Beware of “Apple Billing Information” Phishing E-mails

Posted on December 26th, 2011 by

A vast phishing attack has broken out, beginning on or around Christmas day, with e-mails being sent with the subject "Apple update your Billing Information." These well-crafted e-mails could fool many new Apple users, especially those who may have found an iPhone, iPod or iMac under their Christmas tree, and set up accounts with the iTunes Store or the Mac App Store for the first time. The messages claim to come from "appleid@id.apple.com." Here's what the content looks like:

If you click on the link in the message, you will be taken to a realistic-looking sign-in page. After you enter your Apple ID and password, you'll be taken to a page asking you to update your account profile, notably by entering your credit card information. Again, this page looks realistic, and many of the elements it contains are taken from Apple's own web pages.

So how do you know that this is a phishing e-mail? The first rule of thumb is to move your cursor over the link in the message and wait for a tooltip to pop up:



As you can see above, the URL that displays is not an apple.com address, but rather a numerical address (we've blurred the first part of the address). At the end of the address is a page called apple.htm, which could fool people, but that's not what's important. Always look at the part right after the http:// in the URL: if it's not something.apple.com (it could be www.apple.com, store.apple.com, or something else), then it's bogus.
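The host check described above, as an added example (not code from the original post): it parses a link with the standard URL parser and accepts only a host that is apple.com or ends in .apple.com, so numeric addresses and names that merely contain apple.com are flagged. The function name, verdict labels and sample URLs are assumptions made for illustration; 203.0.113.27 is a documentation address, and www.apple.com.billing.at is the host quoted in a reader comment on this post.

```javascript
// Added example: classify a link's host against one trusted domain.
// TRUSTED, classifyLink and the verdict strings are hypothetical names.
const TRUSTED = "apple.com";

function classifyLink(href, trusted = TRUSTED) {
  let url;
  try {
    url = new URL(href); // WHATWG parser, the same rules browsers apply
  } catch {
    return "invalid";
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "invalid";

  // hostname excludes scheme, port and path, and is already lower-cased,
  // so a page name such as /apple.htm can never influence the verdict.
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot

  // Numeric hosts: dotted-decimal IPv4 or bracketed IPv6.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) {
    return "ip-address";
  }
  // Trusted only if the host IS the domain or ENDS with ".<domain>".
  if (host === trusted || host.endsWith("." + trusted)) return "trusted";

  // The trusted name shows up as leading labels, but the labels on the
  // right (the ones that decide who owns the host) are something else.
  if (host.startsWith(trusted + ".") || host.includes("." + trusted + ".")) {
    return "lookalike-subdomain";
  }
  return "other-domain";
}

// Constructed sample links.
const samples = [
  "https://store.apple.com/account",
  "http://203.0.113.27/apple.htm",
  "http://www.apple.com.billing.at/",
  "http://notapple.com/",
];
for (const s of samples) console.log(classifyLink(s).padEnd(20), s);
```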

We hope you'll be careful if you're new to Macs and Apple products. We work hard to keep Mac and Apple users safe from the many dangers of the Internet.

  • http://twitter.com/andreigherghe Andrei GHERGHE

    I found the actual address:
    http://21X.XYZ.107.27/

    Looks like the site is down :)

  • http://pulse.yahoo.com/_RTLYF56GGZK5Y2RBYOA77MAGI4 Ninju B

    Why did you ‘blur’ out the IP address of the phishing website??

    • http://www.intego.com Intego

      So people don’t go there out of curiosity. While it’s a phishing site, there’s always the possibility that such sites may be serving other malware, and trying to take advantage of browser vulnerabilities.

  • http://twitter.com/franklinveaux franklin veaux

    The advice “Always look at the part right after the http://” isn’t really very good. Many phishers and scam artists will use subdomains to trick people, setting up phony sites with names like “http://www.ebay.com.isaip.dll.22233344444444.site.ru” or “http://www.apple.com.billing.at” to trick people. It’s important to learn how Web URLs work.

  • http://pulse.yahoo.com/_44ZAXNKOYEIJWXPSPMCT5KG6OU John Holtz

    I believe there is 1 mistake in the writeup: at id.apple.com is a valid source for emails. I have several with that address. When I look at the message information, they all have proper apple.com source as described on the Apple Support site.
    Received: from unknown (HELO golovin.apple.com) 

  • ginger

    Oh, they have problems in their isp billing software. I experienced that in a telecom company.
