MobileMe users fall prey to phishing scam

A recent phishing scam targeting users of Apple Inc.'s .Mac and MobileMe online services has successfully duped hundreds into divulging credit card and other personal information, a security company said Thursday.

According to Dan Clements, the president of CardCops, the identity protection division of California-based Affinion Group Inc., the phishing campaign scammed between 100 and 200 people with mac.com addresses in just one day.

[ Is MobileMe suited to iPhone pros? Tom Yager weighs in on the Ahead of the Curve blog. ]

CardCops, which uses automated bots and human investigators to scour the Internet's underbelly -- the chat rooms, sites, and message forums frequented by cybercriminals -- uncovered a stash of records on a server that hackers use to house stolen information.

"We found 20 different files parked on the server," said Clements, "each file with two or three or four, up to 20, profiles." Computerworld, which was allowed to view the profiles, verified that the records, or "full profiles" as Clement dubbed them, included full names, mailing addresses, credit card numbers, card security numbers, birthdates, mother's maiden names, and e-mail addresses and passwords.

"Cumulatively, there were about 300 profiles collected in that one day," Clements said. "And 100 to 200 were mac.com addresses."

After some additional investigation -- which included calling many of the victims to verify that they'd fallen for the ploy -- CardCops pieced together the crime. "We realized that it was a phishing attack, of course, but also that these phishers timed it with an Apple event."

Clements referred to the recent migration Apple conducted for subscribers of its older .Mac online service to MobileMe, the successor that launched just over a month ago. "It looks like that raised the conversion rate of their captures," he added, explaining the phishers' success rate in tricking people into giving up credit card and other confidential information.

Earlier this week, Macworld, a Computerworld sister publication, reported a phishing attack using messages masquerading as Apple's to ask MobileMe users to re-enter their credit card information because of a billing problem.

The message was convincing. "Some of the users who we talked to were very sophisticated users. But they still fell for this attack," said Clements.

Researchers at Trend Micro Inc. agreed that the attack was slick. In a blog post Tuesday, Trend's Jovi Umawing said the message "looks clean and sleek, the text courteous and professional, hardly the kind that instantly gives away [it] away as a fake or scam." He also noted that some of the links in the bogus mail actually lead to legitimate Apple pages.

Clements pinned some of the responsibility on users' trust in Apple. "Absolutely the case," he said when asked if Apple customers' faith in the Cupertino, Calif. company was a factor in getting so many to divulge information.

The MobileMe scam wasn't the first time that phishers have used the Apple brand to fake out consumers. In May, criminals hit iTunes users with sophisticated identity theft attacks, again claiming that credit card problems required them to re-enter information to update their accounts.

Computerworld is an InfoWorld affiiliate.