
Phishing Scam: Apple Store

Trend Micro, the antivirus company, runs a Malware Blog where they track all the bad stuff that can happen to your computer. Although the screenshots usually come from Windows machines, this week they had one up showing the Apple Store. Sneaky (and smart) phishers are sending emails claiming there is a problem with your billing and that the payment could not be processed. Pretty sneaky, considering how many people have likely just purchased a 3G iPhone. Very smart timing, if you ask me.

The email takes the user to an Apple look-alike site that asks for the “user’s credit card type, credit card number, expiration date, security code, billing address and social security number.” On top of the grief that comes with having your identity stolen, this information could give the phishers full access to every purchase that can be made from Apple: hardware, software, iTunes account, and iPhoto products.

This is one of the drawbacks of Apple’s great success. Unix is pretty solid and secure, but attackers have never put much effort into Macs because the economies of scale weren’t there. Now that Macs are becoming more popular, we will likely see more malware attempts aimed at Apple hardware, software, and customers. Hopefully, it won’t ever get as bad as it is on any PC.

Don’t click on links in emails. Go to the site directly instead. Check that you are actually on a secure website: the address will start with https://, and most browsers also show a lock in the status bar (Safari does not).
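The advice above boils down to not trusting what a link in an email says about itself. As an added example that is not part of the original post, this Python script does the check a careful reader would do by hand: it pulls every link out of an HTML mail body and flags it when the destination is not https, is not under the expected domain, or shows one hostname in its text while pointing at another. The trusted domain, the sample mail and the `.example` host are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domain the mail claims to come from.
TRUSTED_DOMAINS = {"apple.com"}
# Anything in the visible link text that looks like a host name, e.g. "store.apple.com".
HOST_IN_TEXT = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Last two labels of a host name; enough for apple.com-style names, not a full PSL lookup."""
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])

def check_link(href, text):
    """Reasons a link looks like a phish; an empty list means nothing odd was found."""
    reasons, target = [], urlsplit(href)
    if target.scheme != "https":
        reasons.append("not https")
    if registrable(target.hostname) not in TRUSTED_DOMAINS:
        reasons.append("destination %r is not under a trusted domain" % target.hostname)
    shown = HOST_IN_TEXT.search(text)  # the address the reader actually sees
    if shown and registrable(shown.group(1)) != registrable(target.hostname):
        reasons.append("text shows %r but the link goes to %r" % (shown.group(1), target.hostname))
    return reasons

def audit_email(html):
    """Map every link in the mail body to its list of warnings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}

# Constructed sample mail: a look-alike billing link plus a genuine-looking support link.
SAMPLE = ('<p>Update your billing details at <a href="http://apple.com.billing-update.example/login">'
          'https://store.apple.com/account</a></p><p><a href="https://www.apple.com/support/">Apple Support</a></p>')
```

Running `audit_email(SAMPLE)` flags the billing link three times (plain http, untrusted domain, text/destination mismatch) and leaves the support link clean.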

16 Responses to “Phishing Scam: Apple Store”

  1. Briana

    Enjoy surfing the internet for hours at a time.
    If you’re anything like me then you enjoy surfing the internet for hours at a time. There is so much information available I just seem to get wrapped up in it all. Of course, this means picking up bugs that can literally ruin my computer and cause it to run too slow. To take care of my PC I’ve been searching for a good scan to keep it bug free. I tried many different ones but I like Orbasoft Antispyware the best. With the antispyware solution from Orbasoft ( I get one of the best scans I’ve ever used at a great low price. This is exactly what I’ve been searching for.

  2. If you hold the cursor over the link in Mail, a pop-up box will appear with the correct address. Anything that is odd about the web address will be readily apparent. In the billing phish you get: Most people should quickly recognise that the address is fake and you are being phished.

  3. rwahrens

    “…the industry as a whole is struggling to find an effective solution.”

    I believe that this is really my point. To make the statement that Apple itself needs to step up to the plate is to be a bit shortsighted.

    With a user base of over twenty-five million users, many of whom are obviously well enough off to afford the more expensive high end Apple units, to say that Apple has not till now been an economic target is also shortsighted. Since the vulnerabilities in Windows are well known, and it is also well known that millions of them are never updated, THAT is why Apple is not targeted, combined with the fact that to work out ways to target them as bots is harder than to just use what works and won’t take additional work.

    Phishing works, and does not target a particular platform; all it takes is someone unaware of the dangers. That is why it is used, and it won’t go away until folks get the message.

    “…clearly your dissemination of this key piece of data isn’t working either.” It isn’t MY dissemination, any more than you claim the other solution. Obviously, the INDUSTRY hasn’t figured this out either, but they damn well should.

  4. Anonymous Coward

    Wikipedia ( has some basic information on the EV process as well as commentary on its usefulness. Yes, it’s not perfect but it seems that the industry as a whole is struggling to find an effective solution. The InformationCard model that I pointed out earlier has a number of benefits that show how to move beyond existing, weak, username/password solutions and some implementations take care to note “you have not visited this site before”. There’s even an implementation for OS X. Right now, it seems to be all about “raising the bar”.

    As for “your solution just isn’t working”, I’m not sure why this is “my” solution. You advocated the need for users to be aware that e-mail that leads directly to a site that requests personal information is bad, clearly your dissemination of this key piece of data isn’t working either ;-)

    BTW, I wonder if you assume that I’m trolling. That’s not the case. I use a selection of different hardware and software from multiple vendors, with Macs being my family’s primary machines. The point here is that Apple is going to be the next target; as a result of its success, it is now economically worthwhile for phishers to hit Apple users, and phishing against the Apple store itself is a great example of that.

  5. rwahrens

    No, those certificates are next to useless, they can be faked, and have been shown to have been. Then, where are you?

    I agree that OS manufacturers should step up, but then, perhaps, they should step up with something that WILL work and not something that just shows a false promise!

    In the meantime, perhaps the education half of your solution just isn’t working as well as it should?

  6. “this info could give the phishers full access to all purchases that can be made from Apple: hardware, software, iTunes account, and iPhoto products.”

    Umm… if they have your credit card info and SSN, they can buy anything from anywhere… not just Apple. I know this is “The Apple Blog” and all, but they’re not the only company that accepts credit cards for payment.

  7. Anonymous Coward

    Re: colored bars from rwahrens. I absolutely agree that the colored bars are not a silver bullet solution. Similarly user education alone is also not a silver bullet – we’ve been trying that one for years and people are still caught by phishers and still responding to Nigerian e-mails. The solution involves both the application of technology *and* user education and, in this case, there’s absolutely no reason for Apple to not step up and do more in their browser to enable the use of EV certificates and provide greater feedback to users to help trigger them to think a little more before entering their personal data on a rogue site.

    Over time, assuming that the adoption of Apple hardware+software continues to rise, it’s just not going to be sufficient for Apple to try to rely on claims that *nix is just more secure; they are going to have to work on the problems proactively. Remember a recent browser hacking contest? First to fall: Apple. It took a lot more time to take down Vista, and Linux didn’t break. With increased popularity comes increased responsibility.

  8. rwahrens

    No, those colored bars really don’t give you as much comfort as you think. They, too can be fooled.

    There is NOTHING like being aware that NOBODY sends an email to their customers with a link to follow where you are asked for personal information. One should ALWAYS go to your vendor’s site using your own bookmarks, or better yet, just calling them to settle any possible problems.

    That is a cross platform issue, and is not unique to Macs or PCs.

  9. I think the poster’s claim that many would have recently purchased an iPhone 3G is a little off, since it is not available for sale on the internet. Also, it’s iPhone 3G, not 3G iPhone. Naming is very important.

  10. Anonymous Coward

    Apple needs to step up and improve the support for EV SSL certificates in Safari; this is what eBay/PayPal have been complaining about recently. Both IE7 and FF have this and, in IE7, the green address bar or dark red one give clear signals to the user regarding the state of the connection to the site. I’d like to see browsers start linking their password stores not just to the site URL but also to the site certificate, as this would give another indication that the user hasn’t visited the site before. There’s also a lot of work going on with “Information Cards”, both from Microsoft and the open community; it’d be great to see Apple engage in that.