AppleInsider AppleInsider Forums


Old 02-26-2009, 08:09 AM   #1
AppleInsider
Kasper's Automated Slave
 
Join Date: Nov 1997
Posts: 6,151
New phishing scam targets MobileMe users

In another attempt to con MobileMe users into providing their credit card information, a scammer has sent out spam spoofed to appear to come from Apple, which directs users to a fake site designed to look like Apple's. Users who follow the email link and enter their information on the poorly formatted, fake Apple web page will be sorry.

The phony email

While sent with a spoofed sender address of noreply@me.com, the spam's headers indicate that it actually appears to originate from gamma.oxyhosts.com, a server operated by a web hosting outfit from the UK. The email contains formatting errors that should immediately tip off users, and directs to a sketchy URL: http.apple-billing.me.uk. The email's headers indicate it was sent using Outlook Express, but those are only visible when the user examines the phony email's raw headers.

Of course, Apple itself has also sent out official MobileMe notices containing the same formatting error (below). Apple also doesn't sign or encrypt its official emails to users, a step that might help in thwarting the regular phishing attempts that target MobileMe users. While Apple pioneered certificate based security in iChat messaging for its MobileMe users, it has been a laggard in making it easy for users to sign and encrypt their MobileMe email using certificates issued by Apple, despite support in Mail and most other modern email clients to handle this.



The significant difference between the real message from Apple and the phony spam is that Apple's official email cites the account's User Name and the ending digits of their credit card number, and directs the user to navigate to MobileMe themselves to correct their information within the online account section, rather than providing a link to follow. Doing so would result in the user initiating a MobileMe web session secured via SSL before they are ever prompted to enter their private account information.



The phony website

There is no SSL security on the fake site users are directed to by the spam (pictured below). The fraud site is hosted by me.uk, a domain not affiliated with Apple, but which might sound reasonably correct to many users. The domain appears to be registered to "Nike Jegart, co 9 Vista Estrella South, Lamy, NM 87540."

Were the site to attempt to initiate an SSL connection, the EV (Extended Validation) phishing filters in most modern browsers might flag the site as suspicious, but that type of safeguard does nothing when no SSL session is even attempted. The formatting of the phony Apple Store page does raise some obvious red flags, but users shouldn't expect spammers to continue to flub in their phishing efforts.



As with any unsolicited email-based requests for identity or billing information, users should be cautious and suspicious. Verify that the browser has initiated an SSL connection and that the URL appears correct (although it can be easy to spoof the URL itself so that it appears to be legitimate). The best practice is to navigate to the billing site yourself rather than following an email-supplied link, even if the email appears to be legitimate.

In related news, Apple this week announced a number of improvements to MobileMe's web applications, which were detailed on AppleInsider's backpage blogs on Wednesday.
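The article's raw-header observations (a From: line claiming noreply@me.com, an earliest Received: hop at gamma.oxyhosts.com, and an X-Mailer line naming a desktop client) are exactly the checks a mail filter can automate. The following is an added example written for this page, not code from AppleInsider or from Apple. It uses Python's standard email parser on two constructed header blocks: one modelled on the spam described above (the me.com sender and the oxyhosts host come from the article; the IP addresses, ISP names and recipient are invented) and one control message whose first hop sits inside the sender's own domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the spam the article describes. The sender
# address and originating host are the ones the article names; IPs are from
# documentation ranges and the other host names are invented.
SAMPLE_SPOOFED = """\
Received: from mail.isp.invalid (mail.isp.invalid [192.0.2.10])
\tby mx.recipient.invalid with ESMTP; Thu, 26 Feb 2009 08:00:00 -0500
Received: from gamma.oxyhosts.com (gamma.oxyhosts.com [198.51.100.7])
\tby mail.isp.invalid with SMTP; Thu, 26 Feb 2009 07:59:00 -0500
From: "MobileMe" <noreply@me.com>
To: user@recipient.invalid
Subject: Please update your billing information
X-Mailer: Microsoft Outlook Express
Content-Type: text/html

<html><body>Your MobileMe account needs attention.</body></html>
"""

# Constructed control message: the first hop is a host under the From: domain,
# as a genuine service notice would show, and there is no desktop X-Mailer.
SAMPLE_LEGIT = """\
Received: from smtp.me.com (smtp.me.com [192.0.2.20])
\tby mx.recipient.invalid with ESMTP; Thu, 26 Feb 2009 08:00:00 -0500
From: "MobileMe" <noreply@me.com>
To: user@recipient.invalid
Subject: Your MobileMe account

Please sign in to your account to review your billing details.
"""

# A Received: header begins "from <host> ..."; capture the host name.
RECEIVED_FROM = re.compile(r"^\s*from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def sender_domain(raw):
    """Domain of the address in the From: header (what the reader sees)."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def originating_host(raw):
    """Host named in the earliest Received: header.

    Each relay prepends its own Received: line, so the last one in the list
    is the hop where the message entered the mail system."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    match = RECEIVED_FROM.match(hops[-1])
    return match.group(1).lower() if match else None


def within_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyze_headers(raw):
    """Return human-readable findings; an empty list means nothing looked odd."""
    findings = []
    domain = sender_domain(raw)
    host = originating_host(raw)
    if host is None:
        findings.append("no Received: headers; cannot trace origin")
    elif not within_domain(host, domain):
        findings.append(f"first hop {host} is outside the From: domain {domain}")
    mailer = message_from_string(raw).get("X-Mailer", "")
    if "outlook express" in mailer.lower():
        findings.append(f"X-Mailer '{mailer}' is a desktop client, "
                        "not a bulk-notification system")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, analyze_headers(raw) or ["no findings"])
```

One caveat worth keeping in mind when turning this into a junk filter: the sender controls every Received: line below the one your own mail server added, so only the hops recorded by servers you trust are reliable evidence; the check above treats the whole chain as honest for illustration.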
Old 02-26-2009, 08:22 AM   #2
lilgto64
Registered User
 
Join Date: Apr 2005
Location: The Northcoast
Posts: 127
Almost fell for it...

I consider myself to be very computer savvy - I work on computers all day and advise others on computer related issues - and I almost fell for one of these scams related to PayPal. I had just placed an order using PayPal and I got an email along the line of this one asking for updated billing info - and I clicked the link and filled out the page and just as I was about to hit the send button I noticed the URL was some goofy thing like members.isp.com-someusername etc - and immediately closed the page - opened a new browser session and logged into my PayPal account - and checked that everything was correct. This was a couple years ago so the browsers were not as good at alerting you to this kind of problem - but as mentioned in the article if the site does not try to use SSL then the flags may not be raised. Another way to check on the authenticity of the email is to view the internet headers - sometimes they give away some info that might be hidden in the standard email. Of course that takes time - your advice to not use the email but rather to open a browser and put in the proper URL yourself is the best way to go.


Last edited by lilgto64; 02-26-2009 at 09:49 AM..
Old 02-26-2009, 08:47 AM   #3
schildkroeter
Registered User
 
Join Date: Sep 2005
Posts: 7
Well, anytime I see this kind of font, I immediately have a feeling in my gut that something is phony, especially when this is supposed to come from Apple.
I'm sorry for all those who fell for it.
The formatting error would've made even the official Apple email suspicious - if it had provided a link, I wouldn't have clicked it I think...

But yeah: give us a way to sign our mails! You are providing a certificate already for iChat, so why not use this too for email?
Old 02-26-2009, 08:52 AM   #4
digitalclips
Registered User
 
Join Date: Jun 2006
Location: South West Florida
Posts: 1,584
Comment out of date


Used all Apples from Apple][ through 8 Core Mac Pro
http://www.digitalclips.com


Last edited by digitalclips; 02-26-2009 at 09:55 AM..
Old 02-26-2009, 09:04 AM   #5
crees!
Registered User
 
Join Date: Jun 2003
Posts: 431
1Password

This is where 1Password comes in handy for those times you take your eye off the ball.
Old 02-26-2009, 09:08 AM   #6
digitalclips
Registered User
 
Join Date: Jun 2006
Location: South West Florida
Posts: 1,584
Quote:
Originally Posted by crees!
This is where 1Password comes in handy for those times you take your eye off the ball.
Thanks for the tip. I had never heard of this till Safari 4 came out and people said it broke it. I must look into it.


Used all Apples from Apple][ through 8 Core Mac Pro
http://www.digitalclips.com
Old 02-26-2009, 09:11 AM   #7
razorpit
Registered User
 
Join Date: Aug 2007
Posts: 192
What I don't understand is, how did they get the last 4 digits of people's credit cards, or are they the same on every e-mail?
Old 02-26-2009, 09:22 AM   #8
zeasar
Registered User
 
Join Date: Mar 2008
Posts: 47
Quote:
Originally Posted by razorpit
What I don't understand is, how did they get the last 4 digits of people's credit cards, or are they the same on every e-mail?
That email is the real deal from Apple, the others are fake.
Old 02-26-2009, 09:22 AM   #9
Lafe
Registered User
 
Join Date: Jul 2007
Posts: 222
Quote:
Originally Posted by razorpit
What I don't understand is, how did they get the last 4 digits of people's credit cards, or are they the same on every e-mail?
The scam email doesn't appear to have that on it. The example of the real email from Apple does show it.


Journalism is publishing what someone doesn't want us to know; the rest is propaganda.
-Horacio Verbitsky (el perro), journalist (b. 1942)
Old 02-26-2009, 09:32 AM   #10
ivan.rnn01
Registered User
 
Join Date: Dec 2008
Location: France
Posts: 983
guys....

You see minor errors in a non-English speaker's writing right away, so how come you send your credit card data on a request signed 'MobileMe' (Apple) yet lacking periods and spaces and mistaking letter case here and there?
Old 02-26-2009, 09:44 AM   #11
success
Registered User
 
Join Date: Nov 2006
Posts: 457
Quote:
Originally Posted by AppleInsider
Users who follow the email link and enter their information on the poorly formatted, fake Apple web page will be sorry.
Is that how the new disclaimers for everything will read now? "People who attempt these stunts will be sorry". "People who buy a Windows machine and expect too much from it will be sorry".
Old 02-26-2009, 09:45 AM   #12
lilgto64
Registered User
 
Join Date: Apr 2005
Location: The Northcoast
Posts: 127
oops

Quote:
Originally Posted by digitalclips
Just a friendly tip ... the etiquette police on this site will slam you for quoting the entire article especially as a self proclaimed computer expert, try Quick Reply next time ...
Sorry - it is rare that I am the first one to reply to an article - didn't realize I was getting the full quote - plus I'm on meds for a cold - so not quite clear headed today.
Old 02-26-2009, 09:56 AM   #13
digitalclips
Registered User
 
Join Date: Jun 2006
Location: South West Florida
Posts: 1,584
Quote:
Originally Posted by lilgto64
Sorry - it is rare that I am the first one to reply to an article - didn't realize I was getting the full quote - plus I'm on meds for a cold - so not quite clear headed today.
Been there done that lol
Hope you feel better soon.


Used all Apples from Apple][ through 8 Core Mac Pro
http://www.digitalclips.com
Old 02-26-2009, 10:05 AM   #14
mdriftmeyer
Registered User
 
Join Date: Nov 2004
Location: Northwest
Posts: 2,695
Attn: Admins

ADMINS: Can you please post grab images of the Raw Source in the email?

The Raw Source really shows the Mail headers and the actual fraud going on.

People have the power in their email client to create junk filters if they'd only look at the Raw Source header of the sender.
Old 02-26-2009, 10:30 AM   #15
bbwi
Registered User
 
Join Date: Nov 2007
Posts: 648
Well this clearly demonstrates that Apple isn't taking basic precautions to fight Spam. They should be using reverse DNS lookups, DomainKeys, and SPF
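To make concrete what an SPF check at the receiving mail server actually decides, here is an added example written for this page (not code from AppleInsider, Apple, or any SPF library). It evaluates the ip4, ip6, include and all mechanisms against an SPF record supplied from a constructed, in-memory stand-in for DNS; the record contents, the _spf.mailer.invalid include target and all IP ranges are invented for the example, and the a, mx, ptr and exists mechanisms, which need live DNS, are left out.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. The records are invented for the
# example and are not Apple's real SPF data.
FAKE_DNS = {
    "me.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.invalid -all",
    "_spf.mailer.invalid": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 ~all",
}

# SPF qualifier prefix -> result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate the SPF record for `domain` against the connecting IP.

    Returns one of pass / fail / softfail / neutral / none / permerror,
    following the mechanism order in the record; the first matching
    mechanism wins, and an unmatched record yields neutral."""
    if depth > 10:                       # include loop / excessive nesting
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only if the referenced record yields pass.
            if check_spf(sender_ip, arg, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, ptr, exists: need live DNS, not modelled in this example.
    return "neutral"


def spf_verdict(sender_ip, mail_from, dns=FAKE_DNS):
    """SPF is evaluated on the SMTP envelope sender (MAIL FROM), not on the
    From: header the recipient sees; extract the domain and check it."""
    domain = mail_from.rpartition("@")[2]
    return check_spf(sender_ip, domain, dns)


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.9", "2001:db8::1", "203.0.113.4"):
        print(ip, spf_verdict(ip, "noreply@me.com"))
```

Two points the example makes visible: SPF judges the envelope sender and the connecting IP, so a message whose return path is a throwaway domain can still carry a forged From: header unless the receiver also checks header alignment; and a `-all` record only helps when receivers actually enforce the fail result rather than merely scoring it.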
Old 02-26-2009, 10:55 AM   #16
carloblackmore
Registered User
 
Join Date: Apr 2007
Posts: 61
How do they know the renewal date?

My question is how would the scam email know the correct renewal date of the person receiving the email? Is it just a random date (which would be a huge clue that the email is fake); or did the spammer get access to that information somehow?


Last edited by carloblackmore; 02-26-2009 at 11:19 AM..
Old 02-26-2009, 11:26 AM   #17
HammerofTruth
Registered User
 
Join Date: Sep 2008
Posts: 35
The best way to avoid this

Is by not giving Apple your credit card for MobileMe. If you already have MobileMe, and want to renew it, buy it somewhere else cheaper and then use the code. My credit card they have on file expired and even though my email is the same as my Apple ID for iTunes which has an updated credit card, they don't share the info between the two, at least not in my account. Same goes for my Xbox Live account. Since you're not buying anything physical, it's cheaper and easier to buy it somewhere else and just use the code.
Old 02-26-2009, 11:46 AM   #18
ivan.rnn01
Registered User
 
Join Date: Dec 2008
Location: France
Posts: 983
Quote:
Originally Posted by carloblackmore
My question is how would the scam email know the correct renewal date of the person receiving the email? Is it just a random date (which would be a huge clue that the email is fake); or did the spammer get access to that information somehow?
Usually they don't. They may seize that date occasionally (the phisher is a buddy actually, or a buddy of a buddy, he chanced to listen to some talks about it, etc.). Their bet is rather that the email recipient doesn't remember the exact date. You can't expect more of people who don't care to write the email without errors...
Old 02-26-2009, 06:30 PM   #19
retroneo
Registered User
 
Join Date: Dec 2001
Posts: 205
Quote:
Originally Posted by bbwi
Well this clearly demonstrates that Apple isn't taking basic precautions to fight Spam. They should be using reverse DNS lookups, DomainKeys, and SPF
Well Safari 4 grabs this as a phishing site...



But I guess a few people have to get caught out before it gets blacklisted...
Old 02-27-2009, 05:50 AM   #20
skittlebrau79
Registered User
 
Join Date: Oct 2007
Posts: 53
Quote:
Originally Posted by retroneo
Well Safari 4 grabs this as a phishing site...



But I guess a few people have to get caught out before it gets blacklisted...
That's why blacklisting sucks for phishing. Phishing links can go live and then go down in a matter of hours. By the time a human looks at the fake URL, determines it is a real phishing site, updates the blacklist, pushes out the blacklist and the client downloads the blacklist, it can be more than an hour before a URL is blacklisted. PC Magazine tested Firefox 3's antiphishing (which uses the same Google blacklist as Safari) and it detected only 60% of the attacks.

Anti-spam programs have relied on heuristics for years, so nobody in their right mind would write an anti-spam program that used a blacklist. But anti-phishing still uses blacklists for the most part (not singling out Safari, the other browsers use it too).
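The heuristic approach contrasted with blacklists in the post above, and the URL advice in the article (check for SSL, distrust a brand name sitting in an unrelated domain such as the me.uk site), can be sketched as a small URL scorer. This is an added example written for this page, not code from Safari, Firefox, Google's Safe Browsing or AppleInsider. The brand allowlist and the short list of two-label public suffixes are constructed for the example (a real filter would load the full public suffix list), and the sample URLs are modelled on the ones described in the thread but are not the live addresses.

```python
import ipaddress
from urllib.parse import urlsplit

# Brands to protect, mapped to the registrable domains they legitimately use.
# Constructed allowlist for the example; a real deployment would be broader.
BRAND_DOMAINS = {
    "apple": {"apple.com", "me.com"},
    "paypal": {"paypal.com"},
}

# Two-label public suffixes the example recognises (small subset, constructed).
TWO_LABEL_SUFFIXES = {"co.uk", "me.uk", "org.uk", "com.au"}


def registrable_domain(host):
    """Collapse a host name to the domain someone actually registered, so that
    apple-billing.me.uk is judged as that domain and not as 'me.uk'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def url_findings(url):
    """Return a list of heuristic red flags for a URL; empty means none fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not https: a login form here would submit in the clear")
    if parts.username is not None:
        # "https://www.apple.com@evil.invalid/" shows apple.com but goes to evil.
        findings.append(f"userinfo '{parts.username}' before '@' hides the real host {host}")
    ip_host = is_ip_literal(host)
    if ip_host:
        findings.append(f"host is a bare IP address ({host})")
    domain = "" if ip_host else registrable_domain(host)
    # Look for a brand name anywhere in the authority or path.
    haystack = (parts.netloc + parts.path).lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in haystack and domain not in legit:
            findings.append(f"'{brand}' in URL but domain '{domain or host}' "
                            f"is not an official {brand} domain")
    return findings


def classify(url):
    return "suspicious" if url_findings(url) else "ok"


if __name__ == "__main__":
    samples = [
        "https://www.me.com/account/",                       # legitimate
        "http://apple-billing.me.uk/account",                # modelled on the article
        "https://www.apple.com@evil.invalid/",               # userinfo trick
        "https://members.isp.invalid/~someuser/paypal/update",  # modelled on post #2
    ]
    for url in samples:
        print(classify(url), url, url_findings(url))
```

Unlike a blacklist, this fires the moment a lookalike goes live, which is the gap the post above describes; the cost is false positives (any host or path containing a brand substring, "pineapple" included), which is why real filters combine heuristics with reputation data rather than replacing one with the other.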
Old 02-27-2009, 09:55 AM   #21
hezekiahb
Registered User
 
Join Date: Jan 2008
Posts: 330
Quote:
Originally Posted by razorpit
What I don't understand is, how did they get the last 4 digits of people's credit cards, or are they the same on every e-mail?
No, that was the official Apple e-mail. They were comparing what an actual e-mail from Apple would look like to the phony. Phony will never have your card info.
Old 02-27-2009, 10:45 AM   #22
mdriftmeyer
Registered User
 
Join Date: Nov 2004
Location: Northwest
Posts: 2,695
Quote:
Originally Posted by skittlebrau79
That's why blacklisting sucks for phishing. Phishing links can go live and then go down in a matter of hours. By the time a human looks at the fake URL, determines it is a real phishing site, updates the blacklist, pushes out the blacklist and the client downloads the blacklist, it can be more than an hour before a URL is blacklisted. PC Magazine tested Firefox 3's antiphishing (which uses the same Google blacklist as Safari) and it detected only 60% of the attacks.

Anti-spam programs have relied on heuristics for years, so nobody in their right mind would write an anti-spam program that used a blacklist. But anti-phishing still uses blacklists for the most part (not singling out Safari, the other browsers use it too).
Blacklisting includes your "client" listing. No matter who the hell changes that status, if you have blacklisted the site you should continue to see this as an unsafe site.
Old 02-27-2009, 08:46 PM   #23
charlituna
Registered User
 
Join Date: Jun 2008
Posts: 655
Quote:
Originally Posted by bbwi
Well this clearly demonstrates that Apple isn't taking basic precautions to fight Spam. They should be using reverse DNS lookups, DomainKeys, and SPF
Not that any of that would help, since it is super easy to put any return address you want in your emails. I could send one out right now that looks like it came from Steve Jobs, or even from Apple saying he's dead.

And it's pretty easy to fake the look of an Apple press release if I wanted to.

Which is what phishers are counting on. They make it look good and no one thinks twice. They whip out the credit cards and give up the info. Or at least they do if they don't stop to think about how they bought that new computer in October and bought MobileMe to go with it, so there's no way a year has been up.
Old 02-27-2009, 08:51 PM   #24
charlituna
Registered User
 
Join Date: Jun 2008
Posts: 655
Quote:
Originally Posted by HammerofTruth
Is by not giving Apple your credit card for MobileMe. If you already have MobileMe, and want to renew it, buy it somewhere else cheaper and then use the code. My credit card they have on file expired and even though my email is the same as my apple ID for iTunes which has
Where have you found it cheaper than $99 a year, outside of the discount at an Apple store when you are also buying a computer or an iPhone?

But you are correct that it is safer to go to a retail store where you can pay cash for a new code and add it to your account. Just like it is safer to go and buy an iTunes gift card and load up your account that way instead of using an on-file credit card (or you can do like a friend of mine and buy those prepaid CC gift cards).

Quote:
Originally Posted by retroneo
Well Safari 4 grabs this as a phishing site...
Which is great for those that have Safari 4, but keep in mind that that is likely a fraction of folks since most aren't so gutsy about grabbing a beta. And the folks that might fall for such a scam are definitely not the type to grab anything that doesn't pop up in Software Update (and as I understand it, S4 isn't going to be released until Snow Leopard hits the shelves or very shortly before).
Old 02-27-2009, 10:29 PM   #25
skittlebrau79
Registered User
 
Join Date: Oct 2007
Posts: 53
Quote:
Originally Posted by mdriftmeyer
Blacklisting includes your "client" listing. No matter who the hell changes that status, if you have blacklisted the site you should continue to see this as an unsafe site.
I don't know what you mean. The client has to download the blacklist first which is what takes the longest. There is no blacklisting functionality in Safari, and how would a user know what sites to blacklist anyway? Somebody at Google (well the company they buy their data from) has to blacklist the site, and then the new blacklist has to be pushed out to clients. If you mean people should be more careful about what sites they visit, sure I agree.
Old 03-03-2009, 12:39 PM   #26
bbwi
Registered User
 
Join Date: Nov 2007
Posts: 648
Quote:
Originally Posted by retroneo
Well Safari 4 grabs this as a phishing site...



But I guess a few people have to get caught out before it gets blacklisted...
But my point was that the email should never reach the user's inbox.
Old 03-03-2009, 12:40 PM   #27
bbwi
Registered User
 
Join Date: Nov 2007
Posts: 648
Quote:
Originally Posted by charlituna
Not that any of that would help, since it is super easy to put any return address you want in your emails. I could send one out right now that looks like it came from Steve Jobs, or even from Apple saying he's dead.
This simply isn't true. The technologies that I listed prevent anyone from doing just that
Old 03-03-2009, 02:22 PM   #28
mdriftmeyer
Registered User
 
Join Date: Nov 2004
Location: Northwest
Posts: 2,695
Quote:
Originally Posted by skittlebrau79
I don't know what you mean. The client has to download the blacklist first which is what takes the longest. There is no blacklisting functionality in Safari, and how would a user know what sites to blacklist anyway? Somebody at Google (well the company they buy their data from) has to blacklist the site, and then the new blacklist has to be pushed out to clients. If you mean people should be more careful about what sites they visit, sure I agree.
Blacklists with an sqlite3.x database running can periodically be pulled with snapshot changes to keep the clients current.

This sort of option either hasn't been a high priority or was never thought of inside Apple Systems Engineering.
Old 03-03-2009, 02:59 PM   #29
lilgto64
Registered User
 
Join Date: Apr 2005
Location: The Northcoast
Posts: 127
Confusion

Quote:
Originally Posted by carloblackmore
My question is how would the scam email know the correct renewal date of the person receiving the email? Is it just a random date (which would be a huge clue that the email is fake); or did the spammer get access to that information somehow?
They might be relying on all the confusion last year with renewal dates getting moved. My original renewal date was around October I think - but with the free extensions it actually ended up being in January. Plus a message that says your credit card is set to expire could say your account expires in the next 6 months, and that would cover 50% of the people who got the message. Then if only 10% of those people have a card that is close to expiration (or who do not notice that the card is not close to expiring) then the scammers maybe get 1% or even less - the real question is how small a fraction of a percent of people they need to fall for it in order for them to make a ton of money on fraudulent charges etc. Even 1 tenth of 1 tenth of 1 percent of 1 million fake emails is 100 people.