MobileMe users hit by phishing scam

Posted:
in Mac Software edited January 2014
A scammer is targeting MobileMe users with an email purporting to be from Apple. The email claims there are problems with the user's subscription renewal information, and directs them to a web site that asks them to reenter their credit card information.



The email (below) appears to come from no-reply@me.com, and looks fleetingly like something Apple might send, although the outdated graphics come from .Mac marketing materials.



Rather than directing users to login to their actual account at me.com and enter the SSL-protected accounts detail area, the phishing email links to a fraud site at http://natwestbgroups.com/www.apple.com/update.html.



That domain name was registered just three weeks ago from Name.com, a registrar in Hong Kong to "Pak Groups." The DNS registration for the domain points to Madih-ullah Riaz in Karachi, Pakistan, and cites a phone number and Microsoft Live Hotmail address.







Following the link takes users to a site that resembles Apple's site (below), in part because it directly uses Apple's graphics, JavaScripts, and CSS stylesheets to draw the page. The fake site also cites Apple's real customer service phone number and links to other legitimate pages.







However, clicking on 'continue' draws a dysfunctional verification page (below) and forwards any entered information to the scammer, identified as "Jude" by the webhost. The actual domain hosting the fraud site was laid out using Microsoft's FrontPage entry level web editing tool.







Users should always pay special attention to the URL specified by any hyperlinks in emails they receive. The best way to avoid being scammed is to manually type in the URL of the site you wish to visit, as it is possible to spoof URL listings in the browser just like the fake "from" address in the email above. Hovering over the email link in Mail would reveal that it does not link to Apple.com, but rather a fraudulent website (below).



«13

Comments

  • Reply 1 of 41
    Already been done, blogged, and resolved with Apple. This is just an update to the same old email.



    http://blog.joelesler.net/2008/07/ma...t-aint-so.html
  • Reply 2 of 41
    crees!crees! Posts: 501member
    I posted some info with colorful language just for kicks.
  • Reply 3 of 41
    Quote:
    Originally Posted by joelesler View Post


    Already been done, blogged, and resolved with Apple. This is just an update to the same old email.



    http://blog.joelesler.net/2008/07/ma...t-aint-so.html



    Yes, this is a new attempt with different text. Did your report note the source of the scam, and was it the same? Also, how do you figure this has been "resolved with Apple," considering that anyone receiving the email could fall for it without any intervention possible by Apple?
  • Reply 4 of 41
    Quote:
    Originally Posted by Prince View Post


    Yes, this is a new attempt with different text. Did your report note the source of the scam, and was it the same? Also, how do you figure this has been "resolved with Apple," considering that anyone receiving the email could fall for it without any intervention possible by Apple?



    Having learned of this attack, it should be quite easy for Apple to simply filter out the email from any mobile me accounts to ensure that it isn't delivered to anyone else.
  • Reply 5 of 41
    Nat West is a large UK bank. Sounds like this guy had another target in mind when he registered that domain.
  • Reply 6 of 41
    I wouldn't fall for that \ look at the URL. It's not Apple.com.
  • Reply 7 of 41
    Quote:
    Originally Posted by bryand View Post


    Having learned of this attack, it should be quite easy for Apple to simply filter out the email from any mobile me accounts to ensure that it isn't delivered to anyone else.



    Some people wouldn't want Apple filtering their mail. Also, the mail is spoofed and appears to be coming from an exploited web server. This group can send out scam email from any number of sources, so you'd have to do pattern recog on the content of the email to actually stop it, and then they could change the content easily, just as spammers do.



    The only current fix is informing users.



    One interesting possibility in Google Chrome is the new malware/phishing API; it would allow Mail and Safari to plug into updates from Google and throw up dynamic warnings as new scams were discovered.



    I don't really want Apple setting up filters that try to catch phish so I "don't have to," for the same reason I don't want Apple maintaining my entire spam filter. What about false positives?



    "Solutions" to spam and phish are easy to think up but difficult to implement.
  • Reply 8 of 41
    Quote:
    Originally Posted by Prince View Post


    Some people wouldn't want Apple filtering their mail. Also, the mail is spoofed and appears to be coming from an exploited web server. This group can send out scam email from any number of sources, so you'd have to do pattern recog on the content of the email to actually stop it, and then they could change the content easily, just as spammers do.



    The only current fix is informing users.



