Intro
On a mailing list I am part of, a user had their email account hacked, and the scammer used the iTunes gift card scam. This is a quick article about the scam and how to avoid being a victim.
The scam
In the world of information security, there are many cutting edge attacks. Like the one out of Israel recently, researchers from Ben-Gurion University and the Weizmann Institute revealed a new technique for long-distance eavesdropping they call lamphone.
The lamphone attack allows anyone with a laptop, telescope and a $400 electro-optical sensor, to listen in on any sounds in a room that’s hundreds of feet away in real-time, by merely observing the minuscule vibrations those sounds create on the glass surface of a light bulb inside.
By measuring the tiny changes in light output from the bulb that those vibrations cause, the researchers showed that a spy can pick up sound clearly enough to discern the contents of conversations or even recognize a piece of music. This is straight out of Tom Clancy.
On the opposite end are the low-tech attacks such as iTunes gift card scams. Recently, someone’s email accounts were hacked and the attacker posted on their behalf on a community mailing list I am part of. The scammer asked people to buy iTunes gift cards to which he would pay you back since he said he was away.
This scam goes back a few years and is in constant use. When the victim’s email account is hacked, the attacker will send a message to everyone in their address book.
Gift card frauds are so prevalent that the Better Business Bureau, AARP, and FTC have alerts. As to iTunes card fraud, Apple and the FTC have warnings specifically regarding scams involving App Store & iTunes Gift Cards and Apple Store Gift Cards. These scams have been going on for years where fraudsters request codes from App Store & iTunes Gift Cards or Apple Store Gift Cards.
The scam follows a standard formula where the person says they can’t make the purchase now and says they will pay you when they return.
Why iTunes gift cards
Apple Music, App Store, iTunes, and related services are major players in the global digital app and music market, with over $10B in annual revenue. With a market so huge, it is ripe for scamming.
These scams are part of extensive, sophisticated black market efforts, often via the dark web. The low-level scammers do the grunt work of communicating with the victim. Once they get the codes, the network sells them to middlemen, who, in turn, sell these codes to people on the secondary market. This entire exchange is, for the most part, untraceable and very profitable.
If the scammers try to flip the card into Bitcoin, it makes it even more untraceable. As an aside, Bitcoin is not provable untraceable. As detailed in Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction, all Bitcoin transactions are stored publicly and permanently on the network, and can’t be considered fully anonymous.
How do you avoid being a victim?
This scam is so efficient because the source is the victim’s email address book, which often contains thousands of contacts. If these are going to their friends, they will have a desire to be helpful.
Ronald Reagan popularized the saying Trust, but verify, which is the approach one needs to take here.
You can avoid being a victim by using both technical and practical approaches.
- Use common sense — does the email make sense? If you look at the text of the email communications, the writer answers in short, terse sentences and does not seem to be a native English speaker.
- Ask a few questions — the person should know some specifics, especially about their own life and family. The entire email chain is below, and I asked the scammer some specific questions he or she never replied to directly. I also used false family member names and a medical condition which he was oblivious to. Since there were no corrections to these, it screams out scam.
- Generic text — everything in the email conversation is generic. The scammer makes no mention of anything personal which would indicate it is the real person. They never refer to you by name, nor their niece by name. They say they are out of town, but do not mention a place.
- Use hard to guess password — for your email accounts, use a complex, difficult to guess password. But this is not foolproof is the password itself is compromised.
- Employ multi-factor authentication (MFA) — this is an authentication method where a user is only given access after successfully presenting two or more pieces of evidence to the authentication system. If you use Google services, you should employ more robust security for your Google account via Google Authenticator.
- Consider why they are asking for your help — the attacker below is making up silly excuses why he can’t do it himself.
- Be aware and vigilant — there are trillions of dollars moving through the Internet daily, and scammers want a piece of the action. Awareness is critical to avoid being a victim. You need to protect yourself from COVID-19 & stimulus payment scams, and also be aware of the myriad other scams. Frank Abagnale’s book Scam Me If You Can: Simple Strategies to Outsmart Today’s Rip-off Artists is an excellent primer on the topic.
- Use that even more common sense, and you are much less likely to be a victim.
The email chain with the scammer has been anonymized to protect the victim, and below is the text of the emails.
Two of the victim’s email accounts were hacked — MSN and Gmail. I refer to these as [email protected] and [email protected]
Notice the initial scam email came from the victim’s MSN account. The scammer then moved to the victim’s Gmail account.
