iTunes scam

Amphiprion

Had a bunch of folks report these recently. I also just received one today. It contains a zipped attachment that most likely attaches a trojan to iTunes. The email then asks you to sign into iTunes to verify your account and be credited instantly with a $50 gift certificate--which then sends your personal account to the scammer. I, luckily, recognize this junk immediately, mostly due to the unprofessional wording used, as well as the dubiousness/randomness of it all. I haven't used my iTunes account in many years, which made it even more obvious than it already was. I just had to check my bank/credit accounts to make sure there was no illicit activity going on, though. iTunes gift cards won't ask you to do these things, anyway. So, bottom line: if you find it, delete the bugger and check your financial accounts for any unusual activity. Obviously, do not send or verify any info.

The email in question (or some variation thereof)--***don't worry, the attachment is absolutely inactive--there are no links here***:
Hello!

You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50.00 will be
credited to your account, so you can start buying music, games, video right
away.

iTunes Store.


attachment: Gift_Certificate_531.zip
 
LOL, it's funny if the addressee, like me, has no iTunes account and they still think they are getting something for nothing; let them lose their money and whatever else. Just like the idiots that have never entered a sweepstakes suddenly find themselves the Grand Prize winner only to find that they were the Grand Pansy!

In these days and ages, there is almost little excuse for falling victim to these scams. But there will always be those that can't be convinced until they have lost everything.

Sad that such a great piece of technology is abused for the advancement of crime!
 
Thanks for the heads up, I just got this email today and did not buy it for a second. I deleted it, but if I get it again, I think I'm going to open the attachment in a live Linux, where it can do no harm, to see what it contains.
 
Norton Internet Security (running under a VM) identified it as W32.Custam. Here's the excerpt from Symantec:

Discovered: March 18, 2010
Updated: March 18, 2010 3:53:33 PM
Type: Worm
Infection Length: 28,672 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
W32.Custam is a worm that spreads through removable drives.

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Low
  • Payload: Opens a back door on the compromised computer.

Distribution

  • Distribution Level: Medium
  • Shared Drives: Spreads through removable drives

It also creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{63KLC5K0-4OPM-00WE-AAX8-17EF1D187263}

The worm then creates a mutex that may have the following name:
Feb_v_1

The worm opens a back door and attempts to connect to IRC servers on the following domains using TCP port 5900:

  • feb.scorevidic.net
  • feb.botsgod.info
  • feb.psybnc.cz


The worm may download an updated copy of the worm when it connects to one of the IRC servers.

It then copies the following files to all USB drives present on the compromised computer:

  • %DriveLetter%\Autorun.Inf
  • %DriveLetter%\[RANDOM FOLDER NAME]\[SID]\[RANDOM FILE NAME].exe
  • %DriveLetter%\[RANDOM FOLDER NAME]\[SID]\DeSkToP.ini
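
An added example, not part of the original posts or of the Symantec write-up: a Python check that walks a mounted removable drive for the file layout listed in the excerpt above (Autorun.Inf at the root, plus a two-level folder holding both DeSkToP.ini and an .exe). The function names, the reading of "[SID]" as an S-1-... style folder name, and the sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: "[SID]" in the excerpt means a Windows SID-style folder name (S-1-...).
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$", re.IGNORECASE)

def _entries(directory: Path) -> list:
    """List a directory, treating unreadable folders as empty."""
    try:
        return list(directory.iterdir())
    except OSError:
        return []

def _has_file(directory: Path, predicate) -> bool:
    return any(p.is_file() and predicate(p.name.lower()) for p in _entries(directory))

def scan_drive(root) -> list:
    """One finding per <root>/<folder>/<subfolder> holding both desktop.ini and an .exe."""
    root = Path(root)
    autorun = _has_file(root, lambda n: n == "autorun.inf")
    findings = []
    for folder in (d for d in _entries(root) if d.is_dir()):
        for sub in (d for d in _entries(folder) if d.is_dir()):
            if _has_file(sub, lambda n: n == "desktop.ini") and \
               _has_file(sub, lambda n: n.endswith(".exe")):
                findings.append({
                    "path": sub.relative_to(root).as_posix(),
                    "autorun_inf_at_root": autorun,
                    "sid_like_name": bool(SID_RE.match(sub.name)),
                })
    return findings

def build_sample(root: Path) -> None:
    """Constructed sample tree: empty placeholder files, nothing executable."""
    (root / "Autorun.Inf").write_text("")
    flagged = root / "qwzxv" / "S-1-5-21-1111111111-2222222222-3333333333-1001"
    flagged.mkdir(parents=True)
    (flagged / "DeSkToP.ini").write_text("")
    (flagged / "kfjdsa.exe").write_text("")
    benign = root / "Photos" / "2010"
    benign.mkdir(parents=True)
    (benign / "desktop.ini").write_text("")  # no .exe beside it, so not flagged

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for finding in scan_drive(tmp):
            print(finding)
```

A finding with `autorun_inf_at_root` set is the combination the excerpt describes; a desktop.ini next to an .exe without the root Autorun.Inf is weaker evidence and worth a manual look.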
 
Thanks for sharing this information! I have shown my daughter so we both won't fall for this (our accounts are linked).
 
AquariaCentral.com