ESET Ireland has discovered a phishing email being sent to Irish iTunes users that may deceive them into thinking it’s official while it connects them to a fake iTunes Connect log-in site built to harvest their information.
Urban Schrott, IT security and cybercrime analyst with ESET Ireland, warns that the confidence iTunes users have in the Apple platform can work against them when it comes to social engineering, particularly phishing scams, wherein cyber-criminals build websites to look as much like official iTunes content as possible in order to collect users’ account details.
Using visual cues from Apple, the email that has been picked up by the IT security company gives the illusion of being from an official source. A link within the email redirects users to a website that several anti-virus vendors have associated with malware distribution. However, on first appearances, the site looks legitimate and requests that the user log in.
Example of the phishing email discovered by ESET Ireland. Image via Urban Schrott
As this site is built to harvest user data rather than verify it, users could enter any old thing and still be granted access – a quick test for users to try out on suspicious-looking sites.
The website users are directed to via the iTunes phishing email. Image via Urban Schrott
Once the ‘log in’ is complete, users are asked to confirm personal details, including their credit card number and security code – information Apple would never ask for via email.
The phishing webpage requesting users’ credit card information. Image via Urban Schrott
Anyone who believes they have been caught out by this scam is advised to change their log-in information immediately. If credit-card information has been handed over, Schrott advises consumers to cancel the card in question and take steps to limit the potential damage that could result from exposing credit-card details.