iTunes Malware Kicks Off Christmas Scam Season

An email pretending to offer $50 of credit on the iTunes Store could take over a user’s system

Scammers are taking advantage of the Christmas shopping season with a flood of malware-bearing emails disguised as iTunes gift certificates, according to security experts.

The email arrives on the eve of Thanksgiving in the United States, which customarily kicks off the Christmas gift-shopping season in that country and elsewhere.

Disguise

It appears to come from a legitimate email address – official@itunes.apple.com – and contains an attachment called Gift_Certificate_iT9581.zip that pretends to offer $50 (£32) of credit at the iTunes Store, according to German security firm Eleven Security. When the file is launched, it deploys a malicious executable file, Eleven said.

The malware, which Sophos has identified as Mal/BredoZp-B, creates a backdoor into a user’s system that can be used to download more malicious code, according to security vendors.

The message contains plain text only, with no graphic elements, Eleven said. The company said about half of the emails it detected originated from US IP addresses, with another 10 percent from the UK.

“As the holidays ramp up, so do scams like this,” wrote Sophos blogger Lisa Vaas. “It’s understandable that cash-strapped holiday shoppers might be click-happy enough to try to lighten their holiday with $50 worth of free music, video and games.”

Mal/BredoZp-B has been used in several other spam campaigns, including fake notifications from the US Federal Deposit Insurance Corporation in August.

Fraud shutdown

Earlier this month the Metropolitan Police’s Central e-Crime Unit (PCeU) said it had shut down more than 2,000 fraudulent e-commerce websites ahead of the Christmas shopping season, the latest move in the unit’s long-running battle against counterfeiting and fraud.

The PCeU worked with registrar Nominet to identify and shut down the sites, but said no arrests were made. The police and Nominet would not name the sites that were taken down – but hinted that a future change might bring in “name and shame” publication of the culprits, as a result of Nominet’s current review of criminal takedown rules.