Recently, we came across a phishing attack targeting Australian Apple Store customers. The phishing scam claims to offer a $AU100 Apple Store credit when buying a $9 Australian Dollar Apple discount card. Does it sound legit or too good to be true?
There are obvious signs that tell you right away that this is a phishing scam. First, the English is not quite right. Second, in order to buy the discount card, the user needs to open an attached HTML form and fill it out with sensitive personal information and credit card details. That's not all, the form also asks for your credit card limit and Visa/MasterCard SecureCode password, really??
We examined the HTML phishing form and investigated the website where the data was sent when clicking the submit button. The webserver (specifically hosting a blog which probably was hacked) has directory listing enabled. We found 2 new files related to the phishing scam, the phisher's PHP script file and a .Txt file that contains the phished data.
Based on the language used in the log, there is a hint that a Romanian phisher is possibly behind this campaign. Unfortunately, there were also a handful of victims' data found in the log.
For the record, Apple is not in the habit of attaching HTML forms to emails and then asking you to enter sensitive data. But despite all the suspicious signs found in this email, many on-line users were still lured.
Again we say, be particularly leery of any HTML email attachment requiring you to enter sensitive information.
Note: We have informed the owner of the hacked website about this. One of the comments in the blog raised his concern. Tut tut indeed!
The blog owner seems to be aware and posted this: