Security researchers draw attention to new malware scam posing as email from Apple

Nov 24, 2011 08:59 GMT

Lisa Vaas, writing for the Sophos Naked Security blog, is sounding the alarm over an iTunes malware scam that poses as a $50 iTunes gift certificate.

“Criminals are banking on post-Thanksgiving turkey-eating coma and Black Friday shopping frenzy in the US to trick American internet users to click through to malware posing as a $50 iTunes gift certificate,” Lisa Vaas blogs for Sophos, a prominent name in software security today, including Mac OS X security.

It’s not Sophos’ original finding, though. It was actually the research team from German email security provider eleven who broke the news about these fake emails allegedly containing vouchers to the iTunes Store.

However, Sophos takes it upon itself to warn iTunes subscribers that “The attachment [included in said emails] is a ZIP file containing malware. (Sophos detects this file as Mal/BredoZp-B.)”, Vaas writes.

“As the holidays ramp up, so do scams like this. It's understandable that cash-strapped holiday shoppers might be click-happy enough to try to lighten their holiday with $50 worth of free music, video and games,” the blogger adds. “Avoiding click-candy like this phony iTunes certificate is one way to keep cyber-safe over the holidays.”

Faithful customers of Apple’s digital distribution service are being advised to beware of such bogus forms and to avoid falling for urgent, personalized warnings.

Drawing on a list posted by USA Today, Sophos lays out the following methods to protect against this scam, and others like it:

* Beware bogus forms. Beware emails and pop-up messages that ask you to type your account username and password, credit card number or personal information such as Social Security number and date of birth. Legitimate organizations don't solicit sensitive information via email.

* Don't blindly believe urgent, personalized warnings. Phishers often claim that you need to take urgent action with official organisations such as IRS (taxation), Social Security or the Department of Motor Vehicles.

* Don't fall for that cute-baby photo. Even if you recognise the sender's name, don't open attachments. Distrust all email until and unless you've verified that the sender actually intended you to get the message and can vouch for its content.
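The two traits the article gives for this lure, a ZIP attachment and gift-certificate wording, are enough to build a simple mail-gateway triage check. The script below is an added example written for this page, not code from Sophos, eleven or USA Today: it parses raw RFC 822 messages with Python's standard `email` library, lists ZIP attachments, counts lure phrases in the subject and body, and flags a message only when both traits are present. The lure phrase list, the "two hits plus a ZIP" threshold and the three sample messages are all constructed assumptions for the demonstration; the ZIP payload is placeholder bytes, not a real archive.

```python
"""Triage heuristic for gift-certificate lures carrying ZIP attachments.

Added example (not the article's or any vendor's code).  The phrase list,
the threshold and the sample messages are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage

# Constructed lure vocabulary drawn from the wording the article describes.
LURE_PHRASES = ("gift certificate", "gift card", "voucher", "itunes")


def zip_attachments(msg):
    """Return lower-cased filenames of attachments that look like ZIP archives.

    Matches on the declared MIME type or on a .zip extension, because
    senders control both and may set only one of them.
    """
    names = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if fname.endswith(".zip") or ctype in (
            "application/zip", "application/x-zip-compressed"
        ):
            names.append(fname or "<unnamed>")
    return names


def body_text(msg):
    """Best-effort plain text of the message body (empty string if none)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def lure_score(msg):
    """Number of lure phrases found in subject plus body (case-insensitive)."""
    text = (str(msg.get("Subject", "")) + " " + body_text(msg)).lower()
    return sum(1 for phrase in LURE_PHRASES if phrase in text)


def triage(raw):
    """Parse one raw message and return the triage verdict as a dict.

    A message is flagged only when it carries a ZIP attachment AND at least
    two lure phrases (threshold is an assumption chosen for this example).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    zips = zip_attachments(msg)
    hits = lure_score(msg)
    return {
        "subject": str(msg["Subject"]),
        "zip_attachments": zips,
        "lure_hits": hits,
        "suspicious": bool(zips) and hits >= 2,
    }


def build_samples():
    """Three constructed messages: the lure, a benign mail, a benign ZIP."""
    lure = EmailMessage()
    lure["Subject"] = "Your $50 iTunes Gift Certificate"
    lure["From"] = "noreply@example.invalid"   # constructed sender
    lure.set_content("Redeem the attached voucher before it expires.")
    lure.add_attachment(
        b"PK\x03\x04 placeholder bytes, not a real archive",
        maintype="application", subtype="zip",
        filename="iTunes_Certificate.zip",
    )

    benign = EmailMessage()
    benign["Subject"] = "Your package shipped today"
    benign.set_content("Tracking details are on the order page.")

    benign_zip = EmailMessage()
    benign_zip["Subject"] = "Q4 report archive"
    benign_zip.set_content("Files attached as discussed.")
    benign_zip.add_attachment(
        b"PK\x03\x04 placeholder", maintype="application", subtype="zip",
        filename="q4_report.zip",
    )
    return [m.as_bytes() for m in (lure, benign, benign_zip)]


if __name__ == "__main__":
    for verdict in map(triage, build_samples()):
        print(verdict)
```

The third sample shows why the check needs both traits: a ZIP on its own is routine in business mail, and gift-card wording on its own is routine marketing, so either one alone would drown a reviewer in false positives. A production gateway would feed the flagged messages to an antivirus engine (the article notes Sophos' own detection name for the payload) rather than treat this heuristic as a verdict.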