Apple iTunes and Apple ID Hijacking

I received in an email recently a PDF attachment of an ‘official’-looking iTunes receipt from Apple. Now, based on the grammar alone, it’s pretty much safe to assume that this receipt is not genuine. The goal is to get you to log into your iTunes account so that the scammers can then take over your account as well as your Apple ID and have full access to any backups, or be able to purchase merchandise using your funds. I was curious as to how they were going to do this, so I opened up the PDF file in a hex editor to take a look under the hood, so to speak. Why didn’t I open it up in Adobe Reader, you may ask? Well, some specially crafted PDFs will actually download malware to your computer just by viewing the PDF file, and seeing as I didn’t feel like cleaning up my machine, opening it up in a hex editor is the safe way to view what’s happening.

So this is the PDF that was sent to my email account:


If you read through the receipt, the tell-tale signs of a ‘phishing’ message, that is, scammers trying to gain access to your account, are as follows.

  • Dear Customer – first of all, if it truly were an iTunes receipt, they would know your account by name and not use a generic greeting.
  • …..make a payment via iTunes Store – it’s a purchase, not a payment.
  • This is detail your activity – the poor grammar alone is more than enough to convince me, as it should you, that your iTunes account, and most importantly your Apple ID, WILL be stolen if you follow the instructions within the PDF file.

No need to point out every little detail; the above alone should have convinced you by now that they are attempting to steal my login credentials. So let’s ‘forensically’ examine this file to see what they are attempting to do. As mentioned, I loaded the PDF file into a hex editor so I can view the raw bytes, exactly as the file would be stored on your hard drive. One thing that really pops out at me is that the PDF file was actually created in MS Word! That’s right, some scammer is using MS Word to create fake iTunes receipts! And the best part is, the Word document also embedded the author’s name, so technically, I know who created this document. The proof is below:


As you can see by looking at the raw data, the author is listed as jayz johansson (please note that there really is no way of knowing whether this person exists or whether this is a fake account, so please don’t pick up the pitchforks and go after a Mr Johansson).

But as you can also see, the PDF was created in MS Word! I highly doubt Apple creates their iTunes receipts in Word considering the thousands of purchases made daily, I’m sure they’re using an automated back end connected to a pretty sweet database, but I digress. So let’s dig a bit deeper and see what else we can find.


So after a bit of digging, this is where the link would have taken you if you had clicked on the ‘Verify Your Account Now’ link: https://se……net/lZCqA (Note: I purposely zeroed out some of the bytes as I did not want anyone accidentally entering the link into a web browser and possibly having their computer compromised.) I like the fact that the link is to a secured server; nothing like protecting you while stealing your information!

I looked up the owner of the web site in question and I can almost guarantee that a Mr Johansson is not responsible for this, unless he currently lives in Japan, as that is where the email link would have taken you! And the name of the site owner is in fact, Japanese.

So as you can see, it’s very important to pay attention to any emails claiming to come from a company, such as Apple, that you may actually have an account with. If you are ever in doubt as to whether or not the email is a legitimate business response, instead of clicking on the link in the email, open up the App Store, or iTunes, and access your account that way. You will be able to review any recent purchases and verify if the email in question is actually real, or just really good at stealing your accounts.

