Over the weekend, we encountered an interesting variation of a phishing email targeting Apple users. The email contained an alleged receipt for five movies purchased from the iTunes Store that was so detailed that the user who received it, and who knows better, still almost fell for the scam.
Figure 1. Phishing Apple email
Similar cases were reported in 2015 by users in the UK and Australia, except in those cases the fake receipt contained songs and books, respectively. Last year, similar emails targeting users in the US were also reported, although they contained several errors that identified them as scams, such as: the word “Invoice” instead of “Receipt”, the lack of a valid value for the “Billed to” field, the wrong amount in the total, etc. The latest variation targeting Canadian users, however, does not seem to contain any of those mistakes. In fact, all the chosen movies are recent, which gives the email a more realistic appearance.
At the bottom of the receipt, there’s a link to request a “full refund” in case of an unauthorized transaction. Needless to say, it does not redirect to the legitimate “My Apple ID” website, but to the URL hy654reewe(.)serveftp(.)org/serveritunescanada/index(.)html. Although this site was already offline at the time of this report, it was still possible to access the phishing website by replacing the domain name with the IP address, as shown in Figure 2, below.
Figure 2. Fake Apple website to steal credit card information
To request a “refund, the victim is directed to fill out an online form. Besides the normal spaces for entering credit card and other personal information information, the form also includes fields for entering a “Social insurance number,” which is the number needed in Canada to work or to access government programs and benefits, as well as for a “Mother’s Maiden Name,” which is one of the frequently asked questions used to recover a forgotten password.
Figure 3. POST request with the stolen data
When the user fills out the form and clicks the “Cancel transaction” button, the data is processed in plain text with a PHP script. After the site steals the data, the user is then redirected to the legitimate Apple website. As a side note, the email address firstname.lastname@example.org associated with this site is Norwegian.
In addition to the URL previously mentioned, further research led us to two other domains related to this phishing campaign that are also hosted on IP address 126.96.36.199:
Despite being so new, these phishing sites were already identified and blocked by Fortinet’s Web Filter, as noted by urlquery.net. And the information related to the phishing email and website had also already been reported to Apple.
Figure 4. Fragment of the report about the phishing URL in urlquery.net
To better protect you from these sorts of phishing attacks, we recommend you read Apple’s tips to help you identify legitimate emails from the iTunes Store. And in case you receive a suspicious email, you can also report it here.
Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.