The “iTunes virus” & why we fall for phishing scams
When are you more likely to click on a phishing e-mail & give up the goods to attackers?
Do you have the iTunes virus? You might think so if you received one of the warning e-mails going around.
“Dear Apple Customer: This is to inform you that a Virus has been detected in our iTunes database,” the message reads. You are in danger of “loosing” your account, it adds.
“This is the second time our admin is sending you this message and failure to re-validate your iTunes account upon receiving this message, will lead to permanent closing of your account within the next 72 hours,” the message continues.
Security researcher Bryan Campbell posted the e-mail on his Twitter account this week, with the tongue-in-cheek response, “A virus in my iTunes. Well damn.” His followers quickly noted the grammar and spelling issues. “You don’t want loose iTunes—they’ll be jiggling all over the place!” one wrote.
You may see through this scam, but the numbers show many people fall for phishing. The Verizon 2016 Data Breach Investigations Report said 13% of people tested not only opened a phishing e-mail but also clicked on a phishing attachment—an increase from previous years.
What makes you click?
Speed and small screens can lead to your downfall, experts say.
A phishing campaign hit the University of Otago in New Zealand in 2013. Mark Borrie, the university’s information security manager, analyzed the results in the aftermath.
He found that people were more likely to fall for the scam when they using their mobile devices and were checking e-mail while doing other tasks.
“Most users got caught out when they were busy—late at night or first thing in the morning—or when using a small screen—phone or tablet,” Borrie told Archer News.
The attack on the university was a spearphishing attack—targeted at university staff, whereas the scams like the “iTunes virus” phish are sent out to as many people as possible.
“For staff, we found part time staff were more susceptible as they were less familiar with normal processes,” he said.
But he gives the same advice to protect you from any kind of phishing.
“Generally, do not respond to e-mails on mobile devices,” Borrie said.
“A split-second mistake”
Jane Corbin was working at high speed when the phishing e-mail hit her inbox.
“Seven at night on the Friday before Christmas and I was rushing to meet a deadline,” she wrote in a post.
“Suddenly an alarming e-mail popped into my Yahoo mailbox from Yahoo itself, saying my account was about to be shut down unless I confirmed all my details with them,” she said. “It looked authentic—the graphics, the text, the disclaimer at the bottom were identical to the ones used by Yahoo—even some of the details about my account were accurate.”
She had less than an hour to finish a documentary, She was working on the script and the editing, talking with people overseas on phone and e-mail, and having conversations with people around her, she said.
“I panicked, distracted by all the activity around me, worried I would lose all the precious material in my e-mails. So I did what I never should have done,” she wrote. “I filled in all the boxes, including my password, and pressed the enter key. Within a minute my screen went blank, my electronic lifeline was severed and the nightmare began.”
“First of all, wait”
It can be tempting to take action right away. You get an e-mail, you respond, you delete it, problem solved. Next!
Many people who clicked on a phishing attachment did so in less than four minutes after receiving it, according to the 2016 Verizon Data Breach Investigations Report.
Add to that the fear factor—the threat that something bad will happen if you don’t follow through, a typical phishing tactic.
“Legitimate companies should not ask customers or users to take urgent, drastic actions so feel free to wait a day or three,” Borrie said. “If you really need to take action, they will re-contact you.”
And if you get an e-mail demanding urgent action?
“First of all, wait,” Borrie said.
“If the request to do something is real then there is plenty of time to respond,” he added. “This gives time for the person to check with friends and colleagues to see if the e-mail is real and for the person’s antivirus program to update if there are nasties in the e-mail.”
If you open it
In some cases, you can get malware by clicking on a link or attachment in a phishing e-mail. In other cases, the bad guys are out to get your valuable info, sending you to a site that looks legitimate and asks for things like your username and password.
“Most phishing sites will try and get the user to log in in order to get their creds,” Borrie said.
“NEVER click on a link in an e-mail that tells you to update your password or account information,” advised Patrick Coyle with Chemical Facility Security News.
“Instead, use the link that you would normally use to access that site and look for a notice or article about the problem described in the e-mail,” he said. “If it is not easy to find on the landing page for that site, the e-mail was almost certainly a scam.”
Scam, round two
If you click on the iTunes virus phishing link, it will take you to a fake iTunes log-in page, according to Graham Cluley in a post on WeLiveSecurity.
But if you put in your username and password, the scam is not over.
“Instead, it transfers you to a bogus ‘Update Billing’ page, which asks you to enter personal information and (no doubt) will ultimately lead to a request for you to enter your payment card details also,” Cluley wrote.
As Corbin found out, entering your payment info can lead to major headaches—she was left without cash or credit cards to buy Christmas gifts. She received a holiday bonus as well—the scammers used her e-mail account to send out an urgent message to almost a thousand of her contacts saying she was trapped din Spain and needed money.
“I am in a critical situation in Madrid,” the scam e-mail said, according to Corbin. “All my money got stolen in the hotel where I lodged due to a robbery incident. I want you to help me with a loan of 1,500 pounds.” Some of her contacts replied with a desire to help, asking where to send the money, she added. She, however, was locked out of her own account, as the scammers had changed her password to their own.
Decades back, “phishing” took a lot of work.
Coyle remembers magazine ads that promised you could earn money stuffing envelopes—$5 per envelope, send $5 for details.
He finally met a man running the scam who explained how it worked. When people sent him the $5, he sent them an envelope stuffed with his description of his “business” plan—place an ad, lure people in, stuff an envelope with your ”business” plan, send it off.
“That’s where the $5 per envelope claim came from,” Coyle said. “He figured that if he got 10 responses from each ad and one $5 bill per 10 responses, then he made money. He never made serious money, but he always had beer money coming in.”
Now, scammers are getting more than just beer money.
“In the Internet age with bot networks, the cost of running these scams is much smaller and the numbers of potential respondents is much higher,” Coyle said. “People running these types of scams can make money if as few as 1% of the bogus e-mails sent out get a response.”
Fighting off the iTunes virus
This will not be the last of the iTunes scams, nor the fake Facebook, LinkedIn, Paypal and more password reset demands.
“Apple will continue to be a target for these types of phishing attacks,” said Campbell, the researcher who received the e-mail. He works in security for Fujitsu.
“A lot of the content we observe at Fujitsu includes phishing content, and this is no different,” he told Archer News. “The mistakes in the literacy of the email and the genuine URL, which is hiding behind the apparent genuine Apple URL, are two ways of identifying these phishing emails.”
Campbell said there is a lot you can do to prevent these kinds of attacks.
“Always report them to email@example.com,” he said. “Apple never request details from you, particularly via e-mail. Ensure you have two-factor authentication enabled via https://support.apple.com/en-gb/HT204915 to remove the ability of password/dictionary attacks on your account.”
He recommended complex passwords, rather than simple ones.
“Use a password manager to generate and manage secure passwords or use the built-in password manager in iOS or OS X,” Campbell added.
If you fall
Some people have fallen for phishing scams already, and don’t know it. Some people know, but may be embarrassed.
“…Don’t break the golden rule, as I did, and reply to any email you are not 100 percent sure of,” Corbin said.
If you do, you will need to try to take back your accounts, both e-mail and financial. And don’t be shy, Barrie advised, if you actually come down with that “iTunes virus” or other phishing scam.
“If someone thinks they have made a mistake by responding, then report immediately to the service owner—work, bank, etc. Follow-up will vary at his point, but may require changing passwords or even reinstalling their OS [operating system],” he said. “But this is much better than the alternatives.”
“I guess the key is, if people think they have made a mistake then talk to someone. Everyone makes mistakes. The sooner a problem is reported then the sooner it can be fixed,” Barrie said.