The Mac Security Blog

Beware of “Apple Billing Information” Phishing E-mails

A large phishing campaign has broken out, beginning on or around Christmas Day, with e-mails being sent under the subject “Apple update your Billing Information.” These well-crafted e-mails could fool many new Apple users, especially those who found an iPhone, iPod or iMac under their Christmas tree and have set up an iTunes Store or Mac App Store account for the first time. The messages claim to come from “appleid@id.apple.com,” but a sender address proves nothing: the From field of an e-mail is trivially forged. Here’s what the content looks like:

If you click on the link in the message, you are taken to a realistic-looking sign-in page. After you enter your Apple ID and password (which go straight to the attackers), you are taken to a second page asking you to update your account profile, notably by entering your credit card details. Again, this page looks realistic, and many of the elements it contains are copied from Apple’s own web pages.

So how do you know that this is a phishing e-mail? The first rule of thumb is to move your cursor over the link in the message and wait for a tooltip to pop up:



As you can see above, the URL that displays is not an apple.com address but a numerical address (we’ve blurred the first part of it). At the end of the address is a page called apple.htm, which could fool people, but the file name is irrelevant. What matters is the hostname: the part between http:// (or https://) and the next slash. If that part is not apple.com, or something ending in .apple.com (www.apple.com, store.apple.com, and so on), the link is bogus. Be careful with look-alikes: a hostname such as apple.com.example.net belongs to example.net, not to Apple, because only the end of the hostname counts, and a bare IP address in place of a hostname is never an Apple page.
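The rule above can be turned into a check. What follows is an added example, not code from the original post or from Apple: it uses the browser’s own URL parser to extract the hostname and applies the apple.com test to it. The sample links are made up for illustration, and the blurred numerical address from the screenshot is not reproduced. The same check works for any sender you expect mail from; only the trusted domain changes.

```javascript
// Added example (not from the blog post): apply the "look at the hostname"
// rule in code. The sample links below are constructed for illustration.

const TRUSTED_DOMAIN = "apple.com";

// Hostname of a link as the browser would resolve it, or "" if the text is
// not an http(s) URL at all. The WHATWG URL parser does the hard parts:
// in "http://apple.com@evil.example/" the apple.com is a username, not the
// host, and an IDN host such as "\u0430pple.com" (Cyrillic a) comes back
// as punycode, which no longer looks like Apple at all.
function hostOf(link) {
  let u;
  try {
    u = new URL(link.trim());
  } catch (e) {
    return ""; // "www.apple.com" without a scheme is not a URL the browser would open
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return "";
  return u.hostname.replace(/\.$/, "").toLowerCase(); // drop a trailing dot
}

// After WHATWG parsing an IPv4 host is always dotted decimal (even if it was
// written as hex or a single number) and an IPv6 host is wrapped in brackets.
function looksLikeIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || /^\[.*\]$/.test(host);
}

// The post's rule: the host must be the domain itself or end in "." + domain.
// "notapple.com" and "apple.com.evil.example" both fail this test.
function isTrustedHost(host, domain = TRUSTED_DOMAIN) {
  if (!host || looksLikeIpAddress(host)) return false;
  return host === domain || host.endsWith("." + domain);
}

function verdict(link, domain = TRUSTED_DOMAIN) {
  return isTrustedHost(hostOf(link), domain) ? "trusted" : "suspicious";
}

// Constructed sample links, one per trick worth knowing about.
const SAMPLES = [
  "https://store.apple.com/",                         // real subdomain
  "https://www.apple.com./",                          // trailing dot, still Apple
  "http://192.0.2.10/apple.htm",                      // bare IP, file name is bait
  "http://0x7f000001/",                               // IP written in hex
  "http://www.apple.com.evil.example/signin",         // apple.com only at the start
  "http://apple.com@evil.example/",                   // apple.com is a username
  "http://evil.example/?next=https://www.apple.com/", // apple.com only in the query
  "https://\u0430pple.com/",                          // Cyrillic look-alike
  "www.apple.com",                                    // not a URL at all
];

// Verdict for every sample, as data rather than output so it can be checked.
function report(links = SAMPLES) {
  return links.map((link) => ({ link, host: hostOf(link), verdict: verdict(link) }));
}

for (const r of report()) {
  console.log(r.verdict.padEnd(10), r.host.padEnd(30), r.link);
}
```

The check deliberately trusts the URL parser rather than a hand-written split on "/": the username trick, hex IP addresses and IDN hosts are exactly the cases a naive string split gets wrong, and the browser will resolve them the way the parser does.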

We hope you’ll be careful if you’re new to Macs and Apple products. We work hard to keep Mac and Apple users safe from the many dangers of the Internet.

The Epsilon Data Breach: What You Need to Know

Last week, Epsilon, a major e-mail marketing firm, suffered a serious data breach in which attackers obtained the names and e-mail addresses of potentially millions of people who had signed up to receive e-mail updates from dozens of companies. The companies affected include banks (Capital One, Barclays, Citigroup, JPMorgan Chase), retailers (Walgreens, Kroger, Best Buy), and other web sites (TiVo, AbeBooks, Disney).

According to the information made public about this breach, only e-mail addresses and names were taken. However, for some of the affected sites you may also have an account with a password, and if you reuse passwords, it may be the same one you use on many other sites.

If the password in question is only used to log into web sites that hold no payment details, the risk is smaller. But for affected sites where you have stored credit card information, it is a good idea to change your password as soon as possible. Many of the affected companies are notifying users of the breach, but not all will do so, so it is up to you to decide whether to change passwords on several web sites; if the same password is shared between sites, change it on all of them, since one compromised login exposes the others.

For now, the extent of the breach is unclear. If, indeed, only e-mail addresses and names were obtained, the worst to fear is a large increase in spam and phishing e-mails, and because the attackers know which companies you deal with, those phishing e-mails can be made to look as if they came from them. Intego software can help you fight these threats. Intego VirusBarrier X6 includes a powerful anti-phishing tool, and Personal Antispam, part of Intego Internet Security Barrier, is an intelligent spam filter that learns from the e-mail you receive.

Chinese Auction Site Selling Stolen iTunes Accounts

Some 50,000 stolen iTunes accounts are for sale on a Chinese auction site, according to the BBC. TaoBao, a popular Chinese auction site, lists stolen iTunes accounts and sells them for “temporary access to unlimited downloads from the service for as little as 1 yuan (10p) a time.” Listings tell buyers that they are likely to have access to the accounts for only 12 hours before they are shut down.

Most likely, the account information was not obtained by breaking into Apple’s servers, but by phishing or by Trojan horses that steal credentials. Once an Apple ID (used for an iTunes Store account) and its password have been obtained, whoever holds them can buy any type of content on the iTunes Store as long as the account has store credit or a credit card on file. The accounts are most likely shut down once irregular activity is noticed, hence the 12 hours the sellers suggest buyers have to make purchases.

A French site reports today that phishing attempts are being made via iChat. In the example they show, the phishing page asks for an Apple ID and password, and this information could be used to access an iTunes Store account as well.

For all of these reasons, users should protect themselves against phishing and malicious websites (using the powerful features in Intego VirusBarrier X6), and should keep a close watch on their credit card statements. If they find unexpected charges, they should immediately change the password for their Apple ID, and then follow up with Apple and their credit card company.

Researcher Points Out URL Hiding Trick on iPhone

Security researcher Nitesh Dhanjani has shown a way that attackers could trick users into trusting fake websites by hiding their real URLs. In a proof-of-concept example, Dhanjani shows that a web page can display an image of a Safari browser window, complete with a fake URL in its address bar. Once the page has loaded, Safari’s real address bar scrolls out of view, so users believe that the URL painted in the page is the one they are actually visiting. Phishing sites could easily build pages like this, leading users to believe they are on a legitimate site and convincing them to enter passwords, credit card numbers or other personal data.



One of the main reasons this works is the limited screen space on mobile phones such as the iPhone. Mobile Safari hides the address bar as soon as a page scrolls, so that users can see more of the page’s content, and a page can trigger that scroll itself right after it loads. Normally that is helpful, but it means that nothing the user sees inside the page can be trusted to tell them where they are.

iPhone users should be especially careful when loading pages for banks, shopping sites, and any other site where they enter sensitive information, if they reached those sites by tapping a link. When in doubt, scroll back to the top of the page to bring Safari’s real address bar into view, and check that the hostname is the one you expect; a URL drawn inside the page itself is just a picture.

Tabnabbing: Phishing with Browser Tabs

Aza Raskin of Mozilla has demonstrated a new type of phishing attack, which he calls tabnabbing, that takes advantage of the way people use tabs in browsers. In this attack, a user visits a malicious or compromised web page. If they leave that page for a certain amount of time, either for another tab in their browser or for another window, the page rewrites itself (its title, its favicon and its contents) to look like the login page of a service the user is likely to use. Since the user has many tabs or windows open, they may come back to it, assume they were logged out of that service, and log in again, handing their credentials to the attacker. In Raskin’s proof-of-concept example a Gmail login page is displayed, but it could just as well be a bogus bank page, a PayPal login page, or an Amazon.com page.

This proof-of-concept demonstration works in Firefox and Safari (as well as other WebKit browsers), but we have not tested it with other browsers.

For now, the browser gives no indication that a page has rewritten itself while you were away, so be extremely careful before logging into any webmail, bank or online commerce page you find waiting in an old tab. The one thing the page cannot change is the URL in the address bar, so if you see an unexpected login screen, check the URL carefully before entering anything.
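To make the mechanism concrete, here is an added example of the timing logic such a page uses. It is not Aza Raskin’s proof-of-concept code and not part of the original post; the article URL, the fake title and the favicon paths are invented, and the document is modelled as a plain object so the logic can run outside a browser. In a real page the controller would be driven by the visibilitychange (or blur and focus) events, and swap() would write to document.title, the favicon link element and document.body.

```javascript
// Added example of the tabnabbing mechanism, not Raskin's proof-of-concept
// code. The URL, titles and favicon paths below are invented.

const IDLE_MS = 5000; // how long the tab must be out of view before it changes

class TabnabController {
  constructor(doc, idleMs = IDLE_MS) {
    this.doc = doc;       // simulated document: { href, title, favicon, body }
    this.idleMs = idleMs;
    this.hiddenAt = null; // when the tab went out of view, or null if visible
    this.swapped = false;
  }

  // The tab lost focus (user switched tab or window): start the clock.
  // A second hidden event while already hidden keeps the original timestamp.
  onHidden(now) {
    if (this.hiddenAt === null) this.hiddenAt = now;
  }

  // The user came back. Rewrite only if they were away long enough to have
  // forgotten what this tab showed; a quick glance away would be noticed.
  onVisible(now) {
    if (this.hiddenAt !== null && !this.swapped && now - this.hiddenAt >= this.idleMs) {
      this.swap();
    }
    this.hiddenAt = null;
  }

  // Everything the user sees *inside* the tab is replaced: title, favicon
  // and body. The one thing the page cannot touch is doc.href, the URL the
  // browser shows in its address bar, which is why checking it works.
  swap() {
    this.doc.title = "Gmail: Email from Google";
    this.doc.favicon = "/fake/gmail.ico";
    this.doc.body = '<form action="/harvest">Sign in to Gmail ...</form>';
    this.swapped = true;
  }
}

// Run one scenario: the tab goes out of view at t=0 and comes back at
// t=awayMs. Returns the (possibly rewritten) simulated document.
function simulate(awayMs, idleMs = IDLE_MS) {
  const doc = {
    href: "http://harmless-article.example/post/123", // invented
    title: "A harmless article",
    favicon: "/favicon.ico",
    body: "<p>article text</p>",
  };
  const ctrl = new TabnabController(doc, idleMs);
  ctrl.onHidden(0);
  ctrl.onVisible(awayMs);
  return doc;
}

const brief = simulate(1000);
const long = simulate(60000);
console.log("away 1s :", brief.title, "|", brief.href);
console.log("away 60s:", long.title, "|", long.href);
```

The second line of output is the whole point: the title and body now claim to be Gmail, while the address bar still shows the original site. A user who compares the two notices the attack; one who trusts the page’s own appearance does not.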

New Type of Amazon.com Phishing E-Mail

We’ve discovered a new type of phishing e-mail purporting to be from Amazon.com. Unlike previous phishing e-mails, which tell recipients that they need to log into their accounts, this one merely shows products for sale. If the recipient is interested in one of these products, or simply clicks through to Amazon via one of the links in the e-mail, they end up on a phishing site. The e-mail contains a selection of products, none of which especially stands out as a high-demand item (such as iPods, mobile phones, computers, etc.).

We weren’t able to see exactly what happens when one clicks on a link in this e-mail, because by the time we got it the site was already down. It’s likely, however, that you’d be prompted to enter your user name and password before going any further.

But the e-mail is very well-crafted, and a user interested in one of the products would certainly be tempted to click a link. Since it is not the usual phishing e-mail that immediately says you need to reactivate your account, it draws less suspicion.

It looks like you’ll have to be more careful when clicking links in Amazon e-mails, or in any e-mail for that matter. You can always see where a link goes by hovering your cursor over it for a few seconds until its URL appears in a tooltip; then look at the hostname, the part between http:// and the next slash. And once the page has opened, check your browser’s address bar to make sure the URL is what you expect: the link text, the page’s logos and the sender address can all be faked, but the hostname in the address bar cannot.