    One interesting possibility in Google Chrome is the new malware/phishing API; it would allow Mail and Safari to plug into updates from Google and throw up dynamic warnings as new scams were discovered.



    I don't really want Apple setting up filters that try to catch phish so I "don't have to," for the same reason I don't want Apple maintaining my entire spam filter. What about false positives?



    "Solutions" to spam and phish are easy to think up but difficult to implement.



    I wasn't suggesting a general phishing filter, but a specific filter to this specific email targeting mobile me users. Having been notified of a specific attack on their customers, it makes sense to filter this one particular email. I suppose if you want to receive phishing attacks, Apple could always notify you so you can opt out. I suppose the senders could change the email, but at least the initial attack would be stopped, and other attacks that are discovered could be stopped in like manner. That would be like a more narrowly targetted version of the malware/phishing api you are referring to in Chrome.
  • Reply 9 of 41
    Who needs URL tracking? Look at the first sentence in the email: "Thank you for choosing Mobileme." The second "m" isn't capitalized! Why would anyone read any farther into the text with that sure-fire reveal?



    Phishers aren't known for their good grammar, mechanics, and usage.
  • Reply 10 of 41
    solipsismsolipsism Posts: 25,726member
    Quote:
    Originally Posted by VinitaBoy View Post


    Who needs URL tracking? Look at the first sentence in the email: "Thank you for choosing Mobileme." The second "m" isn't capitalized! Why would anyone read any farther into the text with that sure-fire reveal?



    Phishers aren't known for their good grammar, mechanics, and usage.



    We have Mac users on this forum with a technical background that spell things like MAC and i-Phone all the time. That spelling is the least of the evidence in the email.



    I hope that Apple puts anti-phishing back into Safari. I know it was only beta, but it's one of the reasons I recommend FF to people on Macs who aren't very internet savvy. Some understand what a URL is pretty quickly, some don't. As stated, it doesn't replace knowledge, but it is extra protection and one that can help to educate the end user when they wonder why they have weird screen instead of the website they were expecting.
  • Reply 11 of 41
    paxmanpaxman Posts: 4,550member
    Quote:
    Originally Posted by Prince View Post


    I don't really want Apple setting up filters that try to catch phish so I "don't have to," for the same reason I don't want Apple maintaining my entire spam filter. What about false positives?



    "Solutions" to spam and phish are easy to think up but difficult to implement.



    I am quite happy for Apple to filter my email. At the moment I have Mail pick up from gmail and I get virtually no spam. My Gmail spam folder is always full and I let it be. Occasionally I scan through just to keep an eye on it but I spend no more than a minute per week checking. I am not worried about false positives at all. Once in a blue moon I am alerted to something I haven't replied to. A couple of times I have found the missing email in the spam folder - problem solved.



    This system is pain free and works for me personally and my business. If I loose the occasional sale it is easily made up for by the time I save not worrying. Because of good filtering spam is a non issue for me. Any request for anything including personal info from banks, eBay, isp's etc goes in the bin regardless. They have my phone number if they are serious.
  • Reply 12 of 41
    I thought MobileMe already filtered out junk email? I stopped receiving junk mail on my 'Mac account about 18 months ago. Funnily enough, when Apple were experiencing problems with the transition to MobileMe I started getting junk for a few days. Haven't received anything since.
  • Reply 13 of 41
    Quote:
    Originally Posted by Prince View Post


    Yes, this is a new attempt with different text. Did your report note the source of the scam, and was it the same? Also, how do you figure this has been "resolved with Apple," considering that anyone receiving the email could fall for it without any intervention possible by Apple?



    in truth about all they can do is warn users



    "dear mobile me user



    it has come to our attention that someone is sending out a fake email claiming to be from Apple and asking for personal financial information.



    This email did NOT come from Apple. Any information provided on the pages linked in the email will not go to Apple but to a theft.



    For your own safety, any time you receive an email from any company asking for any kind of personal information, especially financial, you should always go to the company's website by typing in the site address yourself (do not follow any links in the email), logging in and proceeding. This includes but is not limited to: Apple, your bank, your credit card companies, sites you shop such as Amazon.



    if you have any questions, please contact Apple Support.



