14 DAY TRIAL // Security researchers from Finnish antivirus vendor F-Secure warn about a wave of pharma spam emails masquerading as official communications from Apple's AppStore.
The emails bear a subject of "ID:[random number] Apple AppStore Order Cancellation" and come with spoofed headers to appear as if they from an [email protected] address.
The messages were created using a real Apple AppStore emails template, but all links inside have been replaced with ones leading to rogue online pharmacies.
"Dear Apple AppStore Customer, Your Order ID:[random numer] (order information) has been successfully canceled. You can also contact Apple AppStore Customer Service or visit online for more information.
"Visit the Apple AppStore to purchase Apple hardware, software, and third-party accessories. To purchase by phone please call 1-800-MY-APPLE," the emails read.
There are two links in the messages, one on the random ID number and one on "order information." The emails are designed to make recipients ask themselves questions like why was his order cancelled or why was there an order in the first place.
In both cases users will likely click on the links to obtain more information, only to find themselves taken to a rogue pharmacy website selling prescription drugs.
According to F-Secure researchers, this technique is more common in phishing attacks or malware distribution campaigns.
"Turns out that the link leads to a drugstore site. Odd. We are expecting it go to a fake iTunes/AppStore page, in which the recipient would be prompted to input his account details. But that didn't happen," they write.
A similar spam run currently making the rounds uses the same technique, but generates emails purporting to come from YouTube.
If this is part of the same operation, the links in the email will take users through redirect scripts hosted on legitimate compromised websites. This might decrease the ability of some anti-spam filters to block the emails.