Monday, August 11, 2008

iTunes Store Phish

In the middle of my 5,000 copies of the newest CNN Alert spam, I had an email from iTunes. I have to tell you, it made me mad. I assumed it meant that my children had been shopping on my iTunes account, and had done something wrong with my account. (love you, K-Dub! love you, Zach!)

And that's why I thought it worth writing about. We hear so much about Phishing, and its almost always described as "a counterfeit bank website", and then usually the definition is extended to say "mumblemumble Paypal mumblemumble eBay", since they don't really fit in to the "banking" concept of Phishing.

The subject of the email was "Important: Billing Problem" and the From: address was "iTunes Store".

The punchline of the email was:


We were unable to process your most recent payment. Did you recently change your bank, phone number or credit card?

To ensure that your service is not interrupted, please update your billing information today by clicking here , After a few clicks, just verify the information you entered is correct.




The "click here" part pointed to this website:

http://www.rofilme.net/m_subtitrari/store.apple.com/us/

which does a pretty good job of looking like an Apple Store, doesn't it?



Clearly this particular criminal is relying on the fact that we aren't going to suspect a non-banking site of being phishing. More evidence? The same site where this phishing site is hosted, "rofilme.net", was used last week as an AOL Billing phish, with the address:

http://www.rofilme.net/m_subtitrari/my.screename.aol.com/_cqr/login/sitedomain/bill.aol.com/sslsecure/update/

Its a rather complex phish . . . the Apple Store phish actually runs a "verify.php" file on another server, http://www.satc.net/gallery/washington_d.c./verify.php, which stores the stolen data in a .txt file. The first set of credentials was given up right at six hours ago, and so far there are 44 plausible sets of identities in the file. Not a huge harvest, but enough to cause a headache for at least 44 people.

The format of the harvested identities text file looks like this:

-----------------------------------
FirstName : Txxxx
Last name : Bxxxx
Address : 9xxxxxx
City : Sxxxxx
State : Tx
Zipcode : 79549
Country : US
PhoneNumber Ext : 3xx
Phone : 5xx.xxxx
Card number : 40034xxxxxxxxxx
Expiry month : January
Expiry year : 11
CVV2 : xxx
Mother's maiden name : bxxxxx
SSN : 462xxxxxx
Birth day : 24
Birth year : 1951
Birth month : 09
Email : txxxxx@yahoo.com
Password : xxxxx
Mon Aug 11, 2008 2:22 pm
6x.1xx.2xx.6x
------------------------------

As you can see, I gave some "xxxx" to protect this person's identity.

So, just a reminder, gentle reader . . . when someone wants your identity, it doesn't have to be a BANK site to be a PHISH.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.