Daniel Eran Dilger

New phishing scam targets MobileMe users

200902282008
Prince McLean, AppleInsider

In another attempt to con MobileMe users into providing their credit card information, a scammer has sent out spam spoofed to appear to come from Apple, which directs users to a fake site designed to look like Apple’s. Users who follow the email link and enter their information on the poorly formatted, fake Apple web page will be sorry.

The phony email

While sent with a spoofed sender address of noreply@me.com, the spam’s headers indicate that it actually originates from gamma.oxyhosts.com, a server operated by a web hosting outfit from the UK. The email contains formatting errors that should immediately tip off users, and directs to a sketchy URL: http.apple-billing.me.uk. The email’s headers also indicate it was sent using Outlook Express, but those are only visible when the user examines the phony email’s raw headers.
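As an added example (not part of the original article), the following Python script runs the header and link checks the article describes over a constructed message modelled on the spoofed notice: a From address claiming noreply@me.com, an earliest Received hop at gamma.oxyhosts.com, an Outlook Express X-Mailer, and a link to apple-billing.me.uk. Hosts other than those the article names, and all IP addresses, are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the spoofed notice the article describes:
# From claims noreply@me.com, the earliest hop is a hosting server, the
# mailer is a desktop client, the link goes to an unrelated .me.uk domain.
RAW_SPAM = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org; Sat, 28 Feb 2009 12:00:00 +0000
Received: from gamma.oxyhosts.com (gamma.oxyhosts.com [192.0.2.20])
\tby mail.example.net; Sat, 28 Feb 2009 11:59:00 +0000
From: MobileMe <noreply@me.com>
Subject: Your MobileMe billing information
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
Content-Type: text/plain

Please update your billing details at http://apple-billing.me.uk/login
"""

RECEIVED_FROM = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def in_domain(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def phishing_indicators(raw):
    """Mismatches between the claimed sender and what headers/body reveal."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    findings = []
    # Each relay prepends its own Received header, so the last one in the
    # list is the earliest hop: the server the mail actually came from.
    received = msg.get_all("Received") or []
    if received:
        m = RECEIVED_FROM.match(received[-1].strip())
        if m and not in_domain(m.group(1), sender_domain):
            findings.append(f"origin {m.group(1)} is outside {sender_domain}")
    mailer = msg.get("X-Mailer", "")
    if "outlook express" in mailer.lower():
        findings.append(f"automated notice sent with desktop client: {mailer}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    for host in sorted(set(URL_HOST.findall(body))):
        if not in_domain(host, sender_domain):
            findings.append(f"link host {host} is outside {sender_domain}")
    return findings
```

Running `phishing_indicators(RAW_SPAM)` returns three findings: the origin host, the desktop mailer, and the off-domain link. A message whose earliest hop and links all sit under the From domain returns an empty list.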

Of course, Apple itself has also sent out official MobileMe notices containing the same formatting error (below). Apple also doesn’t sign or encrypt its official emails to users, a step that might help thwart the regular phishing attempts that target MobileMe users. While Apple pioneered certificate-based security in iChat messaging for its MobileMe users, it has been a laggard in making it easy for users to sign and encrypt their MobileMe email using certificates issued by Apple, despite support for this in Mail and most other modern email clients.


The significant difference between the real message from Apple and the phony spam is that Apple’s official email cites the account’s user name and the last digits of the credit card number, and directs the user to navigate to MobileMe themselves and correct their information in the online account section, rather than providing a link to follow. Doing so means the user initiates an SSL-secured MobileMe web session before ever being prompted to enter private account information.


The phony website

There is no SSL security on the fake site users are directed to by the spam (pictured below). The fraud site is hosted by me.uk, a domain not affiliated with Apple, but which might sound reasonably correct to many users. The domain appears to be registered to “Nike Jegart, co 9 Vista Estrella South, Lamy, NM 87540.”

Were the site to attempt to initiate an SSL connection, the EV (Extended Validation) phishing filters in most modern browsers might flag the site as suspicious, but that type of safeguard does nothing when no SSL session is even attempted. The formatting of the phony Apple Store page does raise some obvious red flags, but users shouldn’t expect spammers to continue to flub in their phishing efforts.


As with any unsolicited email-based requests for identity or billing information, users should be cautious and suspicious. Verify that the browser has initiated an SSL connection and that the URL appears correct (although it can be easy to spoof the URL itself so that it appears to be legitimate). The best practice is to navigate to the billing site yourself rather than following an email-supplied link, even if the email appears to be legitimate.

In related news, Apple this week announced a number of improvements to MobileMe’s web applications, which were detailed on AppleInsider’s backpage blogs on Wednesday.

  • KathyLee

    The first year Apple created certs for .Mac users (2006 for me), it worked for both iChat AND email, but only to other .mac users. It was a great benefit to the subscription service. Worked perfectly in Mail.app. Encrypt and Digital Signature buttons automatically showed up in the Mail toolbar and were enabled whenever you started a new mail to another .mac user.

    However, at renewal time, the cert was changed to only work for iChat. The old cert (which showed expired in Keychain) was needed if you wanted to re-read your old encrypted emails.

    I filed a bug report and tried to get an answer on why the change of policy, but the only response I got was it was not a bug. Why would they have taken away encryption rights for email? The conspiracy theorist in me figures the US government didn’t want the wholesale adoption of users easily encrypting their emails…


  • alansky

    There’s a sucker born every minute! Who would be fool enough to click a “login” link in an email message after all the publicity that this extremely obvious scam tactic has received in the news?

    This phishing scheme isn’t really targeting MobileMe users. It’s targeting morons!