Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 11 August 2008

iTunes Store Phish

Posted on 14:51 by Unknown
In the middle of my 5,000 copies of the newest CNN Alert spam, I had an email from iTunes. I have to tell you, it made me mad. I assumed it meant that my children had been shopping on my iTunes account, and had done something wrong with my account. (love you, K-Dub! love you, Zach!)

And that's why I thought it worth writing about. We hear so much about Phishing, and its almost always described as "a counterfeit bank website", and then usually the definition is extended to say "mumblemumble Paypal mumblemumble eBay", since they don't really fit in to the "banking" concept of Phishing.

The subject of the email was "Important: Billing Problem" and the From: address was "iTunes Store".

The punchline of the email was:


We were unable to process your most recent payment. Did you recently change your bank, phone number or credit card?

To ensure that your service is not interrupted, please update your billing information today by clicking here , After a few clicks, just verify the information you entered is correct.




The "click here" part pointed to this website:

http://www.rofilme.net/m_subtitrari/store.apple.com/us/

which does a pretty good job of looking like an Apple Store, doesn't it?



Clearly this particular criminal is relying on the fact that we aren't going to suspect a non-banking site of being phishing. More evidence? The same site where this phishing site is hosted, "rofilme.net", was used last week as an AOL Billing phish, with the address:

http://www.rofilme.net/m_subtitrari/my.screename.aol.com/_cqr/login/sitedomain/bill.aol.com/sslsecure/update/

Its a rather complex phish . . . the Apple Store phish actually runs a "verify.php" file on another server, http://www.satc.net/gallery/washington_d.c./verify.php, which stores the stolen data in a .txt file. The first set of credentials was given up right at six hours ago, and so far there are 44 plausible sets of identities in the file. Not a huge harvest, but enough to cause a headache for at least 44 people.

The format of the harvested identities text file looks like this:

-----------------------------------
FirstName : Txxxx
Last name : Bxxxx
Address : 9xxxxxx
City : Sxxxxx
State : Tx
Zipcode : 79549
Country : US
PhoneNumber Ext : 3xx
Phone : 5xx.xxxx
Card number : 40034xxxxxxxxxx
Expiry month : January
Expiry year : 11
CVV2 : xxx
Mother's maiden name : bxxxxx
SSN : 462xxxxxx
Birth day : 24
Birth year : 1951
Birth month : 09
Email : txxxxx@yahoo.com
Password : xxxxx
Mon Aug 11, 2008 2:22 pm
6x.1xx.2xx.6x
------------------------------

As you can see, I gave some "xxxx" to protect this person's identity.

So, just a reminder, gentle reader . . . when someone wants your identity, it doesn't have to be a BANK site to be a PHISH.
Email ThisBlogThis!Share to XShare to Facebook
Posted in phishing | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • 2009 Year in Review
    As 2009 comes to a close I wanted to take a minute to thank all of the people who have been helpful to this blog this year, and to share bac...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • More Merger Malware Wachovia Wells Fargo
    Today I received a message from Robert K. Steel, the President and CEO of Wachovia Bank. Actually I received several hundred messages from ...
  • Radical Muslim Hackers Declare CyberWar on Israel
    This weekend more than 300 Israeli websites have been defaced in a period of 48 hours. In a website "defacement" a hacker violate...
  • Aggrevated Identity Theft Law in Action
    There are so many interesting angles to the story this week about a case in Tucson, Arizona. The conviction actually went down in March 200...
  • Bank of America Demo Account - DO NOT CLICK
    Beginning on November 25th, the UAB Spam Data Mine has been receiving messages claiming to be from Bank of America which will explain to us ...
  • AffPower Indictments Scare Affiliates!
    Today I heard the news that the "AffPower" drug network is being shut down, starting with 18 arrests in Texas, Florida, Colorado, ...
  • Securing Cyberspace in the 44th Presidency: Part Two
    Yesterday I provided some context for the Center for Strategic and International Studies report which was published yesterday: Security Cyb...
  • Italian Court declares itself Friend of Pirates (or does it?)
    I couldn't believe this one. The Associated Press reported yesterday that Italian high court says file-swapping is not illegal . In this...
  • Internet Landfill: McColo Corporation
    Brian Krebs has turned his sights on another Internet Landfill, this time the McColo Corporation. Today his column is titled: Major Source...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ►  2009 (92)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ▼  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ▼  August (22)
      • Hurricane Gustav: Fraud Watch
      • Banking Digital Certificate Malware in Spam
      • E-cards Run Wild. Where are the Anti-Virus Compan...
      • Leave Those Viruses at SCHOOL!
      • Celebrity Spam-Off: Will Paris Hilton Overtake An...
      • Shadow Botnet case may yield spammer Leni Neto
      • More Online Pharmacy Affiliates Indicted
      • Evidence that Georgia DDOS attacks are "populist" ...
      • One third of current spam points to malware sites
      • New BBC spam mocks Georgia's President, Spreads Ne...
      • Can You Pick the Real MSNBC.Com Breaking News?
      • MSNBC Breaking News replaces CNN Spam Wave
      • Anti-Virus Products Still Fail on Fresh Viruses
      • iTunes Store Phish
      • The UAB Spam Data Mine: Looking at Malware Sites
      • TJX Update: The San Diego Indictments
      • TJX Update: The Boston Indictments
      • Linking all the News Spam together (CNN.com Daily ...
      • CNN Spam Diversifies . . .
      • TJX Reminder: "We Will Arrest You, and We Will Sen...
      • CNN Lends Authenticity to News Spam
      • Another Insider Busted: Countrywide Financial Analyst
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile