G+_Rud Dog Posted June 5, 2018: Got an email yesterday from Apple support informing me I had made a purchase for a game. Now I know I didn't, but thought I would share a picture of the email with the community just in case this is the beginning of some sort of scam.
G+_Tailsthefox Pelissier Posted June 6, 2018: I got those a few times when I moved to new computers; but this sounds fishy.
G+_Rickbearcat Posted June 6, 2018: Alright, so what would opening the PDF document do? Or the Word document? Can these be opened in a "safe" environment? Like in a sandboxed PC or Mac? I'd like to know the rest of the story. We obviously know this is a phishing or malware attack.
G+_Travis Hershberger Posted June 6, 2018: That domain name (purchase-app12.com) is a dead giveaway that this did not originate from Apple, for those that didn't already realize that. Rickbearcat, I'd only open them on an isolated VM. No network connectivity at all, and also assume that whatever VM I opened it on is now completely compromised.
G+_John D. Hawkins Posted June 6, 2018: Unless you have forensic tools to backtrack to the origination of this message and then some way of prosecuting the people you find at the other end, I see nothing good that can come out of going any further with that message aside from simply deleting it and moving on.
G+_Paul Hutchinson Posted June 6, 2018: Rickbearcat, if the recipient has an old, outdated PDF viewer then JavaScript embedded in the PDF could be run without asking permission and infect the recipient's PC with malware. It's similar with Word documents: old versions of Word could run VBA code without asking, delivering the infection. Yes, they can be opened and forensically examined safely in a safe environment. This type of phishing scam against Apple users has been going on at least since 2015. Apple support has a page about them that includes an address for submitting the email to them for analysis: support.apple.com - Identify legitimate emails from the App Store or iTunes Store
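Paul's post above explains the two attachment risks in this thread: JavaScript carried inside a PDF and VBA macros inside a Word document. The following Python script is an added example, not code from the thread or from Apple's support page, showing the kind of static pre-check an analyst runs on a saved attachment before deciding whether it ever goes near a viewer. It looks for the PDF name objects that signal active content (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile, including the hex-escaped spelling such as /J#53), and for the word/vbaProject.bin entry that marks a macro-carrying .docx/.docm. The sample PDF and the in-memory Word files are constructed here purely for the demonstration.

```python
import io
import re
import zipfile

# PDF name objects that indicate active or embedded content. PDF allows names to
# be written with hex escapes (/J#53 == /JS), so the data is normalised first.
PDF_ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")


def _normalise_pdf_names(data: bytes) -> bytes:
    """Replace #xx hex escapes inside PDF names with the literal byte."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_risk_indicators(data: bytes) -> list[str]:
    """Return the active-content markers found in a PDF (empty list = none seen).

    Caveat: this is a plain keyword scan. Objects inside FlateDecode streams or
    object streams (/ObjStm) are compressed and invisible to it, so their
    presence is reported as a separate indicator rather than silently ignored.
    """
    if not data.startswith(b"%PDF-"):
        return ["not-a-pdf"]
    text = _normalise_pdf_names(data)
    found = [
        name.decode()
        for name in PDF_ACTIVE_NAMES
        # negative lookahead so /JS does not match /JSomething
        if re.search(re.escape(name) + rb"(?![A-Za-z])", text)
    ]
    if b"/FlateDecode" in text or b"/ObjStm" in text:
        found.append("compressed-streams-present (keyword scan may miss objects)")
    return found


def docx_has_macros(data: bytes) -> bool:
    """True if an OOXML Word file carries a VBA project (word/vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "word/vbaProject.bin" in set(zf.namelist())
    except zipfile.BadZipFile:
        # Not a zip container: legacy .doc (OLE) needs a different parser.
        return False


# --- constructed samples (not real attachments) ---------------------------------
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /J#53 (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"


def build_sample_docx(with_macro: bool) -> bytes:
    """Build a minimal constructed .docx zip, optionally with a placeholder VBA entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    print("sample pdf:", pdf_risk_indicators(SAMPLE_PDF))
    print("clean pdf:", pdf_risk_indicators(CLEAN_PDF))
    print("macro docx:", docx_has_macros(build_sample_docx(True)))
    print("plain docx:", docx_has_macros(build_sample_docx(False)))
```

A hit from either function is a reason to escalate (submit to the vendor address Paul mentions, or detonate in the disconnected VM Travis describes), not a verdict; a clean result only means nothing was visible to a keyword scan, which is why the compressed-stream indicator is reported rather than treated as clean.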
G+_Rud Dog (Author) Posted June 6, 2018: Rickbearcat, I didn't want to open either one based on the bait it appeared to be. I don't have any setups for testing the attachments and would also like to know if they are problematic. Maybe I can scan them, but then how do you scan an attachment?
G+_Rud Dog (Author) Posted June 6, 2018: BTW, it was interesting this email was received after working on resetting my wife's iTunes account password. Odd timing, or was it?
G+_Rickbearcat Posted June 6, 2018: Rud Dog, that is a very good question. Could you have been targeted somehow to receive a message like that?
G+_Akira Yamanita Posted June 6, 2018: These drive-by scams are common and I've seen an uptick of them at work. (I work for an MSP.) Report it and move along. If you're really curious about the attachments, upload them to virustotal.com.
G+_William L. DeRieux IV Posted June 6, 2018: Travis Hershberger, plus purchase-app12.com has no ICANN registrar information (no whois information). Very phishy: emails coming from an unregistered domain. (And, more blatantly obvious, it is not registered by Apple.)
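Travis and William both reach their verdict from the sender domain (purchase-app12.com) rather than from the "Apple" display name. The Python script below is an added example, not from the thread or from Apple, that automates that triage on a raw .eml: it separates the display name from the actual From domain, compares Reply-To and Return-Path domains against it, reads the SPF/DKIM/DMARC verdicts from the receiving server's Authentication-Results header, and lists attachments whose type carries active content. The allowlist EXPECTED_SENDER_DOMAINS is an assumption to be filled from Apple's own support page; the two entries shown are placeholders, and the sample message is constructed for the demonstration using the domain named in this thread.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed allowlist of domains genuine receipts are expected from. Populate it
# from the vendor's own guidance; these two entries are placeholders.
EXPECTED_SENDER_DOMAINS = {"apple.com", "email.apple.com"}
BRAND_WORDS = ("apple", "itunes", "app store")
# Attachment types that can carry scripts or macros and deserve sandbox-only handling.
RISKY_EXTENSIONS = {".pdf", ".doc", ".docm", ".docx", ".xls", ".xlsm", ".js", ".vbs",
                    ".exe", ".zip", ".html", ".htm"}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _registered(domain: str) -> str:
    # Naive registrable-domain guess: last two labels. Production code should
    # consult the public suffix list (e.g. co.uk has three labels).
    return ".".join(domain.split(".")[-2:])


def _auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            results[method.lower()] = verdict.lower()
    return results


def triage(raw: bytes) -> dict:
    """Return the From domain, attachment names and a list of phishing indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    findings = []

    # 1. Brand name in the display name or subject, but the real domain is not on the allowlist.
    visible = (display + " " + str(msg.get("Subject", ""))).lower()
    allowed = {_registered(d) for d in EXPECTED_SENDER_DOMAINS}
    if any(w in visible for w in BRAND_WORDS) and _registered(from_dom) not in allowed:
        findings.append(f"brand in display name/subject but From domain {from_dom} is not on the allowlist")

    # 2. Reply-To / Return-Path pointing somewhere other than the From domain.
    for hdr in ("Reply-To", "Return-Path"):
        value = msg.get(hdr)
        if value:
            dom = _domain(parseaddr(str(value))[1])
            if _registered(dom) != _registered(from_dom):
                findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # 3. Sender authentication as recorded by the receiving MTA.
    auth = _auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method, "missing") != "pass":
            findings.append(f"{method}={auth.get(method, 'missing')}")

    # 4. Attachments of active-content types.
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        attachments.append(name)
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} is an active-content type")

    return {"from_domain": from_dom, "attachments": attachments, "findings": findings}


# Constructed sample message modelled on the thread's description (not the real email).
SAMPLE_EMAIL = b"""\
From: "Apple Support" <receipt@purchase-app12.com>
Reply-To: <billing@purchase-app12.com>
Return-Path: <bounce@mailer-relay.example>
To: user@example.com
Subject: Your receipt from Apple
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=purchase-app12.com; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Thank you for your purchase.
--b1
Content-Type: application/pdf; name="Receipt.pdf"
Content-Disposition: attachment; filename="Receipt.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL)["findings"]:
        print("-", line)
```

The Authentication-Results header is only trustworthy when it was written by your own receiving server (the authserv-id, mx.example.com in the sample), since a sender can add a fake one; a production version should check that field before trusting the verdicts. The whois lookup William describes is deliberately left out so the script runs offline.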
G+_Rud Dog (Author) Posted June 6, 2018: Akira Yamanita, saving the attachments to my computer is not an option, which is in line with not wanting to open them either. Posting them here was more a share-with-community kind of thing. The response was great and interesting from all.
G+_David Peach Posted June 6, 2018: Rud Dog, the way I handle these things is I ask a "friend" if I can borrow his computer to check my mail. :-)
G+_Rud Dog (Author) Posted June 6, 2018: David Peach, way to think OSTB. Now I have to go back and unfriend him/her on all my social media accounts.
G+_Herminio Gonzalez Posted June 6, 2018: Look at the sender email address. It comes from some domain called purchase-app12.com. That does not sound like Apple. You could check further and Google that domain name.
G+_William L. DeRieux IV Posted June 7, 2018: Herminio Gonzalez, it was already suggested and the evidence presented. (It's not Apple, and it is fake: an attempt to phish.)