March 25, 2010
Phony Apple AppStore Order Confirmation
Some spam is more preposterous than others, yet it can often require a second look to see how bizarre a message is.
When I first saw this Subject: line in my inbox:
Subject: 25-757 Apple AppStore Order Confirmation
I didn't see the word "AppStore". Instead I figured it was some Apple Store lure to install malware or phish for my Apple ID credentials. Even though I'm an iPhone developer with apps in the real App Store, my eyes skipped over the critical word. Part of that may have come from my knowledge of the real communications that the App Store conveys to real customers: receipts for downloads. All purchases from the App Store are immediate, so there is no such thing as an order confirmation. Even the Apple Store doesn't send a "confirmation" per se. Instead, they send an "Order Acknowledgment".
Here's what the email message looked like:
If you click the link in the message, you visit a web site from Russia whose page has both an obvious link (with just the word "Click") and a hidden iframe element. The obvious link takes you to a medz vendor. Ugh. But the hidden stuff...well, I'm not exactly sure at this point. The hidden material uses the same type of JavaScript obfuscation techniques to insert additional iframes and scripts that malware distributors have been using for years. In this message, the scripts (albeit flawed in places) eventually attempt to load a page that is no longer available. Perhaps all this hidden stuff is a decoy for malware researchers to follow. I can't say for sure.
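To show how an analyst might triage a saved copy of a landing page like the one described above, here is an added example (not code from the original post): a small Python script that flags zero-size or invisible iframes and common obfuscation calls, and decodes one unescape() layer to catch iframes written from script. The sample HTML and its example.invalid URLs are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample of a spam landing page: one visible "Click" link, one
# hidden iframe, and an inline script that writes a second iframe through
# unescape(), modelled on the page described in the post (not real data).
SAMPLE_HTML = """<html><body>
<a href="http://example.invalid/shop">Click</a>
<iframe src="http://example.invalid/ld.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//example.invalid/x.html%22%20width%3D1%20height%3D1%3E%3C/iframe%3E'));</script>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
DIM_RE = re.compile(r"\b(width|height)\s*=\s*[\"']?(\d+)", re.I)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
OBFUSCATION_RE = re.compile(r"unescape\(|String\.fromCharCode|eval\(|document\.write\(")
UNESCAPE_ARG_RE = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)")

def hidden_iframes(markup):
    """Return src values of iframes that are 0/1 px in size or styled invisible."""
    found = []
    for tag in IFRAME_RE.findall(markup):
        dims = [int(v) for _, v in DIM_RE.findall(tag)]
        if any(v <= 1 for v in dims) or HIDDEN_STYLE_RE.search(tag):
            src = SRC_RE.search(tag)
            found.append(src.group(1) if src else "")
    return found

def obfuscation_markers(html):
    """Return the obfuscation-style calls found in inline <script> bodies."""
    markers = []
    for body in SCRIPT_RE.findall(html):
        markers.extend(OBFUSCATION_RE.findall(body))
    return markers

def decode_unescape_layers(html):
    """Decode one layer of unescape('%..') literals as the browser would (no %uXXXX support)."""
    return [unquote(arg) for arg in UNESCAPE_ARG_RE.findall(html)]

def triage(html):
    """Combine the signals into a small verdict dict for an analyst."""
    iframes = hidden_iframes(html)
    for layer in decode_unescape_layers(html):
        iframes += hidden_iframes(layer)  # iframes only visible after decoding
    markers = obfuscation_markers(html)
    return {"hidden_iframes": iframes, "obfuscation": markers, "suspicious": bool(iframes or markers)}
```

Run it on a saved page with `triage(open("page.html").read())`; a real pipeline would also follow the flagged src values in a sandbox rather than a browser.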
The association between medz spammers and malware distributors has been shown to be close in the past. The malware can be used to harvest new email addresses that the Bad Guy can use to spam for medz, knockoff goods, and online "dating" sites. Whoever is behind this stuff is equally happy to sell medz and install malware — it all makes money either way.
Posted on March 25, 2010 at 11:30 PM