Thank you for buying iTunes Gift Certificate! – Virus

Another day, another minor twist on the virus attachment emails. This week it’s back to the bogus  “iTunes” certificate confirmations:

Subject:      Thank you for buying iTunes Gift Certificate!

Emails come from spoofed sending addresses, such as From:

  • “Your iTunes Store” <support@itunes.com>
  • “iTunes Online Store” <internet.shop@itunes.com>
  • “iTunes Store” <customer.service@itunes.com>
  • “iTunes Online Products” <customer.service@itunes.com>
  • “Your iTunes” <gifts.support@itunes.com>
  • “iTunes Products” <customer.service@itunes.com>

When in reality all of these (and many others, see the end of this post) come from already infected personal computers from across the globe.

The email message itself is pretty simple:

Hello!

You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

iTunes Store.

Attached are two files:

  • iTunes_certificate_247.zip
  • iTunes_certificate_247.exe

Naturally, the attachments will deliver virus payloads if run by the curious recipient. Also be aware the number in the attachment name can change in an effort to avoid spam filtering systems.

A few other spoofed sending addresses for this virus campaign:

  • “iTunes Online Products” <account@itunes.com>
  • “iTunes Online Products” <online.software@itunes.com>
  • “iTunes Online Products” <shop.order@itunes.com>
  • “iTunes Online Products” <store.order@itunes.com>
  • “iTunes Online Products” <technical.support@itunes.com>
  • “iTunes Online Products” <support@itunes.com>
  • “iTunes Online Store” <account@itunes.com>
  • “iTunes Online Store” <certificate.support@itunes.com>
  • “iTunes Online Store” <certificate@itunes.com>
  • “iTunes Online Store” <consultants@itunes.com>
  • “iTunes Online Store” <gifts.certificate@itunes.com>
  • “iTunes Online Store” <gifts@itunes.com>
  • “iTunes Online Store” <internet.shop@itunes.com>
  • “iTunes Online Store” <online.software@itunes.com>
  • “iTunes Online Store” <online.store@itunes.com>
  • “iTunes Online Store” <online.support@itunes.com>
  • “iTunes Online Store” <products.support@itunes.com>
  • “iTunes Online Store” <products.support@itunes.com>
  • “iTunes Online Store” <products@itunes.com>
  • “iTunes Online Store” <shop.order@itunes.com>
  • “iTunes Online Store” <technical.support@itunes.com>
  • “iTunes Products” <online.services@itunes.com>
  • “iTunes Products” <shop@itunes.com>
  • “iTunes Products” <technical.support@itunes.com>
  • “iTunes Store” <gifts.support@itunes.com>

- -

OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.

Tags: ,

30 Responses to “Thank you for buying iTunes Gift Certificate! – Virus”

  1. Rezz says:

    I just got that message, lol could someone report them thanks

  2. Steve D - Brisbane says:

    Just got one too – lucky my wife didn’t get there first!!

    it read…

    —– Original Message —–
    From: iTunes Online Products
    To: xxxxxxxxxxxxxx
    Sent: Wednesday, May 26, 2010 6:40 PM
    Subject: Thank you for buying iTunes Gift Certificate!

    Hello!

    You have received an iTunes Gift Certificate in the amount of $50.00
    You can find your certificate code in attachment below.

    Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

    iTunes Store.

  3. seth says:

    thank you so much. knew it sounded fishy. wasn’t too pumped anyway, since i don’t really use itunes. again, thanks! :)

  4. Mazdarelda says:

    consultants@itunes.com – just got one from here too- thanks for puitting this list up!!

    was nearly duped!

  5. wiesli says:

    Hello,

    just have thus one mail preserved. Here thank you a little bit recherche I have landed. Your tips and information have me probably before damage preserved.

    For it I say THANKS.

  6. Tim says:

    Just had this one today from gifts.certificate@itunes.com . Thank you so much for posting this information. I was suspicious, but was not sure until today. I was looking at itunes yesterday, so it was a strange coincidence.

