Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 11 August 2008

iTunes Store Phish

Posted on 14:51 by Unknown
In the middle of my 5,000 copies of the newest CNN Alert spam, I had an email from iTunes. I have to tell you, it made me mad. I assumed it meant that my children had been shopping on my iTunes account, and had done something wrong with my account. (love you, K-Dub! love you, Zach!)

And that's why I thought it worth writing about. We hear so much about Phishing, and its almost always described as "a counterfeit bank website", and then usually the definition is extended to say "mumblemumble Paypal mumblemumble eBay", since they don't really fit in to the "banking" concept of Phishing.

The subject of the email was "Important: Billing Problem" and the From: address was "iTunes Store".

The punchline of the email was:


We were unable to process your most recent payment. Did you recently change your bank, phone number or credit card?

To ensure that your service is not interrupted, please update your billing information today by clicking here , After a few clicks, just verify the information you entered is correct.




The "click here" part pointed to this website:

http://www.rofilme.net/m_subtitrari/store.apple.com/us/

which does a pretty good job of looking like an Apple Store, doesn't it?



Clearly this particular criminal is relying on the fact that we aren't going to suspect a non-banking site of being phishing. More evidence? The same site where this phishing site is hosted, "rofilme.net", was used last week as an AOL Billing phish, with the address:

http://www.rofilme.net/m_subtitrari/my.screename.aol.com/_cqr/login/sitedomain/bill.aol.com/sslsecure/update/

Its a rather complex phish . . . the Apple Store phish actually runs a "verify.php" file on another server, http://www.satc.net/gallery/washington_d.c./verify.php, which stores the stolen data in a .txt file. The first set of credentials was given up right at six hours ago, and so far there are 44 plausible sets of identities in the file. Not a huge harvest, but enough to cause a headache for at least 44 people.

The format of the harvested identities text file looks like this:

-----------------------------------
FirstName : Txxxx
Last name : Bxxxx
Address : 9xxxxxx
City : Sxxxxx
State : Tx
Zipcode : 79549
Country : US
PhoneNumber Ext : 3xx
Phone : 5xx.xxxx
Card number : 40034xxxxxxxxxx
Expiry month : January
Expiry year : 11
CVV2 : xxx
Mother's maiden name : bxxxxx
SSN : 462xxxxxx
Birth day : 24
Birth year : 1951
Birth month : 09
Email : txxxxx@yahoo.com
Password : xxxxx
Mon Aug 11, 2008 2:22 pm
6x.1xx.2xx.6x
------------------------------

As you can see, I gave some "xxxx" to protect this person's identity.

So, just a reminder, gentle reader . . . when someone wants your identity, it doesn't have to be a BANK site to be a PHISH.
Email ThisBlogThis!Share to XShare to Facebook
Posted in phishing | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • 2009 Year in Review
    As 2009 comes to a close I wanted to take a minute to thank all of the people who have been helpful to this blog this year, and to share bac...
  • What about the Social Security Numbers? (The Utah Data Breach and your SSN)
    The Utah Data Breach This week the continuing saga of the Utah Medicaid Data Breach continued to unfold. If you haven't been following...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • Carder Christopher Schroebel gets Seven Years
    21 years old and thinking about Cybercrime as a career choice?  Think again.  Seattle-based U.S. Attorney Jenny Durkan told a press conferen...
  • Stop the Rumors: Quit SMSing about WalMart Gang Initiations
    My daughter and her teenage friend were sitting on the couch watching TV today when they began getting text messages on their phone. Here...
  • New BBC spam mocks Georgia's President, Spreads New Virus
    This morning we've received more than 300 copies of a new "BBC" spam campaign which mocks Georgia's President and spreads ...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Digital Certificates Update
    A quick update from the previous post. The Digital Certificates spam campaign against Merrill Lynch continues, but the good guys seem to be ...
  • ATM Cashers in 26 Countries steal $40M
    CBS News in New York has a video on their website this morning title Cyber-attacks behind possibly record-breaking bank heist . Former FBI ...
  • A New Year and Anti-Virus Products Are Still Losing
    One of our most popular blog posts in 2008 was back in August - Anti-Virus Products Still Fail on Fresh Viruses . I'm sad to report tha...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ►  2009 (92)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ▼  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ▼  August (22)
      • Hurricane Gustav: Fraud Watch
      • Banking Digital Certificate Malware in Spam
      • E-cards Run Wild. Where are the Anti-Virus Compan...
      • Leave Those Viruses at SCHOOL!
      • Celebrity Spam-Off: Will Paris Hilton Overtake An...
      • Shadow Botnet case may yield spammer Leni Neto
      • More Online Pharmacy Affiliates Indicted
      • Evidence that Georgia DDOS attacks are "populist" ...
      • One third of current spam points to malware sites
      • New BBC spam mocks Georgia's President, Spreads Ne...
      • Can You Pick the Real MSNBC.Com Breaking News?
      • MSNBC Breaking News replaces CNN Spam Wave
      • Anti-Virus Products Still Fail on Fresh Viruses
      • iTunes Store Phish
      • The UAB Spam Data Mine: Looking at Malware Sites
      • TJX Update: The San Diego Indictments
      • TJX Update: The Boston Indictments
      • Linking all the News Spam together (CNN.com Daily ...
      • CNN Spam Diversifies . . .
      • TJX Reminder: "We Will Arrest You, and We Will Sen...
      • CNN Lends Authenticity to News Spam
      • Another Insider Busted: Countrywide Financial Analyst
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile