Apple iPhone 7 giveaway scam

Wednesday, November 18. 2015

Looks like I'm on a roll. I was home watching a movie and while at it, I got interested about an actor in it and his other work in TV. In normal situation, I'd just flip open one of my laptops, but none were at arm's reach. However, my iPad was. For any movie buff like me, the one an only definite site is Internet Movie Database, or IMDb. Their mobile site is pretty good, but I wanted to give their iOS app a go.

The Incident

I installed the app, and went to iOS Safari to google something, which I don't even remember anymore. Pretty much when I opened the Safari something really weird happened (unfortunately for most of the readers, all of this is in Finnish):

My iPad was selected out of 20 Finnish ones, to get a free iPhone 7 in 2016 when it will be released. WTF!!? For a split second, I - a seasoned software security professional, thought "wow, I'm must be really lucky!" Then the experience kicked in: "This is a scam!" At that point I started taking screenshots of everything I saw on the iPad screen.

Once I got rid of the modal alert-box, there were four bogus questions of "Do you own an Apple product?" and about the future features the iPhone 7 should have and the final one about "Do you have an address in Finland which can be used to deliver your iPhone 7?":

After those, there was a fake "check" for eligibility and a smooth transition to customer testimonials page:

The language was horrible all the way. Finnish is a tricky language for anybody else to master in a believable manner. For example the month name "Elvember" doesn't mean anything in Finnish.

Finally, when I clicked the large blue "yes, gimme my free gift" -button, I ended up in even weirder page asking my personal information:

At this point I lost interest. I have no clue, that's their end game and what they would be using my information for, but I simply didn't want to even enter any fake info there.

Question 4 about address may point to some sort of smuggling scam, so that the unfortunate address would be used to send some sort of contraband which the criminals would liberate from mailbox before nobody notices. I have no proof of that happening.

The Injection

At this point, the relevant question was: What the hell happened?
Where did that page arrive into my Safari? Isn't iOS supposed to be the safest mobile OS there is? Is it really that easy to get past security? What did I do wrong to allow this to happen?

The good thing with this was that I was running in my own Wi-Fi. There I have a basic setup to keep me informed what's going on, so to the logfiles I went:

  • 18.11.2015 18:22:13: App Store was started, lot of requests made to load data and graphics for it
  • 18.11.2015 18:22:18: A search was made to App Store, it was me searching for "imdb"
  • 18.11.2015 18:22:49: 14,801,031 bytes were downloaded from Apple's cloud, that was me downloading the IMDb app
  • 18.11.2015 18:23:05: Lot of traffic into various resources to initialize the loaded app. Partial list of sites:
    • http://ios-app-config.media-imdb.com/6.3.1/ipad.json.gz - iPad configuration in JSON-format from IMDb
    • http://b.scorecardresearch.com/ - Market research company
    • http://aax-eu.amazon-adsystem.com/ - Amazon, Inc. advertisement system, they own IMDb
    • http://ia.media-imdb.com/ - Image server for IMDb
    • https://api.imdbws.com - Unknown IMDb server
    • https://app.imdb.com - Unknown IMDb server
    • https://gsp-ssl.ls.apple.com - Unknown Apple server
    • https://fls-na.amazon.com - Unknown Amazon server
  • 18.11.2015 18:24:43: Safari was launched,
    • http://apple.com-freegiveaway.com/sweeps/custom/fi/lp25_46ulp/ was loaded
  • 18.11.2015 18:29:35: Questions were completed
    • http://bit.ly1bddlxc.com/click - start of redirecting
    • http://trkyad.com/ - middle point
    • http://forbrugerpost.dk/campaign/iphone6s/ - personal information form
  • done

IMDb app pulled in some garbage and triggered the page load into my Safari. Unbelievable!

If you want to study my movements, here is the logfile:
iPhone7scam-10-squid_access-iPad-abbreviated.log
I have omitted the IPv6 address of my iPad, it will be displayed as 2001::87b4, which is obviously not the address.

Motive and opportunity has already been explained, when it comes to means, the Objective-C code to open a page in iOS Safari from an app would be a single line:

[[UIApplication sharedApplication]
  openURL:[NSURL URLWithString:
  [@"apple.com-freegiveaway.com/sweeps/custom/fi/lp25_46ulp/"]]];

In my opinion an outside threat is not feasible, this had to be an inside job.

The Facts

A simple kick into Google search engine revealed for example Possible Iphone 7 Scam at Apple discussions. This has been going on since July 2015, at least, possibly earlier.