The friend responding is Jenny Smith [email protected]
On Tue, Jun 23, 2020 at 10:15 AM Scammer <[email protected]> wrote:
Good Morning, How are you? I need a favor from you.
I need to get an iTunes gift card for my Niece, It’s her birthday today but I can’t do this now because am currently out of town. Can you get it from any store around you? I’ll pay back as soon as i am back.
Kindly let me know if you can handle this.
Thank you,
Scammer
On Tue, 23 Jun 2020 at 15:26, Jenny Smith <[email protected]> wrote:
Hi — is this for Tammy your niece? I remember when she was little.
Let me know what you need and we can help.
On Tuesday, June 23, 2020 10:35 AM, Scammer <[email protected]> wrote:
Thanks. What I need is $300 iTunes gift card($100 denomination. Three $100 cards total $300) you can buy from any store around now. Also, I need you to scratch the back of the cards to reveal the pins, then take a snap shot of the back showing the pins and have them email to me….so i can forward the cards to my Niece.
How soon can you get this done for me so i can give her a definite time to expect the picture from me?
On Tue, 23 Jun 2020 at 15:37, Jenny Smith <[email protected]> wrote:
Anything for your bro!
I can do out and buy them, or get them online….just tell me what to do.
You on vacation now?
On Tuesday, June 23, 2020 10:42 AM, Scammer <[email protected]> wrote:
Can you get the cards online for me now and have them sent to me my email address [email protected]
On Tue, 23 Jun 2020 at 15:44, Jenny Smith <[email protected]> wrote:
Sure….what is the web site to order them from?
I can do that now….just let me know the web site to order from.
Don’t want Tammy to miss her birthday present. How old is she now?
On Tuesday, June 23, 2020 10:46 AM, Scammer <[email protected]> wrote:
On Tue, 23 Jun 2020 at 15:49, Jenny Smith <[email protected]> wrote:
Ok…how much do you need?
When are you and Monica due back? We miss you in hot and humid Miami.
On Tuesday, June 23, 2020 10:50 AM, Scammer <[email protected]> wrote:
What I need is $300 iTunes gift card($100 denomination. Three $100 cards total $300) Have it sent to my email address [email protected]
On Tuesday, June 23, 2020 10:53 AM, Scammer <[email protected]> wrote:
Paris, Let me know when done.
On Tue, 23 Jun 2020 at 15:52, Jenny Smith <[email protected]> wrote:
Ok, will do that now.
Where are you guys??=
On Tue, 23 Jun 2020 at 15:59, Jenny Smith <[email protected]> wrote:
Ignatz is getting the credit card for me, so will do the order in like 2 minutes.
OMG I love Paris!!!!
Where you guys staying there?
On Tuesday, June 23, 2020 11:00 AM, Scammer <[email protected]> wrote:
Ok, Let me know when you place the order for the cards.
On Tue, 23 Jun 2020 at 16:04, Jenny Smith <[email protected]> wrote:
He is doing the order now….
He is better with computers than I am.
How are you managing doing all that walking with your cellulitis problems? Must be hard.
Ignatz just said order should be done in 90 seconds.
On Tuesday, June 23, 2020 11:06 AM, Scammer <[email protected]> wrote:
Ok, thanks.
On Tue, 23 Jun 2020 at 16:08, Jenny Smith <[email protected]> wrote:
Seriously….how are you managing doing all that walking with your cellulitis problems?
I remember when you had to miss Dave Kujan’s retirement party due to that.
On Tuesday, June 23, 2020 11:12 AM, Scammer <[email protected]> wrote:
I’m getting better now.
On Tue, 23 Jun 2020 at 16:15, Jenny Smith <[email protected]> wrote:
ok….that is great.
Ignatz just finished the order for the 3 gift cards.
Regards to the birthday girl!
On Tuesday, June 23, 2020 11:19 AM, Scammer <[email protected]> wrote:
Kindly forward the confirmation order to me.
On Tue, 23 Jun 2020 at 16:22, Jenny Smith <[email protected]> wrote:
Did you not get the confirmation?
Ignatz said it was confirmed.
On Tuesday, June 23, 2020 11:26 AM, Scammer <[email protected]> wrote:
No
On Tue, 23 Jun 2020 at 16:30, Jenny Smith <[email protected]> wrote:
He just resent it to you.
On Tuesday, June 23, 2020 11:31 AM, Scammer <[email protected]> wrote:
Let me send it to my email
On Tue, 23 Jun 2020 at 16:39, Jenny Smith <[email protected]> wrote:
Can you confirm you got it?
