
Korean researcher details scheme abusing Apple’s third-party pickup policy

Speaking at Black Hat Asia on Thursday, a Korean researcher revealed how the discovery of one phishing website led to uncovering an operation whose activities leveraged second-hand shops and included using Apple’s “someone-else pickup” method to cash in.

Working with another researcher, Gyuyeon Kim of South Korea's Financial Security Institute stumbled upon a phishing payment widget in an online store in September 2022. The duo contacted the site to have it removed, but then found the same widget in another online store. Analyzing what the websites had in common led them to discover that the server side was redirecting users to the phishing page at checkout.

They eventually uncovered more than 50 online stores with that same phishing page. Further analysis led them to find upwards of 8,000 stolen credit cards and 5 million stolen pieces of personal information.

“The ultimate objective of this operation was financial gain,” explained Kim, adding that the attackers didn't rely solely on selling card data: they also lured unwitting participants into the scheme through second-hand shop scams.

In one of their second-hand shop schemes, the miscreants offered Apple products at a discounted price. Once the sale was agreed, the scammer would buy the item from Apple with a stolen credit card and name the buyer as the third party authorized to pick it up, so the victim walked out of the store with goods paid for on someone else's card.

Because the scheme lured people on second-hand trading platforms with Apple products, in a nod to the story of Snow White and the Seven Dwarfs, the operation earned the name “Poisoned Apple.”

While Poisoned Apple targeted residents of Korea and Japan between 2021 and 2023, the criminals behind the campaign are believed to have been scheming since 2009 and are still at large.

The researchers believe the baddies are based in China, as they left breadcrumbs along the way, such as registering a domain through a Chinese ISP.

The researchers also found dark web posts written in simplified Chinese that were attributed to an email address left behind, presumably by mistake, in the phishing page's source code.

The operation was unravelled in part when the researchers discovered a web server used to host the scripts and to collect the stolen data. The criminals fronted it with Cloudflare's CDN to hide the origin's real IP address behind the proxy, but made a mistake by installing overshare on the same server, which exposed the real IP address. Fronting a host with a CDN only hides the origin as long as nothing else running on that host gives the address away.

Kim pointed out that one notable aspect of the scam is its weaponizing of Korean online payment systems, which she believes are more secure than those in other countries.

“In other countries, online transactions only require credit card details like card number, expiration date and CVC. Korea requires additional authentication procedures. Authentication here involves various information such as card PIN, additional passwords, mobile and even ID number,” stated Kim.

“This will tell you they must have a deep understanding of Korea’s online payments,” she added.

The Register has contacted Apple to ask whether it is taking any action to prevent abuse of the third-party pickup policy and will report back if there is a substantive response. ®