New phishing scam targets Apple's iTunes users
updated 10:40 pm EDT, Tue May 20, 2008
Apple iTunes targetted
Apple's widely recognized iTunes is being used to lure users to a phishing scam that could allow hackers to obtain private credit card and personal information. The world's most popular music store is being used as part of a series of sophisticated identity theft attacks for the first time, a security company noted on Tuesday. The Computerworld report says that users began receiving spam email messages on Monday telling them that they must correct a problem with their iTunes account; however, the link leads to a third-party site masquerading as an iTunes billing update page: "that phony page asks for information including credit card number and security code, Social Security number and mother's maiden name," the report noted.
There have, however, been previous reports of "bogus" electronic iTunes certificates, scams targeting .Mac users with an email saying that Apple purportedly was unable to process their most recent payment, and phishing scams targeting Apple users, but Apple has not setup a specific email for users to report the problem, but provides some (very basic) information on Identifying phishing emails.
Phishing scams often target banks, where personal information can be used to steal a victim's identity and even take money from their accounts; however, the new scam is a new twist on the usual phishing attack, said Andrew Lochart, an executive with e-mail security vendor Proofpoint Inc. "We've gotten used to seeing the usual companies and brands attacked," he said, "like PayPal, eBay and Citibank. But we've never seen Apple as the target."
Lochart said the phishing campaign is likely being used because of its popularity and reach among users -- "that the bad guys see Apple's online presence as large enough to be a target." But he also noted that the demographics of iTunes users may also be part of the target.
"I wonder if the bad guys are thinking that [iTunes users] are younger than those for some of the other phished sites, like banks and eBay," he told the publication. "The way that teenagers and young adults use the Internet, they show a certain level of trust or openness when they post their name and age and school on MySpace."
