iTunes leakage or email address harvest?
I received a suspicious looking email today, claiming someone had made a purchase in Russia using my iTunes ID. A trip to iTunes revealed no such purchase. Nevertheless, I changed my password again, as I suspect this false claim might be the result of an iTunes leakage or of someone harvesting email addresses in the hope that they are being used as iTunes IDs.
The email headers, slightly redacted, are as follows:
Return-Path: <email@example.com>
Received: from graveyard4-1.ilait.eu (graveyard4-1.ilait.eu [126.96.36.199])
    by <final MTA> with ESMTP id t2H6sMtR067259
    for <my iTunes ID>; Tue, 17 Mar 2015 07:55:26 +0100 (CET)
    (envelope-from firstname.lastname@example.org)
Message-Id: <201503170655.t2H6sMtR067259@final MTA>
Received: from smtp1-3.ilait.se (smtp1-3.ilait.se [188.8.131.52])
    by graveyard4-1.ilait.eu (Postfix) with ESMTPS id C18CC50D22D
    for <my iTunes ID>; Tue, 17 Mar 2015 06:30:19 +0000 (UTC)
Received: from msnavision (unknown [184.108.40.206])
    by smtp1-3.ilait.se (Postfix) with ESMTPA id EBDC21A3A9
    for <my iTunes ID>; Tue, 17 Mar 2015 06:29:15 +0000 (UTC)
From: "iTunes Store" <email@example.com>
Subject: Your receipt No.3489120981
To: <my iTunes ID>
Content-Type: multipart/alternative; boundary="KXu9U3h0ROPL1GpKUmbqEP53=_NHapPmTs0"
MIME-Version: 1.0
Date: Tue, 17 Mar 2015 11:59:48 +0530
The originator is apparently firstname.lastname@example.org. The DNS domain flamslatt.se is valid, but I doubt Apple would use anything other than their own DNS domain name. The recipient was simply the bare email address, not something like "First name Last name" <email@example.com>. It's difficult to tell what Apple would do here.
The Message-Id header was added by the receiving MTA (its queue id t2H6sMtR067259 is the ESMTP id in the final Received header), not by any of the other MTAs along the way, and certainly not by the originator. The first hop is also telling: a client with no reverse DNS (msnavision, "unknown") handed the message to smtp1-3.ilait.se with ESMTPA, i.e. as an authenticated submission from an account on that relay. The +0530 offset in the Date header suggests India. There's a delay of approx. 25 minutes between the last two Received timestamps.
Nah, this email isn’t legit.
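The header checks above, as an added example that is not code from the original post: a Python script that walks the Received chain in chronological order, measures the delay between hops, notes whether the first hop was an authenticated submission from a client without reverse DNS, checks whether the Message-Id was assigned by the final MTA, and reads the UTC offset of the Date header. The sample input is the post's redacted header block refolded one header per line; mx.example.net and victim@example.net are stand-ins for the redacted final MTA and recipient, and the ten-minute delay threshold is an arbitrary choice.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample input: the redacted headers from the post, refolded one
# header per line. "mx.example.net" and "victim@example.net" are stand-ins
# (assumptions) for the redacted final MTA and recipient address.
RAW_HEADERS = """\
Return-Path: <email@example.com>
Received: from graveyard4-1.ilait.eu (graveyard4-1.ilait.eu [126.96.36.199])
 by mx.example.net with ESMTP id t2H6sMtR067259
 for <victim@example.net>; Tue, 17 Mar 2015 07:55:26 +0100 (CET)
 (envelope-from firstname.lastname@example.org)
Message-Id: <201503170655.t2H6sMtR067259@mx.example.net>
Received: from smtp1-3.ilait.se (smtp1-3.ilait.se [188.8.131.52])
 by graveyard4-1.ilait.eu (Postfix) with ESMTPS id C18CC50D22D
 for <victim@example.net>; Tue, 17 Mar 2015 06:30:19 +0000 (UTC)
Received: from msnavision (unknown [184.108.40.206])
 by smtp1-3.ilait.se (Postfix) with ESMTPA id EBDC21A3A9
 for <victim@example.net>; Tue, 17 Mar 2015 06:29:15 +0000 (UTC)
From: "iTunes Store" <email@example.com>
Subject: Your receipt No.3489120981
To: <victim@example.net>
MIME-Version: 1.0
Date: Tue, 17 Mar 2015 11:59:48 +0530

"""

MAX_HOP_DELAY_S = 600  # assumption: flag hops that sat in a queue for more than ten minutes


def _clause_field(clause, key):
    """Return the token after 'from', 'by' or 'with' in a Received clause."""
    m = re.search(r"\b%s\s+(\S+)" % key, clause)
    return m.group(1) if m else None


def parse_received(value):
    """Split one Received header into from/by/with plus a timezone-aware timestamp."""
    value = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
    clause, _, stamp = value.rpartition(";")      # the timestamp follows the last ';'
    stamp = re.sub(r"\([^)]*\)", "", stamp)       # drop (CET), (envelope-from ...)
    return {
        "from": _clause_field(clause, "from"),
        "by": _clause_field(clause, "by"),
        "with": _clause_field(clause, "with"),
        "rdns_unknown": "(unknown [" in clause,   # Postfix: client had no reverse DNS
        "time": parsedate_to_datetime(stamp.strip()),
    }


def analyse(raw):
    msg = message_from_string(raw)
    # Every MTA prepends its own Received header, so the top one is the last hop;
    # reverse the list to walk the path in chronological order.
    hops = [parse_received(h) for h in reversed(msg.get_all("Received", []))]
    delays = [int((b["time"] - a["time"]).total_seconds())
              for a, b in zip(hops, hops[1:])]
    mid_domain = msg["Message-Id"].strip().strip("<>").rpartition("@")[2]
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    date_offset = int(parsedate_to_datetime(msg["Date"]).utcoffset().total_seconds())

    findings = []
    if hops and mid_domain == hops[-1]["by"]:
        findings.append("Message-Id was assigned by the receiving MTA; the sender supplied none")
    if mid_domain != from_domain:
        findings.append("Message-Id domain %s does not match From domain %s"
                        % (mid_domain, from_domain))
    if hops and hops[0]["rdns_unknown"]:
        findings.append("first hop client %s has no reverse DNS" % hops[0]["from"])
    if hops and hops[0]["with"] == "ESMTPA":
        findings.append("first hop was an authenticated submission to %s" % hops[0]["by"])
    for a, b, d in zip(hops, hops[1:], delays):
        if d > MAX_HOP_DELAY_S:
            findings.append("%d s delay between %s and %s" % (d, a["by"], b["by"]))
    return {
        "hops": hops,
        "delays_s": delays,
        "date_utc_offset_s": date_offset,
        "message_id_domain": mid_domain,
        "from_domain": from_domain,
        "findings": findings,
    }


if __name__ == "__main__":
    result = analyse(RAW_HEADERS)
    for hop in result["hops"]:
        print("%s  %s -> %s (%s)" % (hop["time"].isoformat(), hop["from"], hop["by"], hop["with"]))
    print("hop delays (s):", result["delays_s"])
    print("Date header UTC offset (s):", result["date_utc_offset_s"])
    for f in result["findings"]:
        print("!", f)
```

Run stand-alone it lists the three hops with a 64 s and a 1507 s gap, an offset of 19800 s (+0530) for the Date header, and the findings discussed above. Note that only the Received header written by your own MTA is trustworthy; anything below it could have been forged by the sender.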
The plain text content of the email is the following, slightly redacted:
--KXu9U3h0ROPL1GpKUmbqEP53=_NHapPmTs0
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

- This mail is in HTML. Some elements may be ommited in plain text. -

Order Number: 3489120981
Thank you for buying the following product:
Product Name: i-DRIVER - Pocket Edition
>From iTunes Store
Receipt Date: 3/16/2015
Order total: 12.47 ?
Your last login purchase from <my iTunes ID> was =
initiated from: Russia (Moscow)
If you did not authorize this purchase, please visit the iTunes Payment Cancellation Form
iTunes
You can find the iTunes Store Terms of Sale and Sales Policies by laun=
ching your iTunes application and clicking on Terms of Sale or Sales Policies
Apple ID Summary
Purchase History
This is not a VAT notice.
Copyright 2015 iTunes S.r.l. All rights reserved
--KXu9U3h0ROPL1GpKUmbqEP53=_NHapPmTs0
Notice the spelling error in the first line; that line was probably inserted by the spam software rather than copied from a genuine receipt.
The HTML version is largely the same as the plain text version, the only difference being a bit.ly link behind the supposed "iTunes Payment Cancellation Form" and a link to https://www.apple.com/uk/legal/. The latter is a link Apple might plausibly use; for the former, however, they would use a full apple.com URL rather than resorting to a bit.ly shorthand URL. Or at least they should.
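The link check described above, as an added example that is not code from the original post: extract every anchor from the HTML part and flag hrefs that go through a URL shortener, hrefs outside the expected brand domain, and link text that displays one URL while the href points somewhere else. The HTML below is constructed to match the post's description; the bit.ly path is a placeholder, and the third anchor is added only to exercise the text-mismatch rule, which goes slightly beyond the two links the post mentions. The shortener list and the brand domain set are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a minimal HTML part with the two links the post describes.
# The bit.ly path is a placeholder, and the third anchor is added to exercise
# the text-mismatch rule; neither is taken from the real message.
SAMPLE_HTML = """
<p>If you did not authorize this purchase, please visit the
<a href="http://bit.ly/xxxxxxx">iTunes Payment Cancellation Form</a></p>
<p>You can find the Terms of Sale at
<a href="https://www.apple.com/uk/legal/">https://www.apple.com/uk/legal/</a></p>
<p>Review your account: <a href="http://example.org/verify">https://www.apple.com/</a></p>
"""

BRAND_DOMAINS = {"apple.com"}  # assumption: domains a genuine Apple receipt would link to
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}  # assumption: common shorteners


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace so folded link text compares cleanly
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host):
    """Crude last-two-labels domain: fine for .com/.ly, wrong for ccSLDs such as .co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def check_links(html):
    """Return (rule, href, text) findings for every suspicious anchor."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname
        if not host:            # mailto:, relative links etc. carry no host to judge
            continue
        dom = registrable(host)
        if dom in SHORTENERS:
            findings.append(("shortener", href, text))
        elif dom not in BRAND_DOMAINS:
            findings.append(("off-brand", href, text))
        # Link text that looks like a URL but points to a different domain is a classic lure
        if text.startswith(("http://", "https://")):
            shown = registrable(urlsplit(text).hostname or "")
            if shown != dom:
                findings.append(("text-mismatch", href, text))
    return findings


if __name__ == "__main__":
    for rule, href, text in check_links(SAMPLE_HTML):
        print("%-13s %-30s  shown as: %s" % (rule, href, text))
```

Against the sample this reports the bit.ly link as a shortener and the third anchor as both off-brand and a text/href mismatch; the apple.com/uk/legal/ link passes. Resolving the shortener to see where it actually leads is a separate step and should be done from an isolated machine, not by clicking it.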
To sum it all up: scrutinise every email such as the one above before doing anything it suggests.