{"id":6759,"date":"2017-02-23T08:41:04","date_gmt":"2017-02-23T16:41:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/02\/23\/news-550\/"},"modified":"2017-02-23T08:41:04","modified_gmt":"2017-02-23T16:41:04","slug":"news-550","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/02\/23\/news-550\/","title":{"rendered":"Did you order those iTunes movies? Nope, it\u2019s just phishing for Canadian Apple users"},"content":{"rendered":"

Credit to Author: Lilia Elena Gonzalez Medina| Date: Thu, 23 Feb 2017 08:37:16 -0800<\/strong><\/p>\n

\n

Over the weekend, we encountered an interesting variation of a phishing email targeting Apple users. The email contained an alleged receipt for five movies purchased from the iTunes Store that was so detailed that the user who received it, and who knows better, still almost fell for the scam.<\/p>\n

\"Phishing<\/p>\n

Figure 1. Phishing Apple email<\/p>\n

Similar cases<\/a> were reported in 2015 by users in the UK<\/a> and Australia<\/a>, except in those cases the fake receipt contained songs and books, respectively. Last year, similar emails targeting users in the US were also reported<\/a>, although they contained several errors that identified them as scams, such as: the word “Invoice” instead of “Receipt”, the lack of a valid value for the “Billed to” field, the wrong amount in the total, etc. The latest variation targeting Canadian users, however, does not seem to contain any of those mistakes. In fact, all the chosen movies are recent, which gives the email a more realistic appearance.<\/p>\n

Phishing website<\/h2>\n

At the bottom of the receipt, there’s a link to request a “full refund” in case of an unauthorized transaction. Needless to say, it does not redirect to the legitimate “My Apple ID” website, but to the URL hy654reewe(.)serveftp(.)org\/serveritunescanada\/index(.)html. Although this site was already offline at the time of this report, it was still possible to access the phishing website by replacing the domain name with the IP address, as shown in Figure 2, below.<\/p>\n

\"Fake<\/p>\n

Figure 2. Fake Apple website to steal credit card information<\/p>\n

To request a “refund, the victim is directed to fill out an online form. Besides the normal spaces for entering credit card and other personal information information, the form also includes fields for entering a “Social insurance number,” which is the number needed in Canada to work or to access government programs and benefits, as well as for a “Mother’s Maiden Name,” which is one of the frequently asked questions used to recover a forgotten password.<\/p>\n

\"POST<\/p>\n

Figure 3. POST request with the stolen data<\/p>\n

When the user fills out the form and clicks the “Cancel transaction” button, the data is processed in plain text with a PHP script. After the site steals the data, the user is then redirected to the legitimate Apple website. As a side note, the email address terjxxxx@online.no associated with this site is Norwegian.<\/p>\n

Other URLs found<\/h2>\n

In addition to the URL previously mentioned, further research led us to two other domains related to this phishing campaign that are also hosted on IP address 109.228.49.213:<\/p>\n