The page I was forced to go was http://apple.com-freegiveaway.com/sweeps/custom/fi/lp25_46ulp/

Couple of queries for the DNS and ICANN whois:

# host apple.com-freegiveaway.com
apple.com-freegiveaway.com is an alias for com-freegiveaway.com.
com-freegiveaway.com has address 54.194.31.154
com-freegiveaway.com has address 54.77.203.0

com-freegiveaway.com:
Registrant Contact
Name: Registration Private
Organization: Domains By Proxy, LLC

At the HTML-source of the freegiveaway.com-page, the redirect to the personal information form is at bit.ly1bdDlXc.com, but the actual form is at forbrugerpost.dk, a Danish domain. Querying for those:

# host bit.ly1bdDlXc.com
bit.ly1bdDlXc.com is an alias for h918i.voluumtrk2.com.
h918i.voluumtrk2.com has address 52.28.97.9
h918i.voluumtrk2.com has address 54.93.143.19
# host trkyad.com
trkyad.com has address 198.254.77.23
# host forbrugerpost.dk
forbrugerpost.dk has address 191.235.217.33
forbrugerpost.dk mail is handled by 10 mail.forbrugerpost.dk.
forbrugerpost.dk mail is handled by 100 backup-mx.zitcom.dk.

ly1bdDlXc.com:
Registrant Contact
Name: Registration Private
Organization: Domains By Proxy, LLC

trkyad.com:
Registrant Contact
Name: H Pieters
Organization: Your Product In Mind

Domain name:    forbrugerpost.dk
DNS:    forbrugerpost.dk
Status:    Active    
Created:    2007/11/07
Registrant:    
Userid:    FA7610-DK
Name:    FORBRUGERPOST ApS
Address:    Skibbrogade 3, 2.
Zipcode & City:    9000 Aalborg
Country:    Danmark
Phone:    +4588888484

IP-address owners:

# geoiplookup 54.194.31.154 54.77.203.0 52.28.97.9 54.93.143.19
GeoIP Country Edition: IE, Ireland
GeoIP City Edition, Rev 1: IE, 07, Dublin, Dublin, N/A, 53.333099, -6.248900, 0, 0
GeoIP ASNum Edition: AS16509 Amazon.com, Inc.

# geoiplookup 198.254.77.23
GeoIP Country Edition: US, United States
GeoIP City Edition, Rev 1: US, CA, California, Newport Beach, 92663, 33.626701, -117.931198, 803, 949
GeoIP ASNum Edition: AS19994 Rackspace Hosting

# geoiplookup 191.235.217.33
GeoIP Country Edition: IE, Ireland
GeoIP City Edition, Rev 1: IE, N/A, N/A, N/A, N/A, 53.347801, -6.259700, 0, 0
GeoIP ASNum Edition: AS8075 Microsoft Corporation

Conclusions: services are running in Ireland, Amazon and Microsoft data centers and Rackspace, California. Domains are hidden behind proxies so, that the real owners of the domains are hidden. Even the Danish one is proxy-owned. About the Dutch one registered to Rotterdam, I'm not sure, that could be a real one. They use it only for redirect, maybe because they don't want to burn that so soon.

The Outcome

For the record, I'm talking about IMDb app version 6.3.1:

And there was no way, I was letting that piece of garbage pop up any more stupid questionnaires:

... the app needed to go. I didn't trust it for a second.

As I can almost hear you screaming already: "But you didn't prove, that it was the IMDb app! All of this is merely a coincidencee".

Sure, that's true. Even with my debugging skills, looking exactly at an app and tracing it in detail would take a very long time. Which in this case I didn't do. However, my proof is in the fact, that I haven't installed any apps for weeks. My Safari didn't display that stupid questionnaire page earier that day, but after installing and running the IMDb app, it did. I'm sure nobody really knows what the app loads and executes, I have proven, that it consumes a lot of data through network.

Also, I'm not a big believeer of coincidences:

Mycroft: “Oh Sherlock. What do we say about coincidence?
Sherlock: “The universe is rarely so lazy.

... there really aren't any.

by Jari Turkia in Security at 18:22 | Comments (4) | Share in LinkedIn
(Page 1 of 1, totaling 1 entries)

Calendar

Mon Tue Wed Thu Fri Sat Sun
Back November '15 Forward
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30            

Quicksearch

Archives

Categories

RSS feeds of this Blog

Blog Administration

Open login screen

Powered by

Parts of this serendipity template are by Abdussamad Abdurrazzaq and Jari Turkia. License