Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 11 August 2008

iTunes Store Phish

Posted on 14:51 by Unknown
In the middle of my 5,000 copies of the newest CNN Alert spam, I had an email from iTunes. I have to tell you, it made me mad. I assumed it meant that my children had been shopping on my iTunes account, and had done something wrong with my account. (love you, K-Dub! love you, Zach!)

And that's why I thought it worth writing about. We hear so much about Phishing, and its almost always described as "a counterfeit bank website", and then usually the definition is extended to say "mumblemumble Paypal mumblemumble eBay", since they don't really fit in to the "banking" concept of Phishing.

The subject of the email was "Important: Billing Problem" and the From: address was "iTunes Store".

The punchline of the email was:


We were unable to process your most recent payment. Did you recently change your bank, phone number or credit card?

To ensure that your service is not interrupted, please update your billing information today by clicking here , After a few clicks, just verify the information you entered is correct.




The "click here" part pointed to this website:

http://www.rofilme.net/m_subtitrari/store.apple.com/us/

which does a pretty good job of looking like an Apple Store, doesn't it?



Clearly this particular criminal is relying on the fact that we aren't going to suspect a non-banking site of being phishing. More evidence? The same site where this phishing site is hosted, "rofilme.net", was used last week as an AOL Billing phish, with the address:

http://www.rofilme.net/m_subtitrari/my.screename.aol.com/_cqr/login/sitedomain/bill.aol.com/sslsecure/update/

Its a rather complex phish . . . the Apple Store phish actually runs a "verify.php" file on another server, http://www.satc.net/gallery/washington_d.c./verify.php, which stores the stolen data in a .txt file. The first set of credentials was given up right at six hours ago, and so far there are 44 plausible sets of identities in the file. Not a huge harvest, but enough to cause a headache for at least 44 people.

The format of the harvested identities text file looks like this:

-----------------------------------
FirstName : Txxxx
Last name : Bxxxx
Address : 9xxxxxx
City : Sxxxxx
State : Tx
Zipcode : 79549
Country : US
PhoneNumber Ext : 3xx
Phone : 5xx.xxxx
Card number : 40034xxxxxxxxxx
Expiry month : January
Expiry year : 11
CVV2 : xxx
Mother's maiden name : bxxxxx
SSN : 462xxxxxx
Birth day : 24
Birth year : 1951
Birth month : 09
Email : txxxxx@yahoo.com
Password : xxxxx
Mon Aug 11, 2008 2:22 pm
6x.1xx.2xx.6x
------------------------------

As you can see, I gave some "xxxx" to protect this person's identity.

So, just a reminder, gentle reader . . . when someone wants your identity, it doesn't have to be a BANK site to be a PHISH.
Email ThisBlogThis!Share to XShare to Facebook
Posted in phishing | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • From Russia, With Love . . . new Postcard spam spies on your PC
    Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evenin...
  • Happy New Year! Here's a Virus! (New Year's Postcard malware)
    I've been busy this week looking at the various defacements (see ComputerWorld , and ABC News ) and other cyber attacks (see yesterday...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • A Dark and STORMy Night
    Just in time for the spookiest night of the year, the Storm botnet recruitment spam switched to a Halloween flavor. On the evening of Octobe...
  • TJX Update: The San Diego Indictments
    As promised, here is the update regarding the eight individuals charged in San Diego in connection with "the TJX bust". There wer...
  • Help stop the Osama bin Laden Videos on Facebook
    If you have teenage friends, or friends with poor security practices, you will probably notice that your wall has recently filled up with in...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Facebook Safety & Million Member Facebook Groups
    Two of my friends today invited me to join "Million User" facebook groups. Not that it matters really, but the two groups were: P...
  • First 2008 Presidential Spam Campaign?
    Does Ron Paul suddenly have a strong support base among foreign computer owners with strange names and multiple personalities? or is it poss...
  • 70 Romanian Phishers & Fraudsters Arrested
    On March 4th, FBI Director Robert Mueller was given a speech on Cybercrime to the RSA conference where he mentioned that: And we have worke...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ►  2009 (92)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ▼  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ▼  August (22)
      • Hurricane Gustav: Fraud Watch
      • Banking Digital Certificate Malware in Spam
      • E-cards Run Wild. Where are the Anti-Virus Compan...
      • Leave Those Viruses at SCHOOL!
      • Celebrity Spam-Off: Will Paris Hilton Overtake An...
      • Shadow Botnet case may yield spammer Leni Neto
      • More Online Pharmacy Affiliates Indicted
      • Evidence that Georgia DDOS attacks are "populist" ...
      • One third of current spam points to malware sites
      • New BBC spam mocks Georgia's President, Spreads Ne...
      • Can You Pick the Real MSNBC.Com Breaking News?
      • MSNBC Breaking News replaces CNN Spam Wave
      • Anti-Virus Products Still Fail on Fresh Viruses
      • iTunes Store Phish
      • The UAB Spam Data Mine: Looking at Malware Sites
      • TJX Update: The San Diego Indictments
      • TJX Update: The Boston Indictments
      • Linking all the News Spam together (CNN.com Daily ...
      • CNN Spam Diversifies . . .
      • TJX Reminder: "We Will Arrest You, and We Will Sen...
      • CNN Lends Authenticity to News Spam
      • Another Insider Busted: Countrywide Financial Analyst
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile