Phishing scam dupes hundreds of MobileMe users
Security firm finds hacker stash, traces victims to MobileMe billing ruse
Computerworld - A recent phishing scam targeting users of Apple Inc.'s .Mac and MobileMe online services has successfully duped hundreds into divulging credit card and other personal information, a security company said today.
According to Dan Clements, president of CardCops Inc., an identity protection service of Trumbull, Conn.-based Affinion Group Inc., the phishing campaign scammed between 100 and 200 people with mac.com addresses in just one day.
CardCops, which uses automated bots and human investigators to scour the Internet's underbelly -- the chat rooms, sites and message forums frequented by cybercriminals -- uncovered a stash of records on a server that hackers use to house stolen information.
"We found 20 different files parked on the server," said Clements, "each file with two or three or four, up to 20, profiles." Computerworld, which was allowed to view the profiles, verified that the records, or "full profiles" as Clements dubbed them, included full names, mailing addresses, credit card numbers, card security numbers, birth dates, mother's maiden names, and e-mail addresses and passwords.
"Cumulatively, there were about 300 profiles collected in that one day," Clements said. "And 100 to 200 were mac.com addresses."
After some additional investigation -- which included calling many of the victims to verify that they'd fallen for the ploy -- CardCops pieced together the crime. "We realized that it was a phishing attack, of course, but also that these phishers timed it with an Apple event."
Clements referred to the recent migration Apple conducted for subscribers of its older .Mac online service to MobileMe, the successor that launched just over a month ago. "It looks like that raised the conversion rate of their captures," he added, explaining the phishers' success rate in tricking people into giving up credit card and other confidential information.
Earlier this week, Macworld, a Computerworld sister publication, reported a phishing attack using messages masquerading as Apple's to ask MobileMe users to re-enter their credit card information because of a billing problem.
The message was convincing. "Some of the users who we talked to were very sophisticated users. But they still fell for this attack," said Clements.
Researchers at Trend Micro Inc. agreed that the attack was slick. In a blog post Tuesday, Trend's Jovi Umawing said the message "looks clean and sleek, the text courteous and professional, hardly the kind that instantly gives away [it] away as a fake or scam." He also noted that some of the links in the bogus mail actually lead to legitimate Apple pages.
Clements pinned some of the responsibility on users' trust in Apple. "Absolutely the case," he said when asked if Apple customers' faith in the company was a factor in getting so many to divulge information.
The MobileMe scam wasn't the first time that phishers have used the Apple brand to fake out consumers. In May, criminals hit iTunes users with sophisticated identity theft attacks, again claiming that credit card problems required them to re-enter information to update their accounts.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Cybercrime and Hacking White Papers | Webcasts