Intro
On a mailing list I am part of, a user had their email account hacked, and the scammer used the iTunes gift card scam. This is a quick article about the scam and how to avoid being a victim.
The scam
In the world of information security, there are many cutting-edge attacks. One recent example comes out of Israel, where researchers from Ben-Gurion University and the Weizmann Institute revealed a new technique for long-distance eavesdropping they call lamphone.
The lamphone attack allows anyone with a laptop, a telescope and a $400 electro-optical sensor to listen in on any sounds in a room that’s hundreds of feet away in real time, by merely observing the minuscule vibrations those sounds create on the glass surface of a light bulb inside.
By measuring the tiny changes in light output from the bulb that those vibrations cause, the researchers showed that a spy can pick up sound clearly enough to discern the contents of conversations or even recognize a piece of music. This is straight out of Tom Clancy.
On the opposite end are the low-tech attacks such as iTunes gift card scams. Recently, someone’s email accounts were hacked and the attacker posted on their behalf on a community mailing list I am part of. The scammer asked people to buy iTunes gift cards and promised to pay them back later, since he said he was away.
This scam goes back a few years and is in constant use. When the victim’s email account is hacked, the attacker will send a message to everyone in their address book.
Gift card frauds are so prevalent that the Better Business Bureau, AARP, and FTC have alerts. As to iTunes card fraud, Apple and the FTC have warnings specifically regarding scams involving App Store & iTunes Gift Cards and Apple Store Gift Cards. These scams have been going on for years where fraudsters request codes from App Store & iTunes Gift Cards or Apple Store Gift Cards.
The scam follows a standard formula where the person says they can’t make the purchase now and says they will pay you when they return.
Why iTunes gift cards
Apple Music, App Store, iTunes, and related services are major players in the global digital app and music market, with over $10B in annual revenue. With a market so huge, it is ripe for scamming.
These scams are part of extensive, sophisticated black market efforts, often via the dark web. The low-level scammers do the grunt work of communicating with the victim. Once they get the codes, the network sells them to middlemen, who, in turn, sell these codes to people on the secondary market. This entire exchange is, for the most part, untraceable and very profitable.
If the scammers try to flip the card into Bitcoin, it makes it even more untraceable. As an aside, Bitcoin is not provably untraceable. As detailed in Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction, all Bitcoin transactions are stored publicly and permanently on the network, and can’t be considered fully anonymous.
How do you avoid being a victim?
This scam is so efficient because the source is the victim’s email address book, which often contains thousands of contacts. Because the messages go to the victim’s friends, the recipients will have a desire to be helpful.
Ronald Reagan popularized the saying Trust, but verify, which is the approach one needs to take here.
You can avoid being a victim by using both technical and practical approaches.
- Use common sense — does the email make sense? If you look at the text of the email communications, the writer answers in short, terse sentences and does not seem to be a native English speaker.
- Ask a few questions — the person should know some specifics, especially about their own life and family. The entire email chain is below, and I asked the scammer some specific questions he or she never replied to directly. I also used false family member names and a medical condition which he was oblivious to. Since there were no corrections to these, it screams out scam.
- Generic text — everything in the email conversation is generic. The scammer makes no mention of anything personal which would indicate it is the real person. They never refer to you by name, nor their niece by name. They say they are out of town, but do not mention a place.
- Use a hard-to-guess password — for your email accounts, use a complex, difficult-to-guess password. But this is not foolproof if the password itself is compromised.
- Employ multi-factor authentication (MFA) — this is an authentication method where a user is only given access after successfully presenting two or more pieces of evidence to the authentication system. If you use Google services, you should employ more robust security for your Google account via Google Authenticator.
- Consider why they are asking for your help — the attacker below is making up silly excuses why he can’t do it himself.
- Be aware and vigilant — there are trillions of dollars moving through the Internet daily, and scammers want a piece of the action. Awareness is critical to avoid being a victim. You need to protect yourself from COVID-19 & stimulus payment scams, and also be aware of the myriad other scams. Frank Abagnale’s book Scam Me If You Can: Simple Strategies to Outsmart Today’s Rip-off Artists is an excellent primer on the topic.
- Use even more of that common sense, and you are much less likely to be a victim.
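The warning signs in the list above (a gift card request, an excuse for not buying it themselves, a promise to pay back, a demand for the card codes by email, a refusal to take a phone call) can be checked mechanically as a first triage step. The following Python is an added example, not part of the original article: the patterns, weights, threshold and function names are assumptions, and the sample messages are adapted excerpts of the anonymized chain.

```python
import re
from email.utils import parseaddr

# Phrases the article describes as the scam's formula.
# Patterns, weights and threshold are assumptions made for this example.
INDICATORS = [
    ("gift_card_request", 3, r"\bgift\s*cards?\b"),
    ("asks_for_card_codes", 3, r"\b(scratch|pins?|code numbers?)\b"),
    ("cannot_buy_now", 2, r"\b(can'?t do this now|out of town|not with my credit card)\b"),
    ("will_pay_back", 2, r"\bpay (you )?back\b"),
    ("refuses_phone", 2, r"\b(don'?t have access to my phone|not available on phone)\b"),
]
WEIGHTS = {name: weight for name, weight, _ in INDICATORS}
THRESHOLD = 5  # at or above this, verify the request out of band

def match_indicators(body):
    """Return the set of indicator names found in one message body."""
    text = body.replace("\u2019", "'").lower()  # normalise curly apostrophes
    return {name for name, _, pat in INDICATORS if re.search(pat, text)}

def review_thread(messages):
    """Score a thread once per indicator; flag one name writing from several addresses."""
    hits, senders = set(), {}
    for msg in messages:
        display, addr = parseaddr(msg["from"])
        if display:
            senders.setdefault(display.lower(), set()).add(addr.lower())
        hits |= match_indicators(msg["body"])
    score = sum(WEIGHTS[h] for h in hits)
    if any(len(addrs) > 1 for addrs in senders.values()):
        hits.add("sender_address_changed")  # e.g. MSN account, then Gmail
        score += 2
    return {"score": score, "indicators": sorted(hits), "suspicious": score >= THRESHOLD}

# Constructed sample: adapted excerpts of the anonymized chain, sender and body only.
SAMPLE_THREAD = [
    {"from": "Scammer <scammer@msn.com>",
     "body": "I need to get an iTunes gift card for my Niece, but I can’t do this now "
             "because am currently out of town. I’ll pay back as soon as i am back."},
    {"from": "Scammer <scammer@gmail.com>",
     "body": "I need you to scratch the back of the cards to reveal the pins."},
    {"from": "Scammer <scammer@gmail.com>",
     "body": "I don’t have access to my phone here, Email the numbers to me."},
]

if __name__ == "__main__":
    print(review_thread(SAMPLE_THREAD))
```

A single mention of a gift card stays below the threshold; it is the combination of signals, including the same display name switching addresses mid-thread, that pushes the score up.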
The email chain with the scammer has been anonymized to protect the victim, and below is the text of the emails.
Two of the victim’s email accounts were hacked — MSN and Gmail. I refer to these as scammer@msn.com and scammer@gmail.com.
Notice the initial scam email came from the victim’s MSN account. The scammer then moved to the victim’s Gmail account.
The friend responding is Jenny Smith <Jen@mail.com>.
On Tue, Jun 23, 2020 at 10:15 AM Scammer <scammer@msn.com> wrote:
Good Morning, How are you? I need a favor from you.
I need to get an iTunes gift card for my Niece, It’s her birthday today but I can’t do this now because am currently out of town. Can you get it from any store around you? I’ll pay back as soon as i am back.
Kindly let me know if you can handle this.
Thank you,
Scammer
On Tue, 23 Jun 2020 at 15:26, Jenny Smith <Jen@mail.com> wrote:
Hi — is this for Tammy your niece? I remember when she was little.
Let me know what you need and we can help.
On Tuesday, June 23, 2020 10:35 AM, Scammer <scammer@gmail.com> wrote:
Thanks. What I need is $300 iTunes gift card($100 denomination. Three $100 cards total $300) you can buy from any store around now. Also, I need you to scratch the back of the cards to reveal the pins, then take a snap shot of the back showing the pins and have them email to me….so i can forward the cards to my Niece.
How soon can you get this done for me so i can give her a definite time to expect the picture from me?
On Tue, 23 Jun 2020 at 15:37, Jenny Smith <Jen@mail.com> wrote:
Anything for your bro!
I can go out and buy them, or get them online….just tell me what to do.
You on vacation now?
On Tuesday, June 23, 2020 10:42 AM, Scammer <scammer@gmail.com> wrote:
Can you get the cards online for me now and have them sent to me my email address scammer@msn.com
On Tue, 23 Jun 2020 at 15:44, Jenny Smith <Jen@mail.com> wrote:
Sure….what is the web site to order them from?
I can do that now….just let me know the web site to order from.
Don’t want Tammy to miss her birthday present. How old is she now?
On Tuesday, June 23, 2020 10:46 AM, Scammer <scammer@gmail.com> wrote:
https://www.apple.com/shop/gift-cards/itunes-electronic?afid=p238%7CsvsraeddR-dc_mtid_1870765e38482_pcrid_267742211676_pgrid_46460974547_&cid=aos-us-kwgo-btb-egc
On Tue, 23 Jun 2020 at 15:49, Jenny Smith <Jen@mail.com> wrote:
Ok…how much do you need?
When are you and Monica due back? We miss you in hot and humid Miami.
On Tuesday, June 23, 2020 10:50 AM, Scammer <scammer@gmail.com> wrote:
What I need is $300 iTunes gift card($100 denomination. Three $100 cards total $300) Have it sent to my email address scammer@msn.com
On Tuesday, June 23, 2020 10:53 AM, Scammer <scammer@gmail.com> wrote:
Paris, Let me know when done.
On Tue, 23 Jun 2020 at 15:52, Jenny Smith <Jen@mail.com> wrote:
Ok, will do that now.
Where are you guys??
On Tue, 23 Jun 2020 at 15:59, Jenny Smith <Jen@mail.com> wrote:
Ignatz is getting the credit card for me, so will do the order in like 2 minutes.
OMG I love Paris!!!!
Where you guys staying there?
On Tuesday, June 23, 2020 11:00 AM, Scammer <scammer@gmail.com> wrote:
Ok, Let me know when you place the order for the cards.
On Tue, 23 Jun 2020 at 16:04, Jenny Smith <Jen@mail.com> wrote:
He is doing the order now….
He is better with computers than I am.
How are you managing doing all that walking with your cellulitis problems? Must be hard.
Ignatz just said order should be done in 90 seconds.
On Tuesday, June 23, 2020 11:06 AM, Scammer <scammer@gmail.com> wrote:
Ok, thanks.
On Tue, 23 Jun 2020 at 16:08, Jenny Smith <Jen@mail.com> wrote:
Seriously….how are you managing doing all that walking with your cellulitis problems?
I remember when you had to miss Dave Kujan’s retirement party due to that.
On Tuesday, June 23, 2020 11:12 AM, Scammer <scammer@gmail.com> wrote:
I’m getting better now.
On Tue, 23 Jun 2020 at 16:15, Jenny Smith <Jen@mail.com> wrote:
ok….that is great.
Ignatz just finished the order for the 3 gift cards.
Regards to the birthday girl!
On Tuesday, June 23, 2020 11:19 AM, Scammer <scammer@gmail.com> wrote:
Kindly forward the confirmation order to me.
On Tue, 23 Jun 2020 at 16:22, Jenny Smith <Jen@mail.com> wrote:
Did you not get the confirmation?
Ignatz said it was confirmed.
On Tuesday, June 23, 2020 11:26 AM, Scammer <scammer@gmail.com> wrote:
No
On Tue, 23 Jun 2020 at 16:30, Jenny Smith <Jen@mail.com> wrote:
He just resent it to you.
On Tuesday, June 23, 2020 11:31 AM, Scammer <scammer@gmail.com> wrote:
Let me send it to my email
On Tue, 23 Jun 2020 at 16:39, Jenny Smith <Jen@mail.com> wrote:
Can you confirm you got it?
On Tuesday, June 23, 2020 11:40 AM, Scammer <scammer@gmail.com> wrote:
No, I didn’t get it. Can you send it to me.
On Tue, 23 Jun 2020 at 16:44, Jenny Smith <Jen@mail.com> wrote:
Ignatz said he sent it 2 times to your email.
He said he confirmed on the Apple.com web site that it was sent to your email.
I know that the French are notorious for spying on people. Do you think the French government may be listening to our email chat and they may have taken the $300 in gift card codes?
On Tuesday, June 23, 2020 11:45 AM, Scammer <scammer@gmail.com> wrote:
No, I didn’t get it. Can you forward it to me?
On Tue, 23 Jun 2020 at 16:49, Jenny Smith <Jen@mail.com> wrote:
I keep forwarding to you.
Seriously….could the French be hacking your email?
On Tuesday, June 23, 2020 11:50 AM, Scammer <scammer@gmail.com> wrote:
What do you mean?
On Tue, 23 Jun 2020 at 16:55, Jenny Smith <Jen@mail.com> wrote:
Ignatz printed out the confirmation numbers for the 3 gift cards.
Since email is not working, let me call you and give you the numbers.
What is your cell number there?
Or the number of your hotel.
On Tuesday, June 23, 2020 11:55 AM, Scammer <scammer@gmail.com> wrote:
I don’t have access to my phone here, Email the numbers to me.
On Tue, 23 Jun 2020 at 16:57, Jenny Smith <Jen@mail.com> wrote:
What is the number of your hotel?
I can call you there.
On Tuesday, June 23, 2020 11:59 AM, Scammer <scammer@gmail.com> wrote:
I’m not available on Phone, Send the numbers of the cards to me via email
On Tue, 23 Jun 2020 at 17:01, Jenny Smith <Jen@mail.com> wrote:
It is 6:00PM there in Paris.
When do you expect to be back in your hotel.
I can call you then with the information for the 3 gift cards.
On Tuesday, June 23, 2020 12:03 PM, Scammer <scammer@gmail.com> wrote:
Send the code number of the cards, So i can forward them to her ASAP
On Tue, 23 Jun 2020 at 17:04, Jenny Smith <Jen@mail.com> wrote:
What time are you due back in your hotel?
On Tuesday, June 23, 2020 12:06 PM, Scammer <scammer@gmail.com> wrote:
Later tonight, Kindly send them now so i can forward them to her.
On Tue, 23 Jun 2020 at 17:11, Jenny Smith <Jen@mail.com> wrote:
Let me ask you, if you can email her, why couldn’t you have ordered the gift cards yourself?
On Tuesday, June 23, 2020 12:15 PM, Scammer <scammer@gmail.com> wrote:
I don’t have access to my online banking. If not that i would have bought the card myself for her online.
On Tue, 23 Jun 2020 at 17:18, Jenny Smith <Jen@mail.com> wrote:
You do not need access to your online banking, just your credit card number.
On Tuesday, June 23, 2020 12:24 PM, Scammer <scammer@gmail.com> wrote:
I’m not with my credit card, Did you purchase the cards
On Tue, 23 Jun 2020 at 17:28, Jenny Smith <Jen@mail.com> wrote:
Yes, 3 x $100 cards.
See attached screen shot……
On Tuesday, June 23, 2020 12:34 PM, Scammer <scammer@gmail.com> wrote:
The attachment you sent doesn’t contain an iTunes gift card.
On Tue, 23 Jun 2020 at 17:36, Jenny Smith <Jen@mail.com> wrote:
This is so weird.
I think someone is hacking this account.
Let me call you in the hotel when you get there.
Then you will have the card codes once and for all.
Since Tammy is in California, it is only 9:30 in the morning there and there is plenty of time to get her the codes.
thanks!
Speak later….send me your phone number at the hotel.
On Tuesday, June 23, 2020 12:37 PM, Scammer <scammer@gmail.com> wrote:
Ok, Send the code number of the three cards write them out.
On Tuesday, June 23, 2020 1:10 PM, Scammer <scammer@gmail.com> wrote:
I just did if you can’t reach me through phone then send the PIN number of the cards via email
On Tue, 23 Jun 2020 at 5:39 PM, Jenny Smith <Jen@mail.com> wrote:
ok, what hotel are you at and what is the phone number?
On Tue, 23 Jun 2020 at 18:15, Jenny Smith <Jen@mail.com> wrote:
That phone number still does not work.
Please send hotel number.
On Tuesday, June 23, 2020 1:25 PM, Scammer <scammer@gmail.com> wrote:
That’s weird.
On Tue, 23 Jun 2020 at 18:28, Jenny Smith <Jen@mail.com> wrote:
This happens.
Let me know when you in your hotel.
Send the number of the hotel.
And we can get her the numbers…..
On Tuesday, June 23, 2020 1:32 PM, Scammer <scammer@gmail.com> wrote:
I’m in the hotel already
On Tuesday, June 23, 2020 1:42 PM, Scammer <scammer@gmail.com> wrote:
Send the code numbers of the cards, Kindly let me know if you don’t want to send the code number of the cards to me.
On Tue, 23 Jun 2020 at 18:41, Jenny Smith <Jen@mail.com> wrote:
What is the phone number and what room?
On Tue, 23 Jun 2020 at 18:45, Jenny Smith <Jen@mail.com> wrote:
I have the cards….since you are in the hotel….just let me know the phone number.
I will call you so you do not have to pay for an international call.
On Tuesday, June 23, 2020 1:46 PM, Scammer <scammer@gmail.com> wrote:
I told you earlier the phone is not connecting, Email the cards to me.
On Tuesday, June 23, 2020 1:50 PM, Jenny Smith <Jen@mail.com> wrote:
What is the name of the hotel?
I can use a VPN connection to make a VoIP secure call, guaranteed to work.
On Tuesday, June 23, 2020 2:26 PM, Scammer <scammer@gmail.com> wrote:
Still waiting. For the cards
On Tue, 23 Jun 2020 at 19:19, Jenny Smith <Jen@mail.com> wrote:
Any update?
On Tue, 23 Jun 2020 at 19:27, Jenny Smith <Jen@mail.com> wrote:
Still waiting for your hotel phone number.
On Tuesday, June 23, 2020 2:29 PM, Scammer <scammer@gmail.com> wrote:
I gave you the number already which you said was not connecting. Email the Pin number of the cards to me.
On Tue, 23 Jun 2020 at 19:38, Jenny Smith <Jen@mail.com> wrote:
That phone number is to a cell phone in area code 201, which is New Jersey.
While the Garden State is the Paris of the US, it is not a hotel number in Paris.
Please send correct number so I can get you the 3 codes.
On Tuesday, June 23, 2020 2:39 PM, Scammer <scammer@gmail.com> wrote:
You can’t reach me on phone
On Tue, 23 Jun 2020 at 19:41, Jenny Smith <Jen@mail.com> wrote:
Why not?
Every hotel has a phone.
On Tuesday, June 23, 2020 2:42 PM, Scammer <scammer@gmail.com> wrote:
I don’t know.
On Tue, 23 Jun 2020 at 7:44 PM, Jenny Smith <Jen@mail.com> wrote:
Can I call you via Skype or WhatsApp then?
On Tuesday, June 23, 2020 2:48 PM, Scammer <scammer@gmail.com> wrote:
Ok
On Tuesday, June 23, 2020 2:49 PM, Jenny Smith <Jen@mail.com> wrote:
ok, what is the phone #?
Ben Rothke works in information security at Tapad. He writes book reviews for the RSA blog and is a founding member of the Cloud Security Alliance and Cybersecurity Canon.
{Matzav.com}