Black Hat Asia

Speaking at the Black Hat Asia conference on Thursday, a Korean researcher revealed how the discovery of a phishing operation led to the exposure of a criminal operation that used stolen credit cards and second-hand stores to make money by abusing Apple Stores’ practice of letting third parties pick up purchases.

The Financial Security Institute of South Korea’s Gyuyeon Kim explained that in September 2022 she and another researcher stumbled upon a site that victims of phishing would see when they fell for a fake link.

That site offered a facility to pay for goods – giving the phisherfolk a means of harvesting credit card details.

Here’s the important part: Apple Stores allow pickup of online purchases by a designated third party – someone who did not pay for a product, but is authorized by the buyer to take it home after presenting proof of purchase and ID.

The scammers therefore bought iThings with stolen credit cards and named the people who had bought from them on the second-hand stores as the designated third party.

For example, a $1,000 iPhone might be sold for $800 on a second-hand store. The scammers would pay for the device with a stolen credit card number obtained through their phishing trip and pocket the $800 the buyer paid on the second-hand store.

The researchers dubbed the scheme “Poisoned Apple” and said it targeted residents of Korea and Japan between 2021 and 2023. They also revealed that the criminals who ran the campaign had been scheming since 2009 and are still at large.

The researchers believe the baddies are based in China – based on hints such as domains registered through a Chinese ISP. They also found writing on the dark web in simplified Chinese that was attributed to an email address which was left behind – presumably by mistake – in source code.

The operation was revealed when the researchers discovered a web server that stored scripts the crims used to collect stolen information. While the perps used Cloudflare’s content delivery network to hide their activities behind multiple layers of IP addresses, configuration errors exposed their real IP address.
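The leak described above is the general failure mode of fronting a server with a CDN: the CDN only hides the origin if the origin refuses to talk to anyone but the CDN. As an added illustration (not code from the talk, the researchers or Cloudflare), the following Python sketches the check a defender would put in front of an origin, and an audit over access-log lines that flags requests which arrived without passing through the CDN. The CDN prefixes, the log lines and the function names are all constructed for the example; a real deployment would load the CDN's currently published prefixes instead.

```python
import ipaddress
from typing import Iterable

# Constructed placeholder prefixes standing in for the CDN's published
# egress ranges (a real deployment loads the CDN's current list).
CDN_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def is_from_cdn(client_ip: str) -> bool:
    """True if the TCP peer address belongs to one of the CDN prefixes."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed address: never treat it as the CDN
    return any(addr in net for net in CDN_RANGES)


def should_accept(client_ip: str) -> bool:
    """Origin policy: serve only requests whose peer is the CDN.

    Anything else is a direct hit on the origin, which is exactly the
    traffic that reveals the real address behind the CDN."""
    return is_from_cdn(client_ip)


def direct_hits(log_lines: Iterable[str]) -> list[str]:
    """Scan combined-format access log lines (peer IP is the first field)
    and return every peer address that bypassed the CDN.

    A non-empty result means the origin is reachable directly, so its
    address is effectively exposed regardless of the CDN in front of it."""
    hits = []
    for line in log_lines:
        peer = line.split(" ", 1)[0]
        if peer and not is_from_cdn(peer):
            hits.append(peer)
    return hits


# Constructed sample log lines: two requests via the CDN, two direct.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:00:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '192.0.2.55 - - [01/Jan/2024:00:00:02 +0000] "GET /login HTTP/1.1" 200 88',
    '203.0.113.9 - - [01/Jan/2024:00:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 12',
    '192.0.2.55 - - [01/Jan/2024:00:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip in direct_hits(SAMPLE_LOG):
        print("direct origin access from", ip)
```

In practice the same allowlist belongs in the host firewall or the origin's reverse proxy rather than in application code, so that a direct connection is dropped before any HTTP response (and any server banner) is returned; the log audit is the cheap way to find out whether that rule is actually in place.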