On Tuesday, June 23, 2020 11:40 AM, Scammer <[email protected]> wrote:
No, I didn’t get it. Can you send it to me.
On Tue, 23 Jun 2020 at 16:44, Jenny Smith <[email protected]> wrote:
Ignatz said he sent it 2 times to your email.
He said he confirmed on the Apple.com web site that it was sent to your email.
I know that the French are notorious for spying on people. Do you think the French government may be listening to our email chat and they may have taken the $300 in gift card codes?
On Tuesday, June 23, 2020 11:45 AM, Scammer <[email protected]> wrote:
No, I didn’t get it. Can you forward it to me?
On Tue, 23 Jun 2020 at 16:49, Jenny Smith <[email protected]> wrote:
I keep forwarding to you.
Seriously….could the French be hacking your email?
On Tuesday, June 23, 2020 11:50 AM, Scammer <[email protected]> wrote:
What do you mean?
On Tue, 23 Jun 2020 at 16:55, Jenny Smith <[email protected]> wrote:
Ignatz printed out the the confirmation numbers for the 3 gift cards.
Since email is not working, let me call you and give you the numbers.
What is your cell number there?
Or the number of your hotel.
On Tuesday, June 23, 2020 11:55 AM, Scammer <[email protected]> wrote:
I don’t have access to my phone here, Email the numbers to me.
On Tue, 23 Jun 2020 at 16:57, Jenny Smith <[email protected]> wrote:
What is the number of your hotel?
I can call you there.
On Tuesday, June 23, 2020 11:59 AM, Scammer <[email protected]> wrote:
I’m not available on Phone, Send the numbers of the cards to me via email
On Tue, 23 Jun 2020 at 17:01, Jenny Smith <[email protected]> wrote:
It is 6:00PM there in Paris.
When do you expect to be back in your hotel.
I can call you then with the information for the 3 gift cards.
On Tuesday, June 23, 2020 12:03 PM, Scammer <[email protected]> wrote:
Send the code number of the cards, So i can forward them to her ASAP
On Tue, 23 Jun 2020 at 17:04, Jenny Smith <[email protected]> wrote:
What time are you due back in your hotel?
On Tuesday, June 23, 2020 12:06 PM, Scammer <[email protected]> wrote:
Later tonight, Kindly send them now so i can forward them to her.
On Tue, 23 Jun 2020 at 17:11, Jenny Smith <[email protected]> wrote:
Let me ask you, if you can email her, why couldn’t you have ordered the gift cards yourself?
On Tuesday, June 23, 2020 12:15 PM, Scammer <[email protected]> wrote:
I don’t have access to my online banking. If not that i would have bought the card myself for her online.
On Tue, 23 Jun 2020 at 17:18, Jenny Smith <[email protected]> wrote:
You do not need access to your online banking, just your credit card number.
On Tuesday, June 23, 2020 12:24 PM, Scammer <[email protected]> wrote:
I’m not with my credit card, Did you purchase the cards
On Tue, 23 Jun 2020 at 17:28, Jenny Smith <[email protected]> wrote:
Yes, 3 x $100 cards.
See attached screen shot……
On Tuesday, June 23, 2020 12:34 PM, Scammer <[email protected]> wrote:
The attachment you sent doesn’t contain an iTunes gift card.
On Tue, 23 Jun 2020 at 17:36, Jenny Smith <[email protected]> wrote:
This is so weird.
I think someone is hacking this account.
Let me call you in the hotel when you get there.
Then you will have the card codes once and for all.
Since Tammy is in California, it is only 9:30 in the morning there and there is plenty of time to get her the codes.
thanks!
Speak later….send me your phone number at the hotel.
On Tuesday, June 23, 2020 12:37 PM, Scammer <[email protected]> wrote:
Ok, Send the code number of the three cards write them out.
On Tuesday, June 23, 2020 1:10 PM, Scammer <[email protected]> wrote:
I just did if you can’t reach me through phone then send the PIN number of the cards via email
On Tue, 23 Jun 2020 at 5:39 PM, Jenny Smith <[email protected]> wrote:
ok, what hotel are you at and what is the phone number?
On Tue, 23 Jun 2020 at 18:15, Jenny Smith <[email protected]> wrote:
That phone number still does not work.
Please send hotel number.
On Tuesday, June 23, 2020 1:25 PM, Scammer <[email protected]> wrote:
That’s weird.
On Tue, 23 Jun 2020 at 18:28, Jenny Smith <[email protected]> wrote:
This happens.
Let me know when you in your hotel.
Send the number of the hotel.
