SCAM OF THE WEEK: "The Boss Needs iTunes Gift Cards For Customers... NOW"



If you ever wondered if those iTunes gift card phishes really work, see the below email exchange.

Yep, that overzealous employee actually drove around town from store to store picking up iTunes gift cards for the bad guys because there was a limit on the number of cards that could be bought at any one store at one time.

All told poor Emily bought TWENTY $100.00 iTunes gift cards for these criminals. Still worse, she put them ON HER OWN PERSONAL CREDIT CARD!

Wonder if her company will reimburse her? Kinda feel sorry for her. Sometimes it helps to get security awareness training from your organization. Emily was not trained. Don't be Emily.

Here is the email exchange in chronological order. Note the time stamps are the originals and from different time zones. Names are changed to protect the innocent. John Carpenter is the C-level executive of "distracted.com" and was spoofed by the bad guys. 


From: John Carpenter <officeexec.mails@inbox.lv>
Sent: Thursday, September 6, 2018 11:20 AM
To: Emily Walker <ewalker@distracted.com>
Subject: Respond

Let me know when you are available. There is something I need you to do.
I am going into a meeting now with limited phone calls, so just reply my email.

John Carpenter

Sent from my iPad

-----------------------------

Subject: RE: Respond
Date: 6 September 2018 at 21:24:35
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>

Did you intend to send this to me?

Emily Walker
Project Manager

Sent from my iPhone

-----------------------------

From: John Carpenter <officeexec.mails@inbox.lv>
Sent: Thursday, September 6, 2018 11:28 AM
To: Emily Walker <ewalker@distracted.com>
Subject: RE: Respond

Yes Emily, can you get this done ASAP? I need some couple of gift cards.
There are some listed clients we are presenting the gift cards. How
quickly can you arrange these gift cards because i need to send them
out in less than an hour. I would provide you with the type of gift
cards and amount of each.

 

Sent from my iPad
---------------------

Subject: RE: Respond
Date: 6 September 2018 at 21:48:03
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>

Can do now. I’ll put on my credit card. Send me the following:

Type
Number
Amount

Emily Walker
Project Manager

 

Sent from my iPhone
-------------

From: John Carpenter <officeexec.mails@inbox.lv>
Sent: Thursday, September 6, 2018 11:52 AM
To: Emily Walker <ewalker@distracted.com>
Subject: RE: Respond


The type of card I need is Apple iTunes gift cards. $100 denomination,
I need $100 X 20 cards. You might not be able to get all in one store,
you can get them from different stores. When you get the cards, Scratch
out the back to reveal the card codes, and email me the codes. How soon
can you get that done? Its Urgent.

Sent from my iPad

--------------------------


Subject: RE: Respond
Date: 6 September 2018 at 21:55:17
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>

I can do now. Do you want me to do online instead?

Emily Walker
Project Manager

 

Sent from my iPhone
-------------------------


On Sep 6, 2018, at 11:57 AM, John Carpenter <officeexec.mails@inbox.lv> wrote:

I need you get physical card from the store

Sent from my iPad

---------------------------

Subject: Re: Respond
Date: 6 September 2018 at 22:01:32
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>

On my way to store now. What time need by?

Sent from my iPhone

---------------------


On Sep 6, 2018, at 12:05 PM, John Carpenter <officeexec.mails@inbox.lv> wrote:

As soon as you can. I will await codes

Sent from my iPad


--------------------------

Subject: Re: Respond
Date: 6 September 2018 at 22:13:37
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>

If choice between the two do you want $15 or $25?

Sent from my iPhone

---------------------


On Sep 6, 2018, at 12:16 PM, John Carpenter <officeexec.mails@inbox.lv> wrote:

$100

Sent from my iPad

----------------

 

Subject: Re: Respond
Date: 6 September 2018 at 22:51:58
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>

 

Just texted you the first 11 codes. Heading to another store now. 5 and 6 limit per store.

Sent from my iPhone

------------------------

On Sep 6, 2018, at 12:54 PM, John Carpenter <officeexec.mails@inbox.lv> wrote:

Email the codes to me

Sent from my iPad

---------- 

End of email thread. One hour and twenty five minutes later, the bad guys had 2 thousand dollars in iTunes gift cards in their hands and Emily had charged all of them on her personal credit card. OUCH!
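
The pattern in the thread above (an executive's display name on an outside mailbox, then a gift card request under time pressure) can be checked mechanically at the mail gateway. The Python below is an added example, not part of the original post or of any KnowBe4 tooling; the executive list, keyword patterns, verdict names and the internal address `jcarpenter@distracted.com` are assumptions for illustration, and the sample messages are constructed from the thread.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "distracted.com"      # the recipient's domain, as given in the thread
EXECUTIVES = {"john carpenter"}    # assumed list of display names to protect
LURE = re.compile(r"\b(gift\s*cards?|itunes|card codes?)\b", re.I)
URGENCY = re.compile(r"\b(asap|urgent|less than an hour|as soon as)\b", re.I)

def score_message(raw):
    """Return the CEO-fraud indicators found in one plain-text message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    hits = []
    # Display name claims to be an executive, but the mailbox is off-domain.
    if " ".join(name.lower().split()) in EXECUTIVES and domain != ORG_DOMAIN:
        hits.append("exec-display-name-external-address")
    if LURE.search(body):
        hits.append("gift-card-lure")
    if URGENCY.search(body):
        hits.append("urgency")
    return hits

def verdict(raw):
    """Map indicators to an action; the header mismatch is the anchor signal."""
    hits = score_message(raw)
    if "exec-display-name-external-address" not in hits:
        return "deliver"
    return "quarantine" if len(hits) > 1 else "warn"

# Constructed samples: the first two reuse headers and wording from the thread.
OPENER = """From: John Carpenter <officeexec.mails@inbox.lv>
To: Emily Walker <ewalker@distracted.com>
Subject: Respond

Let me know when you are available. There is something I need you to do.
"""
REQUEST = OPENER.replace(
    "Let me know when you are available. There is something I need you to do.",
    "Yes Emily, can you get this done ASAP? I need some couple of gift cards.")
# Hypothetical genuine internal mail; the address is an assumption.
INTERNAL = """From: John Carpenter <jcarpenter@distracted.com>
To: Emily Walker <ewalker@distracted.com>
Subject: Raffle

Please order gift cards for the holiday raffle.
"""

if __name__ == "__main__":
    for label, raw in (("opener", OPENER), ("request", REQUEST), ("internal", INTERNAL)):
        print(label, verdict(raw), score_message(raw))
```

The opening message carries no gift card wording at all, so only the header check catches it before the conversation starts. A message that forges the organization's own domain in the From address passes this check, which is the case sender authentication on the mail server has to handle.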

I suggest you send the following to your employees in accounting specifically. You're welcome to copy, paste, and/or edit:

The bad guys are getting creative with hybrid gift card / CEO Fraud scams. There is a massive campaign underway where they impersonate an executive and urgently ask for gift cards to be bought for customers. The numbers need to be emailed or texted to the boss after they are physically bought at stores. Never comply with requests like that, and always confirm using a live phone call to make sure this is not a scam. Sometimes it's OK to say "no" to the boss!

Can Your Domain Be Spoofed?
 
Did you know that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain? Now they can launch a "CEO fraud" spear phishing attack on your organization.
 
KnowBe4 can help you find out if this is the case with our free Domain Spoof Test.

One email from us to you shows if your email server is configured correctly. To enter, just go here and fill out the form. It's quick, easy and often a shocking discovery.

Let's stay safe out there.

Warm regards,

Stu Sjouwerman

Founder and CEO, KnowBe4, Inc


 


Can hackers spoof an email address of your own domain?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby.

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.

Find out now if your domain can be spoofed. The Domain Spoof Test (DST) is a one-time free service. Run this test so you can address any mail server configuration issues that are found.

Try To Spoof Me!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/domain-spoof-test/


