Trend Micro, the antivirus company, has a Malware Blog where they track all the bad stuff that can happen to your computer. Although the screenshots come from Windows machines, they did have one up this week that showed the Apple Store. Sneaky (and smart) phishers are sending emails that say there is a problem with your billing, and they weren’t able to process the payment. Pretty sneaky considering there are likely a lot of people who have just purchased a 3G iPhone. Very smart timing, if you ask me.

The email takes the user to an Apple look-alike site that asks for the “user’s credit card type, credit card number, expiration date, security code, billing address and social security number.” In addition to the grief that comes with having your identity stolen, this info could give the phishers full access to all purchases that can be made from Apple: hardware, software, iTunes account, and iPhoto products.

This is one of the drawbacks of Apple’s great success. Unix is pretty solid and secure, but people have never put much effort into attacking Macs because of the economies of scale. Now that Macs are becoming more popular, we will likely see more malware attempts aimed at Apple hardware, software, and customers. Hopefully, it won’t ever get as bad as it is on any PC.

Don’t click on those links in emails. Go to the site directly, and check that you are using a secure website: the address will start with https:// or the browser will show a lock in the status bar (not in Safari).

  1. Brendan West Saturday, July 5, 2008

    You guys really should point out for Safari users a lock icon DOES appear in the upper right corner of a Safari window when you’re in a secure protocol (HTTPS).

  2. Anonymous Coward Saturday, July 5, 2008

    Apple needs to step up and improve the support for EV SSL certificates in Safari – this is what eBay/Paypal have been complaining about recently. Both IE7 and FF have this and, in IE7, the green address bar or dark red one give clear signals to the user regarding the state of the connection to the site. I’d like to see browsers start linking their password stores to not just the site URL but also the site certificate as this would give another indication that the user hasn’t visited the site before. There’s also a lot of work going on with “Information Cards”, both from Microsoft and the open community; it’d be great to see Apple engage in that.

  3. David Cintron Saturday, July 5, 2008

    I think the poster’s claim that many would have recently purchased an iPhone 3G is a little off since it is not available for sale on the internet. Also it’s iPhone 3G, not 3G iPhone. Naming is very important.

  4. No, those colored bars really don’t give you as much comfort as you think. They, too, can be fooled.

    There is NOTHING like being aware that NOBODY sends an email to their customers with a link to follow where you are asked for personal information. One should ALWAYS go to your vendor’s site using your own bookmarks, or better yet, just calling them to settle any possible problems.

    That is a cross platform issue, and is not unique to Macs or PCs.

  5. Anonymous Coward Saturday, July 5, 2008

    Re: colored bars from rwahrens. I absolutely agree that the colored bars are not a silver bullet solution. Similarly user education alone is also not a silver bullet – we’ve been trying that one for years and people are still caught by phishers and still responding to Nigerian e-mails. The solution involves both the application of technology *and* user education and, in this case, there’s absolutely no reason for Apple to not step up and do more in their browser to enable the use of EV certificates and provide greater feedback to users to help trigger them to think a little more before entering their personal data on a rogue site.

    Over time, assuming that the adoption of Apple hardware+software continues to rise, it’s just not going to be sufficient for Apple to try to rely on claims that *nix is just more secure, they are going to have to work on the problems proactively. Remember a recent browser hacking contest? First to fall…Apple, it took a lot more time to take down Vista and Linux didn’t break. With increased popularity comes increased responsibility.

  6. “this info could give the phishers full access to all purchases that can be made from Apple: hardware, software, iTunes account, and iPhoto products.”

    Umm… if they have your credit card info and SSN, they can buy anything from anywhere… not just Apple. I know this is “The Apple Blog” and all, but they’re not the only company that accepts credit cards for payment.

  7. No, those certificates are next to useless, they can be faked, and have been shown to have been. Then, where are you?

    I agree that OS manufacturers should step up, but then, perhaps, they should step up with something that WILL work and not something that just shows a false promise!

    In the meantime, perhaps the education half of your solution just isn’t working as well as it should?

  8. Phishing Warning Concerning Apple | Mac Tricks And Tips Saturday, July 5, 2008

    [...] to trick users into giving their personal banking information away. Of course it’s a scam. I thank The Apple Blog and Malware Blog for bringing this to my [...]

  9. Anonymous Coward Saturday, July 5, 2008

    Wikipedia (http://en.wikipedia.org/wiki/Extended_Validation_Certificate) has some basic information on the EV process as well as commentary on its usefulness. Yes, it’s not perfect but it seems that the industry as a whole is struggling to find an effective solution. The InformationCard model that I pointed out earlier has a number of benefits that show how to move beyond existing, weak, username/password solutions and some implementations take care to note “you have not visited this site before”. There’s even an implementation for OS X. Right now, it seems to be all about “raising the bar”.

    As for “your solution just isn’t working”, I’m not sure why this is “my” solution. You advocated the need for users to be aware that e-mail that leads directly to a site that requests personal information is bad; clearly your dissemination of this key piece of data isn’t working either ;-)

    BTW, I wonder if you assume that I’m trolling. That’s not the case. I use a selection of different hardware and software from multiple vendors, with Macs being my family’s primary machines. The point here is that Apple is going to be the next target: as a result of its success, it is now economically worthwhile for phishers to hit Apple users, and phishing against the Apple store itself is a great example of that.

  10. Appleníaco » Phishers use a site resembling the Apple Store to steal information Saturday, July 5, 2008

    [...] Source: The Apple Blog [...]
