Beware New Phishing Emails Targeting iTunes Store Users

Phishing emails are nothing new. You probably get them from people pretending to be banks, utility companies, delivery companies, stores and more. But phishing emails pretending to be from Apple aren’t that common.

I got one today; and it’s the first time I’ve seen this one. It tells me that my “iTunes ID happens to expire in less than 48H.”


First, there’s no such thing as an “iTunes ID;” it’s an Apple ID. Second, they never expire. You can notice, if you’re a native English speaker, that the grammar is clunky: “happens to expire,” “It is imperative to conduct an audit of your information is present,” and so on.

Apple will never send an email like this. To be sure, hover your cursor over the link – that says “Check Now” in this email – and you’ll see where the link is going. (I’ve blurred part of the domain name of the unfortunate company whose web site was compromised.)


So what happens if you do click that link? It goes to a web page on a compromised server which redirects to a very long domain which almost looks like it could be real, because it begins with (I’ve obfuscated the actual domain in the URL, and removed some of the many seemingly random characters in the middle): […]

That server is currently not responding; presumably because so many people clicked links in these emails.

What the cyber-criminals are trying to do is grab your Apple ID and password. With it, they can purchase stuff from the iTunes Store, at least until they hit the limit of your credit card, or your account balance if you don’t have a card linked to the iTunes Store account. What good would it be for them to buy things from the iTunes Store? Most likely, they’ll buy apps made by certain companies who have paid them to conduct this fraud. So those companies will get sales (minus Apple’s 30% cut), and you’ll get scammed.

But with that password they can also access your iCloud email (if you use iCloud for email), and other data.

Be smart; think carefully when you get emails like this.