Saturday, 17 January 2015

In response to an increase in VAT in the EU and currency changes Apple Phishing

An Apple phishing email using the lure "In response to an increase in VAT in the EU and currency changes" is currently doing the rounds.

Lots of different From addresses and Subjects, a few of them shown here:

Sample Message headers:
Subject: Account deactivated - action required
Subject: Account information expired
Subject: Account information update required
Subject: Account temporarily suspended - action required
Subject: Account verification failed
Subject: Account verification required
Subject: Apple account verification required
Subject: Apple account verrification failed
Subject: Apple billing information expired
Subject: Apple verification failed
Subject: Billing information expired
Subject: Billing information update required
Subject: iCloud Account verification failed
Subject: iCloud Billing information expired
Subject: iTunes Account verification required
Subject: iTunes billing information expired
Subject: Please confirm your account details
Subject: Please confirm your billing details
Subject: Please update your account details
Subject: Please update your account information
Subject: Your account information needs to be updated
Subject: Your Apple account requires verification
From: "Apple Co"
From: "Apple Ltd"
From: "Apple Org"
From: "Apple SarL"
From: "Apple support"
From: "AppleID Support"
From: "Your Apple support"

Sample Message body:
Dear Customer
We are contacting today with regard to the device(s) linked to your iTunes account.

In response to an increase in VAT in the EU and currency changes, Auto-renewing subscriptions within Apps from the Apple Store have all been cancelled, as a result of last week's VAT-related price change.

Such auto-renewals allow users to subscribe to in-app purchases through a recurring payment.

It has come to our attention that payment for one or more recent purchases from the Apple store has not yet been fulfilled.

The following product(s) require an active billing method to be present in order to be used;

Item: NAME.OF.APP-V1.19.91
Date of Purchase: 17 Jan 2015

We require Apple ID users to have an active billing method present on their account in the event that any purchases and / or subscriptions can be fulfilled accordingly.
In order to continue using your favourite applications and to prevent your iTunes account being suspended, please click here to validate your Apple ID.

This procedure must be completed within 24 hours.

The links in the above email take you to a phishing site:
http://srv2-direct.com/adsl/fray/8734274APP37429956/
The phishing site will also ask you to hand over your credit card details.

On the same URL as the Apple phishing link, the hackers have created three other folders,
two for a Netflix phish and one for Apple phishing:
http://srv2-direct.com/adsl/fray

directory 448945121544849451                  17-Jan-2015 11:45        -       
directory 48456815615514                      17-Jan-2015 11:46        -       
directory 8734274APP37429956                  17-Jan-2015 11:46        -       
unknown LONGER NUMBER IS OLD REDIRECT SH... 15-Jan-2015 12:31       0k       
These sites all redirect to:
http://en.netfilx.com-usrauth-subscribe286s9f8w.server169188.de/
which then hosts the Apple and Netflix phishing pages on the same host.

Cheers,

Steve
Sanesecurity.com
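
As an added example (not part of the original post), here is a small Python triage check built from the indicators listed above: an Apple display name on a non-Apple sender address, the topic-plus-pressure wording of the sample subjects, links that leave the brand's domains, and a hostname with a TLD-like label buried on the left, as in the redirect target. The accepted Apple domains, the indicator names and the sender address in the sample message are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains accepted as genuine for mail that presents itself as Apple.
APPLE_DOMAINS = ("apple.com", "icloud.com")
BRAND = re.compile(r"apple|icloud|itunes", re.I)
# Derived from the sample subjects above: a topic word plus a pressure word.
TOPIC = re.compile(r"\b(account|billing|verr?ification)\b", re.I)
PRESSURE = re.compile(
    r"\b(deactivated|expired|suspended|failed|required|requires|confirm|updated?)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def under(host, domains):
    """True when host equals, or is a subdomain of, one of the domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def embedded_tld(host):
    """True when a label left of the real domain starts like a TLD ('com-usrauth...')."""
    labels = (host or "").lower().split(".")
    return any(re.match(r"(com|net|org)(-|$)", label) for label in labels[1:-2])

def findings(raw):
    """Return the indicators present in one raw RFC 5322 message (text parts only)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    hosts = [urlsplit(u).hostname or "" for u in URL.findall(body)]
    claims_apple = bool(BRAND.search(name + " " + subject))
    out = []
    if BRAND.search(name) and not under(addr.rpartition("@")[2], APPLE_DOMAINS):
        out.append("display-name-mismatch")
    if TOPIC.search(subject) and PRESSURE.search(subject):
        out.append("pressure-subject")
    if claims_apple and any(h and not under(h, APPLE_DOMAINS) for h in hosts):
        out.append("off-brand-link")
    if any(embedded_tld(h) for h in hosts):
        out.append("embedded-tld-host")
    return out

# Constructed sample: the sender address is invented; the link is the one quoted above.
SAMPLE = (
    'From: "AppleID Support" <billing@mailer.example>\n'
    "Subject: Apple account verrification failed\n\n"
    "Validate your Apple ID: http://srv2-direct.com/adsl/fray/8734274APP37429956/\n"
)
```

Calling `findings(SAMPLE)` reports the display-name mismatch, the pressure subject and the off-brand link. The redirect host trips only `embedded_tld`, because its brand label is misspelled and a plain substring match on the brand name would miss it.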
