Anti Virus Softwares

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 11 August 2008

iTunes Store Phish

Posted on 14:51 by Unknown
In the middle of my 5,000 copies of the newest CNN Alert spam, I had an email from iTunes. I have to tell you, it made me mad. I assumed it meant that my children had been shopping on my iTunes account, and had done something wrong with my account. (love you, K-Dub! love you, Zach!)

And that's why I thought it worth writing about. We hear so much about Phishing, and its almost always described as "a counterfeit bank website", and then usually the definition is extended to say "mumblemumble Paypal mumblemumble eBay", since they don't really fit in to the "banking" concept of Phishing.

The subject of the email was "Important: Billing Problem" and the From: address was "iTunes Store".

The punchline of the email was:


We were unable to process your most recent payment. Did you recently change your bank, phone number or credit card?

To ensure that your service is not interrupted, please update your billing information today by clicking here , After a few clicks, just verify the information you entered is correct.




The "click here" part pointed to this website:

http://www.rofilme.net/m_subtitrari/store.apple.com/us/

which does a pretty good job of looking like an Apple Store, doesn't it?



Clearly this particular criminal is relying on the fact that we aren't going to suspect a non-banking site of being phishing. More evidence? The same site where this phishing site is hosted, "rofilme.net", was used last week as an AOL Billing phish, with the address:

http://www.rofilme.net/m_subtitrari/my.screename.aol.com/_cqr/login/sitedomain/bill.aol.com/sslsecure/update/

Its a rather complex phish . . . the Apple Store phish actually runs a "verify.php" file on another server, http://www.satc.net/gallery/washington_d.c./verify.php, which stores the stolen data in a .txt file. The first set of credentials was given up right at six hours ago, and so far there are 44 plausible sets of identities in the file. Not a huge harvest, but enough to cause a headache for at least 44 people.

The format of the harvested identities text file looks like this:

-----------------------------------
FirstName : Txxxx
Last name : Bxxxx
Address : 9xxxxxx
City : Sxxxxx
State : Tx
Zipcode : 79549
Country : US
PhoneNumber Ext : 3xx
Phone : 5xx.xxxx
Card number : 40034xxxxxxxxxx
Expiry month : January
Expiry year : 11
CVV2 : xxx
Mother's maiden name : bxxxxx
SSN : 462xxxxxx
Birth day : 24
Birth year : 1951
Birth month : 09
Email : txxxxx@yahoo.com
Password : xxxxx
Mon Aug 11, 2008 2:22 pm
6x.1xx.2xx.6x
------------------------------

As you can see, I gave some "xxxx" to protect this person's identity.

So, just a reminder, gentle reader . . . when someone wants your identity, it doesn't have to be a BANK site to be a PHISH.
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in phishing | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • From Russia, With Love . . . new Postcard spam spies on your PC
    Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evenin...
  • Happy New Year! Here's a Virus! (New Year's Postcard malware)
    I've been busy this week looking at the various defacements (see ComputerWorld , and ABC News ) and other cyber attacks (see yesterday...
  • ACH Spammer switches to Shortened URLs
    For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domai...
  • Tempting Photo Attachments Lead to Fake AV
    One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks. A subject line, fo...
  • Indictments reveal $77 Million in Illegal Pill Sales
    Congratulations to the Daytona Beach FBI, US Attorney Robert O'Neill, and their colleagues at IRS and FDA. The Daytona Beach News report...
  • Most Dangerous Cities for Cyber Crime?
    Symantec Riskiest Cybercrime Cities Symantec released a study today in conjunction with Sperling's Best Places today. According to thei...
  • Morocco based "Team Evil" reroutes prominent Israeli websites
    After more than 10,000 websites being defaced in protest of Israeli actions in Gaza, Morrocco-based defacement team "Team Evil" ha...
  • Minipost: Google v. Pacific WebWorks
    I blogged recently about the "Google Jobs" scammers who were abusing Twitter, Blogspot, Google Reader, and spaces.live.com by crea...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • WIRED: November Jargon Watch & Forensics?
    One of my NASA buddies (hi, Lisa!) dropped by last week for coffee and to catch up on the world of information management. When I introduce...

Categories

  • Blogs
  • Calendar
  • china
  • Communities
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • Drivers
  • email
  • Excel 2007
  • facebook
  • fake av
  • Features
  • Firewall
  • Gadgets
  • gumblar
  • Hardware
  • Hotmail
  • IE7
  • Internet Explorer 7
  • koobface
  • law enforcement
  • malware
  • Microsoft
  • Outlook
  • pharmaceuticals
  • phishing
  • PowerPoint 2007
  • public policy
  • Ready Boost
  • ReadyBoost
  • Security
  • Sidebar
  • Software
  • spam
  • Tutorials
  • twitter
  • twitter malware
  • USB
  • Virtual PC
  • Vista
  • waledac
  • Wallpaper
  • Websites
  • Windows
  • Windows Live
  • Windows Vista
  • Word 2007
  • zbot

Blog Archive

  • ►  2013 (17)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ►  2009 (93)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (7)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ▼  2008 (109)
    • ►  December (7)
    • ►  November (17)
    • ►  October (12)
    • ►  September (10)
    • ▼  August (23)
      • Hurricane Gustav: Fraud Watch
      • Banking Digital Certificate Malware in Spam
      • E-cards Run Wild. Where are the Anti-Virus Compan...
      • Leave Those Viruses at SCHOOL!
      • Celebrity Spam-Off: Will Paris Hilton Overtake An...
      • Shadow Botnet case may yield spammer Leni Neto
      • More Online Pharmacy Affiliates Indicted
      • Evidence that Georgia DDOS attacks are "populist" ...
      • One third of current spam points to malware sites
      • New BBC spam mocks Georgia's President, Spreads Ne...
      • Can You Pick the Real MSNBC.Com Breaking News?
      • MSNBC Breaking News replaces CNN Spam Wave
      • Anti-Virus Products Still Fail on Fresh Viruses
      • iTunes Store Phish
      • Features and Tutorials
      • The UAB Spam Data Mine: Looking at Malware Sites
      • TJX Update: The San Diego Indictments
      • TJX Update: The Boston Indictments
      • Linking all the News Spam together (CNN.com Daily ...
      • CNN Spam Diversifies . . .
      • TJX Reminder: "We Will Arrest You, and We Will Sen...
      • CNN Lends Authenticity to News Spam
      • Another Insider Busted: Countrywide Financial Analyst
    • ►  July (14)
    • ►  June (3)
    • ►  May (8)
    • ►  April (6)
    • ►  March (2)
    • ►  February (3)
    • ►  January (4)
  • ►  2007 (37)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  April (2)
    • ►  March (2)
    • ►  February (2)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile