In the past month, phishing websites were observed to be spoofing the Apple brand. These fraudulent sites were created to steal legitimate Apple gift card numbers. Genuine Apple gift cards are an option for buyers to give family and friends gift cards for Apple computers or consumer electronics. These cards are accepted in any Apple Retail Store and can also be used for shopping on Apple’s websites.
The spam email messages that were sent claimed to provide an online facility for checking the balance amount for Apple gift cards, and included a link to the phishing website. The phishing site asked for the gift card number and its pin number in the hopes of tricking customers into believing that they could view their balances. Upon entering a card and pin number (typically 16 digits and 8 digits, respectively) an error message is returned, stating that the balance enquiry is currently unavailable. The phishing page further states that the customer should contact customer care to find out the balance. The customer care number provided was valid in order to help the fraudulent site look authentic. With stolen gift card numbers, fraudsters can shop with the entire balance available on each card.
The above screenshot is from the phishing site spoofing the Apple brand. The domain name of the phishing site was a typosquat of “Apple,” so customers may have entered the phishing site from typographical errors made while typing the legitimate website address. The phishing site was hosted on servers based in the USA.
Internet users are advised to follow best practices to avoid phishing attacks. Here are some basic tips for avoiding online scams:
• Do not click on suspicious links in email messages.
• Check the URL of the website and make sure that it belongs to the brand.
• Type the domain name of your brand’s website directly into your browser’s address bar rather than following any link.
• Frequently update your security software, such as Norton Internet Security 2010, which protects you from online phishing.
Note: My thanks to the co-author of this blog, Ashish Diwakar.