Skip links

Fraudsters abused Apple Stores’ third-party pickup policy to phish for profits

Black Hat Asia Speaking at the Black Hat Asia conference on Thursday, a Korean researcher revealed how the discovery of a phishing operation led to the exposure of a criminal operation that used stolen credit cards and second-hand stores to make money by abusing Apple Stores’ offer to let third parties pick up products.

The Financial Security Institute of South Korea’s Gyuyeon Kim explained that in September 2022 she and another researcher stumbled upon a site that victims of phishing see when they fall for a fake link.

That site offered a facility to pay for goods, giving the phisherfolk a means of stealing credit card details.

Kim and her collaborator found 50 online stores using the fake payment page, plus 8,000 stolen credit cards and over five million stolen pieces of personal information.

“The ultimate objective of this operation was financial gain,” said Kim, going on to explain the how the crims cashed in by new Apple products at discounted prices at online second-hand stores.

When buyers visiting those second-hand stores agreed to buy the Apple kit, the crims would buy it from an Apple store using the stolen credit cards they obtained by phishing.

Here’s the important part: Apple Stores allow pickup of online purchases by a designated third party who did not pay for a product but is authorized by the buyer to take it home after presenting proof of purchase and ID.

The scammers therefore named those who shopped on the second-hand stores as the designated third party.

In the case of a hypothetical $1,000 iPhone sold for $800 on a second-hand store, the scammers would pay for the device with a stolen credit card number obtained through their phishing trip and pocket the $800 paid on the second-hand store.

The researchers named the scheme “Poisoned Apple” and said it targeted residents of Korea and Japan between 2021 and 2023, but that the criminals who ran the campaign have been scheming since 2009 and are still at large.

The researchers believe the baddies are based in China based on hints such as registering a domains through a Chinese ISP.

The researchers also found writing on the dark web in simplified Chinese that was attributed to an email address which was left behind, presumably by mistake, in source code.

The operation was revealed when the researchers discovered a web server that stored scripts that collect stolen information. While the crims used Cloudflare’s content delivery networks to hide their activities under multiple layers of IP addresses, configuration errors exposed their real IP address.

Kim pointed out one notable aspect of the scam was that it circumvented South Korean online payment systems, which she believes are more secure than those elsewhere.

“In other countries, online transactions only require credit card details like card number, expiration date and CVC. Korea requires additional authentication procedures. Authentication here involves various information such as card pin, additional passwords, mobile and even ID number,” stated Kim.

“This will tell you they [the attackers] must have a deep understanding of Korea’s online payments,” she added.

The Register has contacted Apple to understand if it is taking any action to prevent abuse of the third-party pickup designation policy and will report back if there is substantial response. ®