    Thank you"



    or something similar.
  • Reply 14 of 41
    I don't understand how people could be drawn into this. Disregarding the obviously invalid domain, I thought even novice users by know would be extremely skeptical of any email sent to them about needing "updated billing information" or whatever. They should always be taught to *NEVER* CLICK ON AN EMAIL LINK TO GO TO A COMMERCIAL WEBSITE! Always type in the web address!
  • Reply 15 of 41
    messiahmessiah Posts: 1,689member
    Quote:
    Originally Posted by winterspan View Post


    I don't understand how people could be drawn into this. Disregarding the obviously invalid domain, I thought even novice users by know would be extremely skeptical of any email sent to them about needing "updated billing information" or whatever. They should always be taught to *NEVER* CLICK ON AN EMAIL LINK TO GO TO A COMMERCIAL WEBSITE! Always type in the web address!



    I think it's perfectly understandable. The pages are drawn very well, using Apple's own graphics, typography and tone of voice. The brand proposition is spot-on.



    But what I think is extremely clever, is that the scammers have picked a service from a vendor that has suffered a lot of reliability issues of late. The MobileMe fiasco has been well documented.



    If I received an email from 'Apple', my initial thought wouldn't be 'is this really from Apple', but rather 'Apple's fcuked up my MobileMe account AGAIN'.



    You wouldn't fall for a phishing email from your 'bank', but I think you could be forgiven for falling for an email from a 'service provider' that has suffered so many technical issues of late ? and this is the true measure of just how badly the MobileMe fiasco has hurt Apple's brand. I suspect that those chickens are only now starting to come home to roost.
  • Reply 16 of 41
    Quote:
    Originally Posted by winterspan View Post


    I don't understand how people could be drawn into this. Disregarding the obviously invalid domain, I thought even novice users by know would be extremely skeptical of any email sent to them about needing "updated billing information" or whatever. They should always be taught to *NEVER* CLICK ON AN EMAIL LINK TO GO TO A COMMERCIAL WEBSITE! Always type in the web address!



    Erm quite easy to get caught out as I should know. I got spanked back in 2001 by a fake Ebay page pointing to dodgy URL. The smart thing about it was the fake email arrived during a 2 hour period when a ton of items I was selling on Ebay where drawing last minute questions from potential buyers.



    So if the timings right and your under pressure then it can be easy to catch anybody out. Embarrasing for me because I am an Internet markeing/development manager and should have known better

  • Reply 17 of 41
    messiahmessiah Posts: 1,689member
    Quote:
    Originally Posted by Mr Underhill View Post


    Erm quite easy to get caught out as I should know. I got spanked back in 2001 by a fake Ebay page pointing to dodgy URL. The smart thing about it was the fake email arrived during a 2 hour period when a ton of items I was selling on Ebay where drawing last minute questions from potential buyers.



    So if the timings right and your under pressure then it can be easy to catch anybody out. Embarrasing for me because I am an Internet markeing/development manager and should have known better





    Exactly. People have a million and one things on their mind on a day-to-day basis, and when something as cleverly executed as this comes along, and it's contextually relevant, of course it's easy to be caught out.



    I totally understand where you're coming from ? every time I hear of a phishing scam, a part of me thinks 'damn, I would have fallen for that'.



    Ebay sent me a similar email, and I said no, I wasn't going to update my details because there was no way that they could prove to me that 'they' weren't phishing me. They proved it by banning me from Ebay. Nice.
  • Reply 18 of 41
    maaan... I didn't get the email, I feel left out
  • Reply 19 of 41
    Quote:
    Originally Posted by VinitaBoy View Post


    Who needs URL tracking? Look at the first sentence in the email: "Thank you for choosing Mobileme." The second "m" isn't capitalized! Why would anyone read any farther into the text with that sure-fire reveal?



    Phishers aren't known for their good grammar, mechanics, and usage.



    I agree, although poor spelling and grammar are, unfortunately, increasingly common in some legitimate emails and websites.



    However, I am not aware of Apple making such mistakes, so the missing apostrophe and typo in the request for 'Mothers Maiden Nane' should ring alarm bells
  • Reply 20 of 41
    cubertcubert Posts: 728member
    Quote:
    Originally Posted by VinitaBoy View Post


    Who needs URL tracking? Look at the first sentence in the email: "Thank you for choosing Mobileme." The second "m" isn't capitalized! Why would anyone read any farther into the text with that sure-fire reveal?



    Phishers aren't known for their good grammar, mechanics, and usage.





    The "Get Started with .Mac Now" seems to be another obvious one.
Sign In or Register to comment.