Apple iTunes Used In Massive Phishing Attack

Emails with fake e-commerce receipts trick users into installing Zeus financial malware, giving up credit card details.

Hackers gunning for credit cards have turned to spoofing iTunes receipts in a bid to trick email recipients into installing Zeus (aka Zbot) financial malware, which is designed to steal passwords and financial website access credentials.

"Victims receive a cleverly crafted email informing them that they have made an expensive purchase on iTunes," according to antimalware security firm PandaLabs. "The user, having never made the purchase to begin with, is concerned by the email and naturally tries to resolve the problem -- in this case by clicking on the proffered (fake) link."

The link leads to a malicious website that attempts to install a bogus PDF reader. If the installation succeeds, multiple malicious files are downloaded and installed from a website hosted in Russia, and the user is then redirected to another malicious website that delivers the Zeus Trojan.

PandaLabs said it reported the attack to the Anti-Phishing Working Group, which has begun efforts to block some of the websites being used in the attack. Notably, this campaign is similar to the recent LinkedIn attack, which also used emails to spread Zeus malware.

The advice from security experts is to beware emails bearing links from any business-related service. "When using services such as iTunes, it is absolutely crucial that users never go to the website via email, but rather from the platform itself where they can verify their account status," said Luis Corrons, technical director of PandaLabs, in a statement.

For this particular attack, breaking out the calculator might help too. One of the spoofed receipts lists an order total of $895.99, but the unit price, subtotal, and order total do not add up. Close reading also reveals that the order was supposedly paid using "store credit."
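
The two checks the article recommends, verifying the receipt's arithmetic and distrusting the link rather than the email, can be automated for triage. The following is an added example, not code from PandaLabs or from the original article: it parses a constructed spoofed receipt (the figures, the "store credit" line, and the hostnames are made up for illustration) and reports the red flags. The `expected_domain` parameter is an assumption about which domain a genuine receipt would link to.

```python
import re
from decimal import Decimal
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a spoofed receipt, modelled on the signs the article
# lists: totals that do not add up, payment by "store credit", and a link whose
# real target differs from the address shown. Nothing here is a real email.
SAMPLE_RECEIPT = """\
Receipt No: 0000000000
Item                        Qty  Unit Price  Total
Example Album (constructed)   1       $9.99  $9.99
Subtotal: $795.99
Order Total: $895.99
Payment Method: Store Credit
<a href="http://itunes-billing.example.net/report">http://www.apple.com/itunes/</a>
"""

# Constructed sample of a receipt whose figures and link are consistent.
CLEAN_RECEIPT = """\
Example Album (constructed)   2       $9.99  $19.98
Subtotal: $19.98
Tax: $1.00
Order Total: $20.98
<a href="https://www.apple.com/x">https://www.apple.com/x</a>
"""

ITEM_RE = re.compile(
    r"^(?P<name>\S.*?)\s{2,}(?P<qty>\d+)\s+\$(?P<unit>\d+\.\d{2})\s+\$(?P<total>\d+\.\d{2})\s*$",
    re.M)
SUBTOTAL_RE = re.compile(r"^Subtotal:\s*\$(\d+\.\d{2})", re.M)
TAX_RE = re.compile(r"^Tax:\s*\$(\d+\.\d{2})", re.M)
TOTAL_RE = re.compile(r"^Order Total:\s*\$(\d+\.\d{2})", re.M)
PAYMENT_RE = re.compile(r"^Payment Method:\s*(.+)$", re.M)


class _LinkCollector(HTMLParser):
    """Collect (href, displayed text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_receipt(text, expected_domain="apple.com"):
    """Return a list of red flags found in a receipt-style email body.

    expected_domain is an assumption for this example: the domain a genuine
    receipt for the service would link to.
    """
    findings = []

    # 1. Arithmetic: each line, the subtotal, and the order total must agree.
    items = [(m["name"], int(m["qty"]), Decimal(m["unit"]), Decimal(m["total"]))
             for m in ITEM_RE.finditer(text)]
    for name, qty, unit, total in items:
        if qty * unit != total:
            findings.append(f"line total mismatch for {name!r}: {qty} x {unit} != {total}")
    line_sum = sum((t for _, _, _, t in items), Decimal("0"))
    sub = SUBTOTAL_RE.search(text)
    subtotal = Decimal(sub[1]) if sub else line_sum
    if sub and items and subtotal != line_sum:
        findings.append(f"subtotal {subtotal} != sum of lines {line_sum}")
    tax = TAX_RE.search(text)
    tax_amount = Decimal(tax[1]) if tax else Decimal("0")
    tot = TOTAL_RE.search(text)
    if tot and Decimal(tot[1]) != subtotal + tax_amount:
        findings.append(f"order total {tot[1]} != subtotal {subtotal} + tax {tax_amount}")

    # 2. Payment method: the article notes the spoof claims "store credit".
    pay = PAYMENT_RE.search(text)
    if pay and "store credit" in pay[1].lower():
        findings.append("paid with store credit")

    # 3. Links: the visible address must match the real target, and the real
    #    target must sit under the domain a genuine receipt would use.
    collector = _LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if shown.startswith(("http://", "https://")):
            shown_host = (urlparse(shown).hostname or "").lower()
            if shown_host != host:
                findings.append(f"link text shows {shown_host} but points to {host}")
        if host != expected_domain and not host.endswith("." + expected_domain):
            findings.append(f"link host {host} is outside {expected_domain}")
    return findings


if __name__ == "__main__":
    for flag in analyse_receipt(SAMPLE_RECEIPT):
        print("FLAG:", flag)
    print("clean receipt flags:", analyse_receipt(CLEAN_RECEIPT))
```

Run against `SAMPLE_RECEIPT` the function reports the subtotal and order-total mismatches, the store-credit payment, the displayed-versus-actual link mismatch, and the off-domain link host; `CLEAN_RECEIPT` produces no findings. The link check is the one that matters most in practice, because the arithmetic in a better-crafted spoof will add up.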

Unfortunately, such phishing attacks often succeed because of, rather than in spite of, their simplicity. "The techniques used to trick victims continue to be so simple, but the design and content is so very well-orchestrated. It's very easy to fall into the trap," Corrons said.

The attack is also a reminder that even with last week's global bust of a Zeus cybercrime ring, Zeus-related attacks persist in force.

Peter Coogan, an analyst at Symantec, said, "it would be difficult to put a true figure on the amount of cybercriminal gangs or individuals that exist today and use the Zeus toolkit for illegal activity, but it could easily be as many as 100 or more." Indeed, the company recently found 156 Zeus-related command-and-control servers currently in operation.
