A “vast phishing attack” attempting to capture the credit card information of Apple customers launched on Christmas Day, according to a report from Mac security software company Intego.
The attack was an attempt to fool Apple customers into clicking on a link to update the billing information of their Apple accounts.
A user who clicks on the link in the message is taken to a realistic-looking sign-in page; after entering an Apple ID and password, the user is taken to a page asking them to update their account profile, notably by entering credit card information. Like the others, this page looks realistic, and many of the elements it contains actually come from Apple’s own web pages.
The messages sent out have the subject “Apple update your Billing Information” from a spoofed email address of “firstname.lastname@example.org,” though of course future emails from the same source might vary somewhat, Intego said.
If you hover the mouse over the hyperlink in the (impressively forged) email, you’ll see a floating box that reveals the real destination of that link: the telltale chain of four numbers that specifies a numeric IP address, rather than a link to somewhere within the apple.com domain. “If it’s not something.apple.com (it could be www.apple.com, store.apple.com, or something else), then it’s bogus,” Intego said.
In addition to hovering your cursor over any links before you click on them, another way to stay secure is to enter links yourself in your browser rather than click on them in emails. If you type store.apple.com into your browser, you know it’s a legitimate site. If you’re using Safari, any secure connection to Apple (i.e., any URL beginning with https: rather than http:) will show a green verification item in the top right corner of the address bar. (There are similar indications in other browsers.) And no legitimate site will ask for personal information, especially of the credit-card variety, without using a secure connection.
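The hover check and the https check described above can also be applied automatically to an HTML message body. The following is an added example, not code from Intego or the original report; `LinkCollector`, `classify`, `audit` and the sample body are hypothetical names and constructed data. It goes slightly beyond the article by matching apple.com on a label boundary, so look-alike hosts that merely contain the string are also flagged.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "apple.com"  # domain the article says genuine links sit under

class LinkCollector(HTMLParser):
    """Collect the href of every <a> element: what a hover would reveal."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def classify(href):
    """Return the reasons a link fails the checks (empty list means it passes)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").rstrip(".").lower()
    reasons = []
    try:
        ipaddress.ip_address(host)
        reasons.append("numeric IP destination")
    except ValueError:
        # Match on a label boundary so apple.com.billing.example does not pass.
        if host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
            reasons.append("host is not under apple.com")
    if parts.scheme != "https":
        reasons.append("not an https link")
    return reasons

def audit(html_body):
    """Return (href, reasons) for each link found in an HTML message body."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(href, classify(href)) for href in collector.hrefs]

# Constructed sample body; 192.0.2.10 is a documentation address (RFC 5737).
SAMPLE = (
    '<a href="http://192.0.2.10/apple/login">https://store.apple.com/</a>'
    '<a href="https://store.apple.com/">Apple Store</a>'
    '<a href="https://apple.com.billing.example/">Update billing</a>'
)

if __name__ == "__main__":
    for href, reasons in audit(SAMPLE):
        print("SUSPICIOUS" if reasons else "ok", href, reasons)
```

The first sample link shows why the visible text cannot be trusted: it displays a store.apple.com address while the href points at a bare IP over plain http.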
This isn’t the first such scam posing as an email from Apple. In a less sophisticated attack earlier this month, a fake MobileMe message requested users send an email containing their username and password.