Coming soon to a mailbox near you: a blatant attempt to swipe your payment information. Couched in the well-worn guise of a supposed Apple Store refund, the mail wants potential victims to hand over their Apple ID / password and then a chunk of personal / payment details.
The email, currently in circulation, reads as follows:
Your invoice No.69513279
Dear Apple ID
Thank you for buying the following product on 10/22/2015 9:03:55 a.m.
Product Name: CoPilot Premium HD
Order Number: 57620731
Receipt Date: 10/22/2015 9:03:55 a.m.
Order total: 34.99 GBP.
If you did not authorize this purchase, please: Click here for Refund
Of course, you probably did not authorise any sort of purchase for a “CoPilot Premium HD”, which is exactly the “Oh no my money, I must retrieve it” reaction they’re banking on (unless you actually did buy one of these, in which case things might get a little confusing). Nothing will have people rushing to click buttons and hand over information faster than the possibility of someone making unauthorised payments. Clicking the refund links will take them to a fake login, via a redirect on a potentially compromised t-shirt website. The phish pages themselves are located at
After handing over Apple ID credentials, the victim is taken to the next step, which asks them for name, address, DOB and full payment information.
Confirm your personal and billing information in order to cancel and refund the transaction above: For your protection, we verify credit card and debit card billing details. The process normally takes about 30 seconds, but it may take longer during certain times of the day. Please click the Confirm button to confirm your information.
Unfortunately, hitting the “Cancel Transaction” button here would be pretty much the exact opposite of cancelling a transaction and victims could expect to see many more actual payments suddenly leaving their bank account. If you have this sitting in your mailbox, delete it. If you’ve already sent the scammers your details, notify your bank and cancel the card – while keeping an eye out for any dubious payments.
Apple themed phish scams are a popular choice for criminals, and whether faced with iTunes logins, “Find my phone” fakeouts, iCloud shenanigans or payment receipts such as the one above, recipients should be wary and – if in doubt – head to official Apple pages to find out if a payment really is being processed.
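A mail-filter heuristic for the lure described above, as an added example that is not part of the original article: it flags HTML mail that invokes Apple and a refund or cancellation prompt while linking to a host outside Apple's domains. The domain list, the lure words and the sample message (including its shop.example link) are assumptions constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: hosts treated as Apple-owned, and phrases treated as lure text.
APPLE_DOMAINS = ("apple.com", "icloud.com")
LURE_WORDS = ("refund", "did not authorize", "cancel")

class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def is_apple_host(host):
    # Exact match or true subdomain only, so "apple.com.shop.example" fails.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in APPLE_DOMAINS)

def suspicious_links(raw_message):
    """Return off-Apple links in mail that invokes Apple plus a refund lure."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []
    html = part.get_content()
    if "apple" not in html.lower() or not any(w in html.lower() for w in LURE_WORDS):
        return []
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text) for href, text in collector.links
            if urlsplit(href).scheme in ("http", "https")
            and not is_apple_host(urlsplit(href).hostname)]

# Constructed sample modelled on the email quoted above; the link is a placeholder.
PHISH = ('Subject: Your invoice No.69513279\nContent-Type: text/html\n\n'
         '<p>Dear Apple ID. If you did not authorize this purchase, please: '
         '<a href="http://shop.example/redirect.php">Click here for Refund</a></p>')
print(suspicious_links(PHISH))
```

A hit is a reason to quarantine or tag the message for review, not proof of phishing, since legitimate third-party mail can also mention Apple and refunds.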
Christopher Boyd Malwarebytes 22 October 2015