If you own an iPhone, iPod or iPad, then you’re used to regularly receiving iTunes receipt emails in your inbox. Last week, my wife was surprised when she received an iTunes receipt in her email inbox amounting to $699.99. As soon as she told me about it, I knew right away that it could be spam or a phishing email.
I checked the suspicious email and at first glance, it looked legit. The email address used was store[at]itunes[dot]com and the message looked like a real iTunes receipt.
I compared it with a real iTunes receipt I previously received and found a few discrepancies:
Fake iTunes Receipt
Email Address: store[at]itunes[dot]com
Billed To: email address
Billed To: “Credit card”
Real iTunes Receipt
Sender: iTunes Store
Email Address: do_not_reply[at]itunes[dot]com
Billed To: email address, full name, billing address (street, state, zip code)
Billed To: Credit card type – MasterCard, VISA, etc. with last 4 digits.
I also checked the email headers of both the real and fake iTunes receipts and saw that the data (Return Path, Received, Received-SPF, Authentication-Results, DKIM-Signature, etc.) didn’t match up. I also noticed that the fake email had these strange characters “ГѓВўГўвЂљВ¬Г‚Вў” at the bottom of the email.
The last thing I checked was the links embedded in the email. Btw, I did it by hovering the mouse over the links, not clicking on the links. Below are the links and the URLs they’re pointing to:
Cancel Order, Report a Problem links – slavodelic[dot]com/pod/check[dot]php
View\Download link – http://cpslex[dot]com/images/download[dot]jpg[dot]exe
Purchase History link – http://cpslex[dot]com/images/history[dot]pdf[dot]exe
As you can see, the URLs were pointing to a PHP page and a couple of executable files. With that, it’s safe to say that the fake iTunes receipt email was not just an ordinary spam or phishing email but a malicious email that intended to trick users into installing a trojan horse virus on their computers.
People who send these types of emails use scare tactics to trick users into providing their account names/passwords, clicking on links, installing attachments, etc. If an unsuspecting person got duped into thinking that this was a real iTunes receipt and that person clicked on any of the embedded links, their computer would’ve been compromised. Their personal information could be stolen, credit cards & bank accounts breached and their computer could be used as a “bot” for a botnet.
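The header and link checks described above can be scripted for triage. This is an added example, not part of the original post; the sample message, its example.net / example.org hosts and the function name triage are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXECUTABLE = (".exe", ".scr", ".pif", ".bat", ".cmd")
DECOY = re.compile(r"\.(jpe?g|png|gif|pdf|docx?|txt)\.[a-z0-9]+$")  # e.g. .jpg.exe

# Constructed sample message (not the real email); hosts are reserved example domains.
SAMPLE = """\
From: iTunes Store <store@itunes.com>
Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=mailer.example.net; dkim=none
Content-Type: text/html

<a href="http://files.example.net/images/download.jpg.exe">View/Download</a>
<a href="http://files.example.net/images/history.pdf.exe">Purchase History</a>
<a href="http://other.example.org/pod/check.php">Report a Problem</a>
"""

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # collect the real target, not the visible link text
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def triage(raw):
    """Return a list of (check, detail) findings for one raw email."""
    msg = message_from_string(raw)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim"):  # verdicts recorded by the receiving server
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1) != "pass":
            findings.append((f"{mech}-not-pass", m.group(1) if m else "missing"))
    parser = _Links()
    parser.feed(msg.get_payload())
    for href in parser.hrefs:
        parts = urlsplit(href)
        host, path = (parts.hostname or "").lower(), parts.path.lower()
        if host != from_domain and not host.endswith("." + from_domain):
            findings.append(("link-off-sender-domain", host))
        if path.endswith(EXECUTABLE):  # a receipt has no reason to link to a program
            kind = "double-extension-exe" if DECOY.search(path) else "executable-link"
            findings.append((kind, path.rsplit("/", 1)[-1]))
    return findings
```

Links that leave the sender's domain also occur in legitimate mail, so that finding only means "look closer"; a link ending in an executable extension behind an image or document extension is the strong signal.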
If you ever come across the same type of email, make sure that you DON’T click on any of the links and/or DON’T download/install any of the attachments. DELETE the email and warn your family and friends about it.
Anybody else got these fake iTunes receipt emails?