  • A very crafty phishing/social engineering by email to Apple users.

    Posted by OscarCP on the AskWoody Lounge

    Forum: Code Red – Security/Privacy advisories

      • OscarCP
        AskWoody Plus

        I am posting this here as a warning to other Mac device users, because it is about a very well-crafted attempt at fooling users of such devices (a laptop, in my case), one so well done that it had me wondering for a while whether it was for real or not.

        Today I received on my Mac this very carefully put together and realistic-looking email from “Apple”. Further inspection of the full headers of the message has convinced me this email is a malignant fake, the vehicle of an attempt at phishing/social engineering.

        The email purports to warn me about, according to its text, an unlikely purchase of an application at the Apple store, made from my account on a device not registered there (an iPhone, something I do not have). It recommended using the attached file to request the cancelling of the charge if I had not asked for the purchased item.

        This is the most realistic attempt at fooling people of this kind I have ever seen. There were two giveaways: a possible one was the fact that no charges have been posted (yet) to any of my credit cards, but that might come later. A more likely one was the instruction to open an attached file to file a request that the charge be cancelled if I did not make the dubious purchase. I have not even looked at the file, in case opening it might trigger an attack or import malware.

        The email in question showed up in the “Junk” folder of the Mac’s “Mail” client. Further inspection of the full headers with it revealed that the message originated from an address that was described in the “full headers” as follows:

        Received-SPF: none (domain of montrystore-7.com does not designate permitted sender hosts)

        According to Wikipedia, “Received-SPF” means the following:

        “SPF allows the receiving mail server to check during mail delivery that a mail claiming to come from a specific domain is submitted by an IP address authorized.” So this permission was not given to my mail client by the sender, which is very suspicious.

        The sender’s address itself was one at “montrystore-7”, not at Apple.

        The most relevant part of the text was as follows. (I have copied it, first, to a text file and am now adding that copy here to show how convincing the email could be):

        Dear Customer,

        Your Apple ID, has just been used to purchase PUG MOBILE from the Apple store, on a computer or a device that has never been associated with that Apple ID.

        Date: Monday, June 1 2020
        Browser: Google Chrome
        Operating System: iOS

        If you did not make this purchase or if you believe an unauthorized person has accessed
        your account, Please find the attached document to cancel your purchase without delay.

        Apple ID

        Apple ID|Support|Privacy Policy
        Copyright © 2020 One Apple Park Way, Cupertino, CA 95014, United States All rights reserved.

        It also includes not only the black Apple symbol in the right places, but also even a link to request to stop receiving this kind of message, and everything else one would expect to find in a legitimate commercial message.

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

      • #2268601
        Paul T
        AskWoody MVP

        Is the attached document clean? Did you check?

        cheers, Paul

        • #2268603
          OscarCP
          AskWoody Plus

          If you are asking about the text reproduced in my previous comment, it is not the original, but a copy of the original message that I typed myself with my own two hands into a text file. So it is as clean as something like that can be.

          If the question is about the document attached to the letter: no, I have not checked it, because I did not want to take any chances. And I have already deleted the message. It was most likely put in the Junk folder by the mail client in my Mac for a good reason, as the sender had not allowed the message’s origin to be validated. If, unlikely as this might seem, it turned out to be a legitimate email from Apple after all, I’ll find this out in due course and, at worst, I’ll then be poorer by a few tens of bucks. Not the worst possible outcome imaginable, in this case.

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

      • #2268628
        Paul T
        AskWoody MVP

        Saving the attachment and then uploading it to VirusTotal would have been simple, safe and have given us more information about this spam.

        cheers, Paul

        • #2268903
          OscarCP
          AskWoody Plus

          Thanks for the implied advice. I have no idea what “VirusTotal” is. Never heard of it until now.

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

          • #2268919
            Zig
            AskWoody Plus

            VirusTotal is a website/program that runs suspect files through MULTIPLE antivirus checkers, in case a given program misses the problem. You could look it up in your Funk & Wagnalls.

            Zig

            • #2268928
              OscarCP
              AskWoody Plus

              Thanks, Zig. According to my Funk & Wagnalls, it might be a different kind of file, itself not a vector of malware, so that antivirus scans would not be helpful, but containing the link to a phishing site loaded with viruses, Trojan horses, worms, etc. Or opening the email (I looked at it and its headers in the preview panel) in order to examine this file might trigger a message being sent back to whoever sent it in the first place, to let them know that my email address has a living, breathing user they might not be wasting their time trying to take advantage of: me. While I could not vouch for that being true, neither was I about to start experimenting with this mail. As Fred’s slogan goes: “The fact you are paranoid does not mean they are not out to get you.”

              Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

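The two checks this sub-thread turns on, OscarCP's reading of the Received-SPF header and the From domain, and Paul T's suggestion of running the attachment through VirusTotal, can both be done offline on a saved copy of the message without opening the attachment or rendering the HTML. The script below is an added example written for this page; it is not code from the thread or from any poster. It uses only Python's standard library to parse a constructed .eml modelled on the message quoted above, read the SPF result, compare the brand in the display name against the From domain, hash the attachment so its SHA-256 can be looked up on VirusTotal (a hash lookup does not share the file with anyone, whereas an upload is shared with VirusTotal's partners), and list the remote images the HTML would fetch on render, which is the beacon OscarCP and Paul T discuss. The sample message, the BRAND_DOMAINS table and all function names are assumptions made for the example.

```python
"""Offline triage of a suspicious e-mail saved as .eml (added example; stdlib only)."""
from __future__ import annotations

import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample modelled on the message in the thread: display name "Apple",
# From domain and Received-SPF that say otherwise, a tracking pixel in the HTML,
# and a stand-in attachment of a few bytes that merely start like a PDF.
SAMPLE_EML = b"""\
Received-SPF: none (domain of montrystore-7.com does not designate permitted sender hosts)
From: "Apple" <billing@montrystore-7.com>
To: victim@example.net
Subject: Your receipt
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset=utf-8

<html><body>Dear Customer, please find the attached document.
<img src="http://montrystore-7.com/t.gif?id=42" width="1" height="1"></body></html>
--B1
Content-Type: application/pdf; name="cancel_purchase.pdf"
Content-Disposition: attachment; filename="cancel_purchase.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--B1--
"""

# Assumed for the example: domains a message claiming a brand should really come from.
BRAND_DOMAINS = {"apple": {"apple.com", "email.apple.com", "id.apple.com"}}


def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def spf_result(msg: EmailMessage) -> str:
    """First token of Received-SPF: pass, fail, softfail, neutral, none ..."""
    m = re.match(r"\s*([A-Za-z]+)", str(msg.get("Received-SPF", "")))
    return m.group(1).lower() if m else "missing"


def sender(msg: EmailMessage) -> tuple[str, str]:
    """(display name, domain) taken from the From: header."""
    name, addr = parseaddr(str(msg.get("From", "")))
    return name, addr.rsplit("@", 1)[-1].lower()


def brand_mismatch(msg: EmailMessage) -> str | None:
    """Brand named in the display name whose known domains exclude the sender's."""
    name, domain = sender(msg)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and domain not in domains:
            return brand
    return None


def attachments(msg: EmailMessage) -> list[dict]:
    """Name, type, size and SHA-256 of each attachment, hashed without opening it."""
    out = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            out.append({"filename": part.get_filename(), "size": len(data),
                        "content_type": part.get_content_type(),
                        "sha256": hashlib.sha256(data).hexdigest()})
    return out


def remote_resources(msg: EmailMessage) -> list[str]:
    """URLs the HTML part would fetch on render (tracking pixels, logos)."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    return re.findall(r'<img[^>]+src=["\']([^"\']+)["\']', body.get_content(), re.I)


def triage(raw: bytes) -> dict:
    """Collect the indicators into one report with plain-language findings."""
    msg = parse(raw)
    spf, (_, domain) = spf_result(msg), sender(msg)
    brand, att, remote = brand_mismatch(msg), attachments(msg), remote_resources(msg)
    findings = []
    if spf != "pass":
        findings.append(f"SPF result is '{spf}': the sending domain was not verified")
    if brand:
        findings.append(f"display name claims '{brand}' but the From domain is {domain}")
    if att:
        findings.append(f"{len(att)} attachment(s): look up the SHA-256 before opening")
    if remote:
        findings.append(f"{len(remote)} remote image(s) would beacon to the sender on render")
    return {"spf": spf, "sender_domain": domain, "brand_mismatch": brand,
            "attachments": att, "remote": remote, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print("-", line)
```

Two caveats when reading the output. Received-SPF is written by the receiving server, so a result of `none` means the sending domain publishes no SPF record at all; a forgery of a domain that does publish one would show `fail` or `softfail` instead, and none of these results says anything about the message content. The brand-versus-domain mismatch is the stronger tell, and the remote image list is exactly what a mail client suppresses when it does not load external content in the Junk folder.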
      • #2268638
        Myst
        AskWoody Plus

        First clue is, when you make a purchase from the Apple Store they should send you a receipt to the registered email associated with your Apple account. It seems highly unlikely this purchase would ever happen without your knowledge if you have two-factor identification set up and don’t share your password or any secured info with anyone, you being the sole keeper, stored in a safe place. Maybe I’m being naive, but yeah, this sounds like spam. And if Apple suspects any unauthorized activity I would expect them to tell you to contact Apple Support at their legitimate number, with possibly a one-time code for the inquiry.

        Win7 SP1 Home x64, MacOS / Chromebook

        • #2268904
          OscarCP
          AskWoody Plus

          Myst: “And if Apple suspects any unauthorized activity I would expect them to tell you to contact Apple Support at their legitimate number, with possibly a one time code for the inquiry.”

          I think that is exactly right. Thanks.

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

      • #2268955
        mngerhold
        AskWoody Lounger

        “I looked at it and its headers in the preview panel”

        I’m not a Mac user, but is the preview pane any safer than opening the email ‘normally’? I don’t think it is in my Outlook on Windows.

      • #2268989
        Paul T
        AskWoody MVP

        Looking at headers is fine, no external links are loaded.

        Most email clients have an option to not load external links and anything in spam/junk never has external links loaded.

        cheers, Paul

      • #2269175
        WSakjudge
        AskWoody Lounger

        Got the same email. For the h*** of it, I activated a sandbox, then clicked on the link “to cancel the charge”. Malwarebytes (Premium) blocked the site before I could even log on to see what the site tried to do….
