examples of the like from them over recent years.

yes but how many of them are like the one you posted and go to event pages and the like and now many go to pages that require you to input personal info.

[charlituna]

Quote:

Originally Posted by digitalclips

It wasn't until we got the e-mail explaining we would receive a check for more than he owed from a third party and asking us to 'wire using Western Union the extra to him did' we see it was a scammer.

forget a scam, my first thought was that it was someone trying to use you to clean some dirty money for them.

Quote:

I called the FBI and a nice guy said there was nothing they could do till after we were scammed

yep. outside of murder and a few other things, the law can't go in on the basis of 'they were trying to do something bad'. sucks but there you go.

I used to work for a retail bookstore and we had a run of attempts on a scam ourselves. it was really rather clever. we saw it from the first time and contacted all of the other chains to warn them (yes we were nice and helped out our competition). but we figure somewhere someone fell for it.

oh and then there's all those emails about being a political enemy and please help me hide my money. I have a friend that loves to get those and answers them. but takes the other side through hell in the process. it's funny

[charlituna]

Quote:

Originally Posted by kresh

Why should we have to wade through all the security pop-ups because some people have no common sense?

what we think of as common sense isn't always. and many browsers let you turn off those popups.

perhaps the answer to your question is to do something about instilling that common sense in folks.

that sweet little old lady next door got her first computer so she can talk to the grandkids across the country. why not go over one afternoon with a nice bundt cake and set her down for a little talk. or even offer to go talk to her bridge club. I'm sure that she'd be happy to have that nice young man -- remember him, he used to mow my grass for me when he was younger -- explain a few things about the internet and how to not get scammed by the not so nice young men.

I've done it several times. used to work with the local public library on meetings about identity protection, protecting kids on the internet etc.

[hezekiahb]

Quote:

Originally Posted by Stephenbw

I agree, although poor spelling and grammar are, unfortunately, increasingly common in some legitimate emails and websites.

However, I am not aware of Apple making such mistakes, so the missing apostrophe and typo in the request for 'Mothers Maiden Nane' should ring alarm bells

I have a set of rules I obey when dealing with the web to help protect myself.

1. Always have a throw away e-mail address to use for uncertain sites.
2. when asked to login & change account information for any web service always manually visit site & login, then navigate to accounts manually.
3. always double check links in an e-mail, you can put any text over the link you want.
4. Never trust personal information to social networking sites. You may be careful but your friends may not be.
5. Always be suspicious of "free". Nothing in life is free, there is a cost to be paid, though sometimes it's not you that pays it.
6. Learn how to use resources like truthorfiction.com or snopes.com
7. Keep a different password for social sites vs passwords used for more important things like banking.
8. Be paranoid about presentation quality, spammer e-mails are often ugly cause they're thrown together. Companies put a lot of money behind PR, they don't make mistakes often.
9. weigh your budget, it might be well worth it to pay for identity theft insurance.
10. USE A Mac! Vast majority of identity theft still occurs through malware, & all of that is for PC.

Probably could add a few but these 10 will eliminate almost all chance of being taken by these scams.

[imp]

Quote:

Originally Posted by auxio

It's just slightly more complicated than that. First, how do you extradite or prosecute someone in Pakistan?

"The DNS registration for the domain points to Madih-ullah Riaz in Karachi, Pakistan"

Second, I'm guessing that either this guy's website was hacked and is being used by someone else for this purpose, or someone spoofed his name when registering that domain. The person behind a scam this elaborate isn't likely stupid enough to use a domain which leads directly back to them.

A simple Google search shows that that Mr Riaz has been previously been involved in black hat password cracking, credit card scams and the like. The modus operandi seems to be identical, even if this time he's given the FBI an inside lead on him by failing to anonymise his registrar details.