And we can get her the numbers…..
On Tuesday, June 23, 2020 1:32 PM, Scammer <[email protected]> wrote:
I’m in the hotel already
On Tuesday, June 23, 2020 1:42 PM, Scammer <[email protected]> wrote:
Send the code numbers of the cards, Kindly let me know if you don’t want to send the code number of the cards to me.
On Tue, 23 Jun 2020 at 18:41, Jenny Smith <[email protected]> wrote:
What is the phone number and what room?
On Tue, 23 Jun 2020 at 18:45, Jenny Smith <[email protected]> wrote:
I have the cards….since you are in the hotel….just let me know the phone number.
I will call you so you do not have to pay for an international call.
On Tuesday, June 23, 2020 1:46 PM, Scammer <[email protected]> wrote:
I told you earlier the phone is not connecting, Email the cards to me.
On Tuesday, June 23, 2020 1:50 PM, Jenny Smith <[email protected]> wrote:
What is the name of the hotel?
I can use a VPN connection to make a VoIP secure call, guaranteed to work.
On Tuesday, June 23, 2020 2:26 PM, Scammer <[email protected]> wrote:
Still waiting. For the cards
On Tue, 23 Jun 2020 at 19:19, Jenny Smith <[email protected]> wrote:
Any update?
On Tue, 23 Jun 2020 at 19:27, Jenny Smith <[email protected]> wrote:
Still waiting for your hotel phone number.
On Tuesday, June 23, 2020 2:29 PM, Scammer <[email protected]> wrote:
I gave you the number already which you said was not connecting. Email the Pin number of the cards to me.
On Tue, 23 Jun 2020 at 19:38, Jenny Smith <[email protected]> wrote:
That phone number is to a cell phone in area code 201,which is New Jersey.
While the Garden State is the Paris of the US, it is not a hotel number in Paris.
Please send correct number so I can get you the 3 codes.
On Tuesday, June 23, 2020 2:39 PM, Scammer <[email protected]> wrote:
You can’t reach me on phone
On Tue, 23 Jun 2020 at 19:41, Jenny Smith <[email protected]> wrote:
Why not?
Every hotel has a phone.
On Tuesday, June 23, 2020 2:42 PM, Scammer <[email protected]> wrote:
I don’t know.
On Tue, 23 Jun 2020 at 7:44 PM, Jenny Smith <[email protected]> wrote:
Can I call you via Skype or WhatsApp then?
On Tuesday, June 23, 2020 2:48 PM, Scammer <[email protected]> wrote:
Ok
On Tuesday, June 23, 2020 2:49 PM, Jenny Smith <[email protected]> wrote:
ok, what is the phone #?
Ben Rothke works in information security at Tapad. He writes book reviews for the RSA blog and is a founding member of the Cloud Security Alliance and Cybersecurity Canon.
{Matzav.com}
A couple of things:
1) Technology to listen in on conversations by picking up vibrations of visible objects has existed for a while. John Gotti was finally convicted about thirty years ago when the govt. eavesdropped on conversations by detecting vibrations from a window at a significant distance.
2) Scammers can pose a professionals who need an “assistant”. A help-wanted ad on a college bulletin board asked for a “Doctor’s general assistant” and one of the tasks was to cash checks and buy items. The pay offered was very attractive for a college kid. A large check arrived, and the request that followed was to buy GameStop gift cards with a few hundred dollars from the check and then scratch off the cards and send photos of the numbers to an email address. The remaining cash from the check could be kept as payment.
Fortunately, it was sniffed out as a scam before any money changed hands, and (as expected) the fat check turned out to be counterfeit. The police were were notified, but they were not interested in helping catch the scammer and refused to even take a report.
BE AWARE – even if you deposit a check and it then clears you will still be liable if it turns out to be counterfeit and the bank will charge you the full amount of the check. NEVER enter an agreement where an unknown person asks you to buy gift cards and email them the PINs, and even if someone you know asks you to do so, be VERY suspicious as it’s probable they’ve been hacked and it’s a scammer who’s contacting you. At the very least, call the friend and verify it’s them (and make sure it’s them via recognizing their voice, asking for some info a stranger wouldn’t know or the like – scammers can also hijack phone numbers).
if people would listen to the rabonim and not waste their time on the shtus of the internet, than they would not have to do the worry of being a scammer victim.
maybe if the oilam would learn more, they would know sugya of chabdehu v’chashdehu.
why they to send these monies to people they do not know means they never learnted this chazal.
if you learn gemara is can even protect you from bad email people.
gut shabbos.