iTunes Users Become Phishing Targets
by Eric March on May 29, 2008 at 6:48 pm
Since we’re on the subject of security, phishing has taken a new tack recently. It seems that phishers are now targeting iTunes users in attempts to steal their personal information.
The scam this time around attempts to convince users that there is a problem with their iTunes billing information, and directs them to a fake Apple page that asks them to update their particulars, including credit card information with the security code, social security number, and security question, such as their mother’s maiden name.
iTunes is thought to have been targeted because of the generally younger demographic it appeals to; scammers evidently feel that more of the younger crowd use iTunes, and that being younger they are likely to be more naïve and trusting than experienced folks, and therefore more likely to fall for it.
Scams like this are nothing new; eBay and PayPal have both been very common targets for this sort of phishing scam, to say nothing of various banks. This is the first time a consumer application has been targeted, however.
The scam is not very sophisticated, though. No real attempt has been made to obfuscate the link URL, which doesn’t look a thing like a real Apple URL to anyone who’s paying the slightest bit of attention. Nevertheless, the teens and young adults who are the most likely to get hooked by this may not think to pay attention to something like that, so it is always a good idea to exercise caution when dealing with any E-Mails purporting to be from a large company. As a reminder, here are some basic precautions to take with E-Mails of any sort:
- Do not click links in an E-Mail unless they are from a trusted, verified source.
- Always check the URL of a link in an E-Mail, even if it’s from a trusted, verified source. If it does not appear to be pointing to where it says it’s supposed to be going, do not click it. Do not be fooled by legit-looking URLs. One of the most common ways of attempting to look like a real company page is to make the company’s name a subdomain of the scammer’s own domain. (e.g. “http://www.ebay.com-fakeurl.info” — note the dash after “.com”. The dash, and whatever comes after it, is part of the domain name, which makes “www.ebay” a subdomain of “com-fakeurl.info”.)
- If a company has an issue with your account, go to that company’s website manually and log in yourself. If the problem is real, it will likely notify you of such once you log in.
- Even if you do click a link, check your browser’s status or URL bar to make sure that the page you are logging into is secure (usually represented by a lock icon). If it is not, do not log in. Real companies would never have unsecured account pages.
- Look for spelling and grammatical errors. You can be pretty sure that any big company is going to have their form mails proofread for mistakes, just as you can be pretty sure that it’s going to be worded properly. If the E-Mail looks like it was written poorly, you can almost guarantee that it is fake.
- Companies never store a credit card’s security code, and never ask unless you are making a purchase. That defeats the whole purpose of the code, which is there to make sure that you have the physical card with you by making you check it for the security code each time you use it.
- Likewise, companies will never ask for your social security number. There is absolutely nothing they would require it for, so there is no reason to ask.
- No company will ever send an unsolicited attachment no matter what the E-Mail says it’s for.
If, even after all of that, you are still in doubt, err on the side of caution and just avoid it or have someone in the know inspect it for you. It only takes one lapse in judgment to become a victim of identity theft.
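The URL check from the list above, as an added example that is not part of the original article: it reads the real hostname behind each link in an HTML E-Mail and flags any that is neither the trusted domain nor a true subdomain of it. The sample message, the `.example` hostnames and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def link_host(url):
    """Return the lowercase hostname a browser would actually connect to."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:          # malformed URL: treat as having no usable host
        return ""
    return host.rstrip(".").lower()

def belongs_to(host, trusted_domain):
    """True only if host is trusted_domain itself or a real subdomain of it."""
    trusted = trusted_domain.lower()
    # The leading dot matters: "www.ebay.com-fakeurl.info" does not end in ".ebay.com".
    return host == trusted or host.endswith("." + trusted)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html_body, trusted_domain):
    """Return (href, text) for every link that does not lead to trusted_domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    return [(href, text) for href, text in parser.links
            if not belongs_to(link_host(href), trusted_domain)]

# Constructed sample message (not taken from a real phishing e-mail).
SAMPLE_EMAIL = """
<p>There is a problem with your billing information.</p>
<a href="http://www.apple.com-billing.example/update">http://www.apple.com/itunes</a>
<a href="http://www.apple.com@login.example/">Update now</a>
<a href="https://www.apple.com/support/">Apple Support</a>
"""

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_EMAIL, "apple.com"):
        print(f"link text {text!r} really goes to {link_host(href)}")
```

A link that passes this check only points at the expected domain; logging in by typing the company's address yourself remains the safer habit.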