There’s a new, widespread phishing campaign underway that you need to be aware of if you use the Apple App store at all.  At this time, no one knows who’s behind the campaign, but already, a surprising number of people have been taken in by it.

The campaign works like this:

You’ll receive an email that appears to be from Apple confirming your recent purchase of a $30 app.  The email contains a PDF that the sender claims is your receipt.  This is a lie, and once you click on the PDF to see what you supposedly spent money on, they have you.

Clicking on the PDF reveals what appears to be a receipt from Apple.  At the bottom of the PDF, there’s a helpful link with a note that informs users that if they did not authorize this transaction, they can click the link to get a full refund. Clicking on the link brings the user to an exact replica of the Apple Account management portal.

If the user enters their login credentials, they’ll get a message that their account has been locked for security reasons, and informed that they must unlock their account before signing in.  In the user’s mind, this underscores the notion that their account has been compromised, which will prompt them to try and remedy the situation by unlocking their account and changing their password. Unfortunately, this is exactly what the scammers are hoping for.

When a user clicks the “Unlock Account” button they’ll be asked to verify their account information, including their full name, their address, telephone number, social security number, date of birth, payment information, driver’s license and/or passport number, and security questions.

Once they give all this to the scammers, the user will be redirected to the actual Apple account management page. The brilliant (and disturbing) part of this elaborate scheme is that they do so in a way that causes the Apple page to load with a message stating “this session has timed out for your security,” which reinforces the story the user has been given to this point.

You log on normally and see no sign of the previously mentioned charge, so you assume all is well, and it is – except for the fact that you’ve inadvertently handed the scammers everything they need to steal your identity.

If you use the Apple App store even occasionally, be on the lookout for emails like this.  It could cost you more than you realize.