Phishing Email - Your Apple ID was just used to download xxx - examined

Sample Phishing Email - Your Apple ID was used to download

Recently the "Your Apple ID was used to download xxx" email has come in many flavors, and if it matches the items below, then there a good chance it's a phishing email. But I'll walk you through a process on how to tell for sure. This crafty email has been making it's way through the big 3 email (google/outlook/yahoo) email spam filters. For a background on phishing email read on wikipedia.

What to do? Report them, hover over the iforgot.apple.com link (in your email) and match the URL and click on the match link to report them as phishing to Google.

Report Phishing URLs at Google now 

If you have recievied this email take further action now by click these links

1. https://www.google.com/safebrowsing/report_phish/?hl=en&url=www.pharus.com
2. https://www.google.com/safebrowsing/report_phish/?hl=en&url=aruba.it
3. https://www.google.com/safebrowsing/report_phish/?hl=en&url=www.sumanakeerthipiriwena.com
4. https://www.google.com/safebrowsing/report_phish/?hl=en&url=haroldmkingsley.com
5. https://www.google.com/safebrowsing/report_phish/?hl=en&url=amarturismo.com.br
6. https://www.google.com/safebrowsing/report_phish/?hl=en&url=www.azizanali.com
7. https://www.google.com/safebrowsing/report_phish/?hl=en&url=lovingcoco.com
8. https://www.google.com/safebrowsing/report_phish/?hl=en&url=langkawiswee.com
9. https://www.google.com/safebrowsing/report_phish/?hl=en&url=tradeajeet.com
10. https://www.google.com/safebrowsing/report_phish/?hl=en&url=trypromocodes.com 

‏

Subject: Your Apple ID was just used to download Candy Crush Saga or Grudge Match (2014) or "Falls Away" by Childhood or Cado HD $5.99 or Lunar Module 3D or Camera Plus Pro $2.99 or StationDigital $9.99 or Summer Games 3D, v1.2 (4+) $8.99  ... from the App Store on a computer or device that had not previously been associated with that Apple ID. Your receipt No.1145624532

Your Apple ID was just used to download Candy Crush Saga or Grudge Match (2014) or  "Falls Away" by Childhood or Lunar Module 3D or Camera Plus Pro $2.99 or StationDigital $9.99 or Camfrog PRO 6.99$ or Summer Games 3D, v1.2 (4+) $8.99  If you initiated this download, you can disregard this email. It was only sent to alert you in case you did not initiate the download yourself. If you did not initiate this download, we recommend that you go to iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance. Regards, Apple TM and Copyright ý 2013 Apple Inc. 1 Infinite Loop, Cupertino, CA 95014, United States. All rights reserved / Keep Informed / Privacy Policy / My Apple ID

How to tell this is a Phishing email ?

1. Is email is from you to you, then it's phishing.
2. Hover over all links in email, if it's not from the apple.com site then forget it.
   
   
   In above example, all the links and source images seem to be from Apple website except the iforgot.apple.com link.
   
   You can test this in the above example, since I crafted that from source HTML of the phishing email. Try it, hover over links to examine the source URL. Note: I have re-coded iforgot.apple.com to report pharus.com as phishing site to Google.
   
   In the original phishing email, hovering over iforgot.apple.com pointed to spam site pharus.com or www.sumanakeerthipiriwena.com. The correct link when you hover over iforgot.apple.com should be http://iforgot.apple.com.
   
   
   
   Reading email in Outlook 2013 generated pop-up "Click to follow link"
   
3. The best way is to look at message source, see below.

How to examine Email Message Source ?

Now lets look at message source

1. Outlook.com->Actions->View Message Source. 
2. Gmail.com->More (down arrow to top right)->Show original.

For this phony email, well look at the top 25 lines of the message, known formally as the "message header".




At line 23 you have Return-Path: hosting.windows@aruba.it
and is suspect because domain was registered in Italy (.it) and nothing to do with Apple.

A geo location of the ip address confirms it comes from Italy using http://www.ipligence.com/geolocation
Your IP address is 62.149.133.122
City: Soci
Country: Italy
Continent: Europe

Aruba.it is being investigate for a Paypal phishing and has reported links to Italian Mafia.

These are valid return-paths for Apple 

• Return-Path: do_not_reply@apple.com 
• Return-Path: bounces@insideicloud.icloud.com 

Why look at "Return-Path"? When the e-mail is put in the recipient's mailbox, a new mail header is created with the name "Return-Path:" containing the address on the MAIL FROM command. So it's a quick hit to determine authenticity.

Report Phishing Email (not as Spam)

1. Outlook.com->Junk (at Top)->Phishing Scam
2. Gmail.com->More (downarrow to top right)->Report Phishing 

Report Phishing URLs at Google now 

If you have recievied this email take further action now by click these linksHover over the iforgot.apple.com link and match the URL and click on the match link to report them as phishing to Google.

1. https://www.google.com/safebrowsing/report_phish/?hl=en&url=www.pharus.com
2. https://www.google.com/safebrowsing/report_phish/?hl=en&url=aruba.it
3. https://www.google.com/safebrowsing/report_phish/?hl=en&url=www.sumanakeerthipiriwena.com
4. https://www.google.com/safebrowsing/report_phish/?hl=en&url=haroldmkingsley.com
5. https://www.google.com/safebrowsing/report_phish/?hl=en&url=amarturismo.com.br
6. https://www.google.com/safebrowsing/report_phish/?hl=en&url=www.azizanali.com
7. https://www.google.com/safebrowsing/report_phish/?hl=en&url=lovingcoco.com
8. https://www.google.com/safebrowsing/report_phish/?hl=en&url=langkawiswee.com
9. https://www.google.com/safebrowsing/report_phish/?hl=en&url=tradeajeet.com
10. https://www.google.com/safebrowsing/report_phish/?hl=en&url=trypromocodes.com

If you don't see your URL here add a comment below.

Report phishing at Microsoft and government agencies

1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx