Over at Netcraft — the Internet services company that provides data mining, fraud and phishing defense, and security testing — an employee discovered a notable phishing scam targeting iTunes users, hosted on Honda’s website.
The employee, Nicholas Hatter, reached out to share his findings.
The scam appears to have affected Honda’s Brazilian site: an HTTPS page on that domain, served with an SSL certificate, redirected visitors to a counterfeit page built to imitate iTunes Connect.
Unsuspecting users who entered their credentials on the counterfeit page had their details stolen. Those credentials could be used for unauthorized purchases, and collected email addresses might be sold or used for further spam or phishing campaigns.
It’s important to emphasize that Honda was likely unaware of the fraudulent content hosted on its site; the company’s domain was probably used as a front to lend credibility to the scam. How many users were deceived remains unclear.
After Netcraft reported the issue, the fraudulent page was taken down.
Phishing targeting iTunes users is not new. Apple maintains guidance for users on recognizing phishing and distinguishing legitimate emails from the iTunes Store. Two Apple support pages address these concerns: one on identifying fraudulent “phishing” email and another on recognizing authentic iTunes Store messages.
Many accounts of such attacks blame the victims for being fooled, but the reality is that some scams are deceptively simple and can fool anyone.
For example, one common email scam notifies a recipient of an implausibly large iTunes charge — say, $692.99 for an album — to trigger panic. The email includes a link to “review” the order; when clicked, the link can install malware or Trojans that capture login credentials and other sensitive information.
Luis Corrons, Technical Director of PandaLabs, noted: “It never ceases to surprise us that the techniques used to trick victims continue to be so simple.”
In the Mercury News, Valerie Gould recounts being charged more than $650 in PayPal iTunes transactions and urges everyone to monitor their account statements closely.
Are companies like Apple doing everything they can to prevent fraudulent transactions, or does the burden fall on educating consumers? The answer likely involves both stronger preventive measures from service providers and continued user awareness and vigilance.