Security Response

Phishing the Apple Store

Created: 27 Sep 2010 19:17:21 GMT • Updated: 23 Jan 2014 18:24:50 GMT • Translations available: 日本語
By Mathew Maniyara

In September 2010, Symantec observed a phishing Web site that spoofed the Apple brand by mimicking the “My Apple” Web site of the Apple Store. The legitimate Apple Store Web site provides customers with the latest Apple news, software updates, and information on Apple products and services.

The phishing site prompted customers to update their profile information, purportedly so that they could continue to receive updates and news from Apple. The heading of the page stated “Complete the fields below, then click the Continue button to save”. The sensitive information requested was the Apple ID, password, customer’s name, credit card CVV number, and contact details. After the required information was entered and the “Continue” button was clicked, the phishing site returned an error message stating “Your session has timed out after a period of inactivity. Please return to the Store Menu to continue shopping”. The phishing site then redirected the victim to the legitimate Apple Store Web site, which created the illusion that a common error had occurred. In this way, the victim may not notice that the information had already been handed to the phishing site, and the fraudster would have successfully stolen it for financial gain.

The phishing site was hosted on a free Web-hosting site located on servers based in Canada. Although the domain name was a free Web-hosting domain, the phishing URL may appear to be legitimate at first glance due to the use of certain keywords that make the phishing URL resemble the legitimate URL. Below is an example:

hxxp://store.apple.*****.com/5.0.16.9.5.7.1.5.1.htm?store.apple.com [Domain name removed]
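The URL above borrows the brand twice: once as subdomain labels on a free-hosting domain, and once as query text that a casual reader mistakes for the hostname. The following added example (not from the original post or from Symantec) implements that check as a defensive URL heuristic; the allow-list and the placeholder hosting domain `example-freehost.com` are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> registrable domains that legitimately
# serve it. Extend for the brands you protect.
BRAND_DOMAINS = {
    "apple": {"apple.com"},
}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    This ignores multi-label public suffixes such as co.uk; a production
    deployment would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_spoof_indicators(url: str) -> list[str]:
    """Return human-readable reasons why a URL appears to borrow a brand
    name without being served from that brand's own registrable domain.
    An empty list means no indicator fired."""
    # Accept defanged "hxxp://" notation as used in security write-ups.
    url = url.replace("hxxp", "http", 1)
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    reasons: list[str] = []
    for brand, legit_domains in BRAND_DOMAINS.items():
        if reg in legit_domains:
            continue  # genuinely the brand's own domain; nothing to flag
        # Brand keyword used as a hostname label, e.g. store.apple.<free-host>.com
        if brand in host.split("."):
            reasons.append(
                f"'{brand}' appears as a hostname label but the registrable "
                f"domain is {reg}")
        # Brand domain text placed in the path, query or fragment so that it
        # shows up in the address bar, e.g. ...htm?store.apple.com
        for where, text in (("path", parts.path), ("query", parts.query),
                            ("fragment", parts.fragment)):
            if any(d in text.lower() for d in legit_domains):
                reasons.append(f"legitimate {brand} domain text found in URL {where}")
    return reasons
```

The heuristic is deliberately simple: it only matches the brand as an exact label, so it flags `store.apple.<host>.com` but not look-alikes such as `applestore`, which would need a separate edit-distance or typosquat check.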


Internet users are advised to follow best practices to avoid phishing attacks. Here are some basic tips for avoiding online scams:

• Do not click on suspicious links in email messages.

• Check the URL of the website and make sure that it belongs to the brand.

• Type the domain name of your brand’s website directly into your browser’s address bar rather than following any link.

• Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.

Thank you to the co-author of this blog, Ravish Bagul.