Scam Email – iTunes


I’ve had another scam email recently that I wanted to quickly share with you, because it’s another one that’s fairly common, similar to ones for Paypal. But this time it’s from someone pretending to be iTunes, which is of course used by millions of people, myself included.

It’s a very short email, and the main red flags are very easy to spot. However, it does have a sneaky trick up its sleeve to be careful of, that I’ve not seen in my other spam emails so far.

Update: Since writing this post, I’ve had a 2nd email, which is identical except for a few minor differences, which I’ve noted that below as well.

The Email

Screenshot of scam email pretending to be from iTunes.

From Name: iTunes

From Addresses

  • Email 1:
    Servic732893266249432556284429544262@Servid7883493458543950.com
  • Email 2:
    wsercodmltune837200cknfdv7834rkdn934fkmdv49fvkjn@nvjhcxddkmccostacomd.com

To: welleyenever@icloud.com

Subject:

  • Email 1: Action required
  • Email 2: Please update your billing information

Message:

Dear welleyenever@icloud.com,

Your Apple ID has been suspended due to the following reason:

Billing Issue – CXZ89491X

Please update your billing information as soon as possible to avoid any termination of your used services.

Access my account [Button points to 5.189.146.107/~calmbunn/.uk/uk/index.php]

Analysis

Firstly, it’s important to note that Apple never send out messages like this. They’re very security conscious. But regardless of that, this is easy to pick apart anyway.

From Address

Screenshot of sender address for iTunes scam email

The sender’s name says it’s from iTunes, but the actual address is clearly randomly generated and has nothing to do with Apple:

  • Servic732893266249432556284429544262@Servid7883493458543950.com
  • wsercodmltune837200cknfdv7834rkdn934fkmdv49fvkjn@nvjhcxddkmccostacomd.com

Message

The salutation greets me by my email address, not my name, which iTunes would have on file. Though as it happens, the address I use for my blog isn’t the one I use for iTunes anyway, so it’s impossible for iTunes to suspend an account that doesn’t exist!

The rest of the message is short and has no spelling errors, so perhaps isn’t quite so obvious. The phrasing “termination of your used services” feels a bit odd grammatically, but maybe that’s just me. So there’s not a lot to say about that aspect of it.

Link

Screenshot of link address in iTunes scam email.

Hovering over the link to view the address again shows that it has nothing to do with Apple, as it’s pointing to “5.189.146.107/~calmbunn/.uk/uk/index.php”.

Many scam emails include the company name in the link address somewhere, to try and give the impression it’s genuine, even though it’s still obviously fake. But here the scammer’s just been very lazy and picked a very random address. They haven’t even set up a proper website name, it’s just an IP address, which could potentially be useful for tracing purposes.

But here’s the interesting thing – the button isn’t actually the link. Sure, you can click on it and it will take you to that website. But you can also click anywhere else for the same effect, because the entire message is a clickable image.

So this includes the white background, the Apple logo, the message text, the account access button, and the footer text with what appear to be links for the Apple ID, Support and Privacy Policy along with the Apple copyright line. Clicking any of those things will take you to that dodgy website. The only exception is the initial salutation (“Dear welleyenever@icloud.com“). That is standard text, as it’s their only way of trying to make the email appear personalised.

I noticed it was an image when I went to copy and paste the text for this post. I saw my mouse cursor was a pointing hand icon wherever I moved it in the message, rather than a regular arrow. It only changes to the hand icon when it’s over a link. And resting the cursor over parts of the message away from the button continued to reveal the address as a tooltip. So there was no text to copy – I simply typed up a copy by hand instead.

There is a bit of clear space either side of the image, because they’ve centred it in the message window, so if your window is wide enough, you can potentially click to the left and right of the image safely. But overall it’s easy for you to hit the link anywhere without expecting to, e.g. if you were to try and click the Support link at the bottom or just randomly clicked anywhere on the message in general. So that is a sneaky little trick.

Looking at the source code, we find that the actual image is stored on a legitimate picture hosting site called imgBB:

Apart from giving you a bigger target to click on, the scammer has also used an image rather than text in this instance, to try and bypass spam checks by email providers. It’s difficult to analyse the text of an email for spam if there’s no text to begin with. It is possible to detect text in images using OCR (Optical Character Recognition), but I don’t know if email companies do that.

Also, can I just point out that the image doesn’t have Alt Text to describe it either. Screen reading software, which speaks the content of web pages to visually impaired people, will look for and read out the Alt Text attributes where available. So it’s important to use it to describe your images. Otherwise, the screen reader will just say it’s an image and nothing more, which is meaningless, and that’s the case here. Which isn’t a surprise. Scammers don’t care about anybody, so of course they’re going to be discriminatory and ableist too, right? I mention Alt Text more in this post incidentally – if you’re not adding image descriptions on your blog, Twitter, etc, please do, it’s important.

Footer

Weirdly, there’s a big space below the clickable image. And if you scroll all the way down to the bottom, there’s this:

Unsubscribe

gboticia 1 Hillcrest Road <a href=”https://www.w3schools.com/html/”>Visit our HTML tutorial</a> Tiburon, US-CA 94920 United States (625) 985-2234

The unsubscribe links points to an Infusionsoft unsubscribe address:

https://eb512.infusionsoft.com/app/optOut/0/7a6a0678b5aa2e8f/29411/93ae9e55efb87b26

That appears to be genuine, because after the https:// prefix the first forward slash comes after “infusionsoft.com”, which is their correct website name.

The w3schools link is also genuine – that’s actually quite a useful website for learning the basics of HTML code – although what doesn’t make sense is why it’s in the middle of the company postal address.

The source code also reveals they’ve left in a tracking pixel, which is an unseen image just 1 pixel in size, that mail senders use to detect if you’ve opened their message or not. That appears to be related to the Infusionsoft message as well, I don’t think it’s being used by the scammer.

All this basically means is that the scammer has copied an email from Infusionsoft that was originally genuine, stripping out Infusionsoft’s content and replacing it with their own. But they’ve either done a terrible job and left a mess behind, or they’ve deliberately left in HTML code and tracking pixel from a real email in order to try and fool spam filters that the message is genuine. Both options are very possible.

Either way though, the From address and the website link, along with the fact that Apple never send out emails like this in the first place, are enough to show that it’s obviously fake. The warning signs are still very prominent. So stay vigilant as always!

Author: Glen

Love London, love a laugh, love life. Visually impaired blogger & Youtuber with aniridia & nystagmus, posting about my experiences & adventures.

One thought on “Scam Email – iTunes”

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.