Phishing for Apple.com Customers
 
     
 

I don't like spam. I receive a lot of it, and I despise it. I see it as theft. My bandwidth and time are being used without my permission. Spammers steal bandwith and internet access in order to deliver their crap to my inbox. I don't want it and I don't like it. I report spam to ISP's, upstream providers, the FTC, and any reporting agency that I feel is appropriate, based on the content of the spam. Spam will not go away by processing it with the delete key! You have to fight it!

Here's one example of how spammers are attempting to steal your identity and money - (taken from WikiPedia.org) Phishing - In computing, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from PayPal, eBay, Youtube or online banks are commonly used to lure the unsuspecting. Phishing is typically carried out by e-mail or instant messaging,[1] and it often directs users to enter details at a website. Phishing is an example of social engineering techniques used to fool users.[2] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

Not long after (on the 30th of July, 2008) Apple introduced/launched their new MobileMe service (an updated version of it's .Mac services), I started receiving some rather sophisticated phishing emails from a spammer. I received the first at appx 0722AM (MDT). At first, I thought that it might be a valid email from Apple. It was addressed to my mac.com email address (which doesn't get much spam), and it didn't contain the usual slew of gramar and spelling errors. Still, the email contained some subtle hints that it might not be legitimate. So, I examined the source of the email message before clicking on any links or loading any images.

As soon as I started examining the email header, I realized that this was the work of some skum-sucking spammer. The IP address/domain of 87.106.16.18/s15216049.onlinehome-server.info were definitely not the sort that would send an email from Apple.com. While the image links pointed back to Apple.com, the fact that they were hijacking/using Apples bandwidth to deliver legitimate Apple.com images isn't all that unusual. Then there was the URL hidden behind the 'update' link. The email displayed an 'update' link of:

"update your billing information today by clicking here ,"

Notice the space between the word here and the comma? A legitimate email is unlikely to contain this sort of punctuation error. After examining the source code behind the body of the email, the destination URL was revealed to be: <a href="http://onlineauctionblock.com/logo/">clicking here</a> Clearly this is not an Apple.com destination. Anyone clicking on this link is re-directed to the spammers forged web site.

If you'd like to see the full source code of the email, I've linked it to my website: <http://www.robsworld.org/phishingemail.txt> The From: address of the email was a me.com address, the Return-Path: address led back to the email host that the spammer used to send the email, and the To: address was my mac.com address. In the text file referenced here, I've changed all the email addresses to <notarealemailaddress@example.org>. Why? Because otherwise, some spammer spider (web scraping bot) will find the file, and scrape the email addresses off the document. The domain 'example.org' is a specially reserved domain used to test websites and email services. Any email to that domain ends up in a bit bucket. It doesn't generate any bounce, doesn't clog someones inbox, doesn't get processed, etc. It's an internet dead-end.

If you'd like to see what the email looked like in my inbox (after loading the images - By the way, don't load the images from an email until you know (and trust) the source of the images), I've linked it to my website: <http://www.robsworld.org/phishingimage1.png>. Once again, I redacted (masked) the email addresses, so some spammer can't scrape the email addresses. The email sure looks like a legitimate Apple email. Especially once you load the images.

While Apple is experience a surge of new users, many of those users are young and inexperienced with the Apple brand. They may be teenagers, or first time computer users. Perhaps they're unfamiliar with the way an Apple email should look. Perhaps they're not that experienced when it comes to phishing scams. After all, spammers, scammers, and phishers typically avoid the Apple brand. Apple is very aggressive in the protection of it's image/brand, and this sort of email will likely come to the attention of Apple's stable of lawyers. Watch out spammer! Apple might come after you with a vengence (personally, I hope they do). If they don't it will only embolden other spammers and their ilk.

If you're one of the customers I described above, you might click the link thinking 'Hey, what's up? My credit card is good, why am I getting this email? - I better straighten this out ASAP!'. I know that I was concerned (at first). I'd made some purchases recently, and I even used a different credit card than I normally use. Clicking on the link takes the unwary (I used an anonymous proxy to check out the web site) to the spammers lair. Laying in wait was a highly sophisticated web site. It looked just like an Apple web site, and it was asking me to enter my credit card info and other personal data in order to 'Update my Billing Info'.

If you'd like to see what the web site looked like (without risking a visit to the spammer's website), I've linked it to my website: <http://www.robsworld.org/phishingimage1.png>. Both this image, and the one referenced above were shrunken down and modified to take up a little less room on my server. Otherwise, they are unaltered (excepted as noted above) as they appeared on the 30th of July, 2008.

As I mentioned earlier, I reported this spam. I reported it to the email web hosting providers associated with the phishing attempt. Within an hour and four minutes, the spammer's web site was shut down. How do I know? Because I received a second spam an hour and four minutes later. The same subject, same web site, same sender, etc. I checked the spammers website (using an annonymous proxy), and the web host had put up a banner that declared "This Account Has Been Suspended", "Please contact the billing/support department as soon as possible." Hopefully the spammer is stupid enough to contact the billing/support department. I hope they nab this scammer!

What's the point? - Two points. One: Don't get fooled by the Scammers, Spammers and Phishers. They're out there. They want your money, they want your identity, they'll do whatever it takes to get it. The annonymity of the internet makes thieves brave. Those who wouldn't dare confront you physically now have a way to assault you digitally. Be vigilant - If it smells like spam, don't click it. Examine the source, if it's spam, report it. Second point: Reporting spam works. By reporting this spammer, I got his web site shut down (or so I'm claiming! - Victory for me). My spam fighting efforts aren't going completely unnoticed. The web host was alerted to this illegal activity, and they acted in a responsible manner. They shut it down. Hopefully nobody got their bank account emptied by this scammer. If the web host is savy enough, and the spammer stupid enough, the authorities will be alerted, and one more spammer will find himself behind bars instead of behind the saftey of an annonymous email account.

 
     
 
Return to my Junk/Spam declaration page.
Author: Robert L. Vaessen e-mail: robert robsworld org
Last Updated:

This page has been accessed times since 30 Jul 2008.