Macworld - A "vast phishing attack" that attempts to capture the credit card information of Apple customers was launched on Christmas day, according to a report from Mac security-software company Intego.
In a posting on its Mac Security blog, Intego says that the attack is an attempt to fool Apple customers into clicking on a link under the guise of updating the billing information of their Apple accounts.
If you click on the link in the message, you will be taken to a realistic looking sign-in page, then, after entering your Apple ID and password, you'll be taken to a page asking you to update your account profile, notably entering your credit card information. Again, this page looks realistic, and many of the elements it contains are taken from Apple's own webpages.
Intego reports that the messages are being sent with the subject "Apple update your Billing Information" from a spoofed email address of "email@example.com," though of course future emails from the same source might vary somewhat.
If you hover your mouse over the hyperlink in the (impressively forged) email address, you'll see a floating box that reveals the real destination of that link: the telltale chain of four numbers that specifies a numeric IP address, rather than a link to somewhere within the apple.com domain. As Intego rightly points out, "if it's not something.apple.com (it could be www.apple.com, store.apple.com, or something else), then it's bogus."
In addition to hovering your cursor over any links before you click on them, another way to stay secure is to enter links yourself in your browser rather than click on them in emails. If you type store.apple.com into your browser, you know it's a legitimate site. If you're using Safari any secure connection to Apple (i.e., any URL beginning with https: rather than http:) will show a green verification item in the top right corner of the address bar. (There are similar indications in other browsers.) And no legitimate site will ask for personal information, especially of the credit-card variety, without using a secure connection.
This isn't the first such scam posing as an email from Apple recently. In a less sophisticated attack earlier this month, a fake MobileMe message requested that users send an email containing their username and password.
In general, you should be skeptical about any email messages, however legitimate they appear to be, that ask you to go to a website or compose an email containing personal data.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts