Apple .Mac customers targeted for fraud

When Apple rolled out its Mobile Me service last month, it provided phishers with a golden opportunity to scam users of .Mac, according to a credit card protection service.

"We confirmed this," said Dan Clements, vice president at Affinion Group, the company that owns Card Cops. "...We called some of the .Mac users" found on a trading site used by the Internet underground.

Card Cops includes among its customers major banks worldwide. For the last eight years, the group has been helping its clients and law enforcement track down those who are trading personal information online.

Clements said his company routinely examines caches of "full profiles," meaning the files contained the social security numbers, birth dates, mothers' maiden names, and credit card numbers from customers of savvy users that were tricked. He said one day there was a "disproportionate amount of what we usually see" of victims using the .Mac e-mail address.

Of the 300 profiles provided to CNET News, more than 100 had .mac addresses.

"The attack looked very realistic; the graphics were well done," said Clements, and this snared some sophisticated victims, he said. Some had businesses accounts with Apple "because their mother's maiden name was already on file."

One version of the e-mail solicitation included links to help set up your desktop, PC, iPhone, or iPod Touch. It also stated that Apple was "unable to process your most recent payment," and to "please update your billing information today" so your service is not interrupted. Victims then entered their personal information on a site that appeared to be hosted by Apple, but was actually overseas.

The .Mac phishing attack coincided with Apple's rollout of its Mobile Me service in early July. MobileMe lets Apple customers synchronize mail, calendars, contacts, photos, Safari bookmarks, Dashboard widgets, and more among Macs, the iPhone, and iPod Touch. However, all was not perfect; MobileMe experience too many glitches in the first few weeks of operation.

Clements agreed that Apple was also a victim here, but commented that the company might have been "more preemptive by saying what Apple was going to do" with the e-mail and also warn users to be careful of phishing attacks.

Apple did not provide a comment for this story.

[Seaspray0]

"Apple did not provide a comment for this story." De ja vu. They didn't admit there was a problem with the 3G iphone, either. If it's negative, you will get silence.

[Galaxy5]

This phishing attack was reported on MacInTouch at the time.

[The_Decider]

There is no technology that will save a person from their stupidity. Phishing attacks take advantage of a users lack of knowledge of SSL certificates. There is not a damn thing Apple, MS or anyone else can do.

This is an education issue.

CNET, what sorts of addresses were the other 200?

[M C]

....aaaaand let's make this Apple's fault.

Fan those flames, CNet!

[catch23]

They never said it was Apple's fault. But I guess anything but fawning praise for Apple is considered bashing by the Faithful...
Sad, really

[Perry_Clease]

"Apple did not provide a comment for this story." De ja vu. They didn't admit there was a problem with the 3G iphone, either. If it's negative, you will get silence."

Why should they? The phishing attempt wasn't their fault. As to something that negative resulting in silence, that doesn't always hold true, look at how vocal trolls are.

[ikramerica--2008]

Phishing is called phishing for a reason. Because it involves fishing for suckers and reeling them in. I routinely get emails warning that my Bank of America account needs updating, or my Paypal. Problem is, I don't have a BofA, and I know PayPal doesn't work this way. But someone who does have a BofA account might be fooled. So is some crook sending 1000 emails out hoping to find 100 who happen to be Bank of America's customers somehow the fault of Bank of America? No. Should they warn their customers? Yes, and they do. Should Apple warn it's customers? Yes. But it's hard to warn them before you find out about the phishing. I think Apple has a responsibility to warn paying customers, but that doesn't make it their fault.

[protagonistic]

A fool and his money are soon parted...

Regardless of what OS he is using. :-)

[andrewrennie]

I am a MobileMe subscriber and my account was coming up for renewal. I got these emails and usually I can see straight through a phishing email but these ones were exceptionally well done. The only thing that gave it away was the web address that you were directed to which was not an apple.com address. I can definitely understand why people would have got sucked in by this email.

[docinaustin]

So, if I leave my car in the mall parking lot with the keys in the ignition can I blame my car manufacturer if it gets stolen? I think not. Phishing isn't something new. People need to be more aware of their lives and take ownership for their own situations.
It's horrible that these people got taken for a ride but it's not Apple, their ISP or anyone's fault but the people who are running these scams.
When all else fails, just think everyone out there is wanting to screw you over.

[aleXXX123456]

It's nice to see where all that "rescue Vista add" budject is going too, funding CNET FUD

[ncalishome]

Fanboys are funny, in a inane nitwit kind of way. Email phishing is in no way FUD. If scammers were not phishing for Paypal account/billing information every day don't you think CNET would report it when it did happen? The fact that .mac has become a viable and profitable scam is newsworthy and only goes to prove a point that targeting Apple is worth the time and money

[ChimericPhantom]

I got pulled into a different phishing scam and stopped part way into it. Please help me understand this: I have to open the email to see who sent it. That can trigger a signal to a scammer that my address is "live." If I click on the link that is typed in the email, then the link takes me to a bogus web site. So where do I see the SSL certificate? Before that even, why cannot I read the sender address of the sending email to see whether the person whose name appears is the true sender? In my case, I had to open the email to see that she did not send it to me at all. This is 2 questions in one request. Take care and don't open anything from WAYN Where Are You Now? It is bogus.

[jes834]

once again showing who uses apple products. people who prefer not to think.