Last week, a member of the PassaicJews mailing list had their email account hacked. The attacker then sent a message to everyone in the person’s address book. For many people, their address book can easily have over 5,000 entries.
That single address entry to PassaicJews actually went to over 2,700 members. So an account compromise like that can easily reach tens of thousands of people.
In this case, the attacker used a gift card scam. The text of the initial email was:
Good Morning, How are you? I need a favor from you.
I need to get an iTunes gift card for my Niece, It’s her birthday today but I can’t do this now because am currently out of town. Can you get it from any store around you? I’ll pay back as soon as i am back.
Kindly let me know if you can handle this.
Thank you,
Sender’s Name
These scams prey on people’s good natures. And as people are often quick to help, they will immediately reply to a friend in need. I work in information security and have seen such scams countless times. I decided to play along and responded to the person. To which they replied:
Thanks. What I need is $300 iTunes gift card ($100 denomination. Three $100 cards total $300) you can buy from any store around now. Also, I need you to scratch the back of the cards to reveal the pins, then take a snap shot of the back showing the pins and have them email to me….so i can forward the cards to my Niece.
How soon can you get this done for me so i can give her a definite time to expect the picture from me?
What is blatantly apparent is that both of these emails lack any sort of personalization. They are entirely generic. The person is also quite demanding for a person in need.
While Willie Sutton never really said he robbed banks because that’s where the money is, in 2020, money is undoubtedly in internet scams.
Gift card frauds are so prevalent that the Better Business Bureau, AARP, and FTC have alerts. As to iTunes card fraud, Apple and the FTC have warnings specifically regarding scams involving App Store & iTunes gift cards and Apple Store gift cards. These scams have been going on for years where fraudsters request codes from App Store & iTunes gift cards or Apple Store gift cards.
This email scam follows a standard formula where the person says they can’t make the purchase now and says they will pay you when they return.
Why iTunes Gift Cards
Apple Music, App Store, iTunes, and related services are significant players in the global digital and music markets, with over $10B in annual revenue. With a market so huge, it is ripe for scamming.
These scams are part of extensive, sophisticated black market efforts, often via the dark web. The low-level scammers do the grunt work of communicating with the victim. Once they get the codes, the network sells them to middlemen, who in turn sell these codes to people on the secondary market. This entire exchange is, for the most part, untraceable and very profitable.
If the scammers try to flip the card into Bitcoin, it makes it even more untraceable. As an aside, Bitcoin is not provably untraceable. As detailed in Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction, all Bitcoin transactions are stored publicly and permanently on the network, and can’t be considered fully anonymous.
How Do You Avoid Being a Victim?
This scam is so efficient because the source is the victim’s email address book, which often contains thousands of contacts. If these are going to their friends, they will have a desire to be helpful.
Ronald Reagan popularized the saying “trust, but verify,” which is the approach one needs to take. Anytime someone asks you for money on the internet or via email, you have to be extremely suspicious. And being suspicious will save you from being yet another victim.
In the Orthodox world, millions of dollars have been lost to affinity scams. You don’t have to be so affluent to be a target, and then the victim.
You can avoid being a victim by using both technical and practical approaches.
Use common sense: Does the email make sense? If you look at the text of the email communications, the writer answers in short, terse sentences and does not seem to be a native English speaker. You can see the entire email exchange at https://bit.ly/2NEqXbH
Travel during a pandemic: The scammer eventually says he is in Paris. Really, during a pandemic? How did they even get there during COVID? That red flag alone should put the kibosh on this.
Ask a few questions: The person should know some specifics, especially about their own life and family. The entire email chain is below, and I asked the scammer some specific questions he or she never replied to directly. I also used false family member names and a medical condition which he was oblivious to. Since there were no corrections to these, it screams out scam.
Passwords: For your email accounts, use a complex, difficult to guess password. But this is not foolproof if the password itself is compromised.
Employ multi-factor authentication (MFA): This is an authentication method where a user is only given access after successfully presenting two or more pieces of evidence to the authentication system. If you use Google services, you should employ more robust security for your Google account via Google Authenticator.
Why: Consider why they are asking for your help—the attacker below is making up silly excuses why he can’t do it himself.
Use that and even more common sense, and you are much less likely to be a victim.
