A cautionary note for anyone who receives an e-mail from Apple informing them they need to update their billing information — it’s a scam. This morning, I almost fell for it because it looked pretty darn good — but there’s always signs underneath the surface of the e-mail that I look for. Continue reading to see the details.
To cut to the chase, here is what the e-mail looks like:
(In the body, it’s an advertisement for Apple’s MobileMe service, and below that, the phishing attempt happens)
We were unable to process your most recent payment. Did you recently change your bank, phone number or credit card?
To ensure that your service is not interrupted, please update your billing information today by clicking here [Link removed], After a few clicks, just verify the information you entered is correct.
Personally, I’ve become accustomed to receiving advertising from Apple and this e-mail appeared to have many of the same characteristics of their other e-mails. Just below the marketing (the point which exploits my trust), is the call to action to update my account. One sign this was obviously a fake was the fact I don’t subscribe to the MobileMe service, in addition to the lack of personalization of it. Ironically, they did manage to send their e-mail to an account I did use with iTunes, but that could merely be coincidental.
To be safe, I examined the headers, and confirmed my suspicions that it was indeed a fake. In Mozilla Thunderbird, you can press CTRL + U to view the headers. Here is an excerpt:
Received: from rly-me08.mx.aol.com (rly-me08.mail.aol.com [172.20.83.42]) by air-me07.mail.aol.com (v121_r2.12) with ESMTP id MAILINME071-9cd48e08b60f5; Mon, 29 Sep 2008 04:02:01 -0400 Received: from mercury.mindspring.co.za (mercury.mindspring.co.za [220.127.116.11]) by rly-me08.mx.aol.com (v121_r2.11) with ESMTP id MAILRELAYINME081-9cd48e08b60f5; Mon, 29 Sep 2008 04:01:41 -0400 Received: from User (unknown [18.104.22.168]) (Authenticated sender: test) by mercury.mindspring.co.za (Postfix) with ESMTP id 4F0F5488474; Mon, 29 Sep 2008 10:01:05 +0200 (SAST)
In the red-colored text above is the source of this e-mail. I know that Apple isn’t based out of South Africa (.za) nor are they going to relay mail, which is what this phisher did. Likely, the relayed the mail through a compromised host in an effort to conceal their identification. A quick check on the IP Address, provided by DNSStuff, informs me that the actual sender was based out of Macedonia.
Adding up all these pieces, I conclude this is a fake and I hope I helped you realize the same. In the event any company e-mails you that your contact information is outdated and requests you to update it, go directly to the trusted site and navigate to your billing. For Apple, that is using iTunes and clicking on your iTunes Account button located along the upper right corner of the iTunes Store or manage your Apple account by accessing https://myinfo.apple.com/, which is advised by Apple’s knowledge base.
Please share this with your friends and peers who use Apple, so they can also protect themselves.