  7. Shirley says:

    I received that email this morning and thought it looked suspicious b/c of the attachment so I didn’t open the attachment. If someone wanted to give me a gift certificate, the code would be in the email and not an attachment.

  8. trista tyler says:

    Mine is from your.support@itunes.com – thanks for the easy to find info!

  9. John says:

    just recieved that bull in the morning….

    your.support@itunes.com

    within it was adressed @ stehpie_koller@web.de

    greetings from germany :)

  10. Sarah says:

    got one from products.support@hotmail.com.uk

    thank god i got suspicious enough and found this blog.

    awesome.

  11. Lisa says:

    I got one from products@itunes.com. I don’t use itunes, but my son visited a site (on my puter) yesterday that does. I agree w/ Tim…strange coincidence. Reported it.

  12. Adrian says:

    I just got one and I opened it! Nothing happened, an error popped up. But maybe something did happen and I don’t know?

    What do I do?
    And how do I report it?

  13. masterpiece says:

    …use mac snow leopard and unfortunately opened the .exe-file. can anybody tell me if a mac could be infected? or just a pc?

  14. For this campaign we’re under the impression that it only affects Windows machines.

  15. The “error” you reference could be an actual error… ie the file was corrupt.

    However, it could also (and perhaps more likely) have been a false message designed to conceal the action of the program. In other words, making you think there was an error and nothing happened, when in fact the code infected your system as designed.

    The only real recourse is to either attempt a fresh install of a good AV program (many Trojans and Viruses disable existing AV scanners) or hire a professional.

  16. mochambers says:

    opened the .zip on snow leaopard – .exe contained – only a windows virus

  17. Henning Uhle says:

    Hi,

    I posted a German blog entry to discuss with users in the German speaking area:

    http://www.henning-uhle.eu/informatik/vorsicht-vor-itunes-geschenken

    Best wishes,
    Henning Uhle

  18. Stefan says:

    which virus is in iTunes_certificate_247.zip?????

  19. Depending on who’s classification you use, it’s in the Win32.Rbot, W32.Spybot, W32/Sdbot, WORM_RBOT family of Trojan/Worm.

  20. Andi says:

    I just got this one this morning at my office email. It came from certificate@itunes.com. Thanks for the post It saved me and the company lots of headaches

  21. Melissa says:

    omg i got that too i got excitedd :P

  22. cool2aqua says:

    got one from shop.order@itunes.com today . got suspicios bcoz didn’t have email abhiforever@ymail.com and it was sent to that. thanx

  23. annamei says:

    got it today too:

    From: iTunes Store [mailto:gifts.support@itunes.com]
    Sent: Thursday, May 27, 2010 6:59 PM
    To: Anna xxxxx
    Subject: Thank you for buying iTunes Gift Certificate!

    Hello!

    You have received an iTunes Gift Certificate in the amount of $50.00
    You can find your certificate code in attachment below.

    Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

    iTunes Store.

  24. mayA says:

    received 2 this morning. Isn’t there a way they can be stopped? Don’t they have anything better to do than pass out virus’? I also get ones pretending to be ups or dhl with the attachment. So beware of those also.

  25. Arch Ecker says:

    I, too, got one today. I scanned it with Trend Micro and it came up clean. I still didn’t open it. What really clued me in was even though I just downloaded iTunes yesterday, this e-mail came to a different e-mail address.

    Look at all of our comments… all within the last two days. Amazing.

    Happy Memorial Day, everyone!

  26. Stephanie says:

    My mother got the same email yesterday and forwarded it to me, saying that she wasn’t sure if it was kosher or not. Thankfully I found this blog and I’ve just told her to delete the email.

  27. Ryan says:

    Thank you! I almost opened this email. :P You’re my savior!

  28. joe says:

    Since it was my birthday a couple of days ago, I thought there might be a possibility it was real. but I could not think of anyone who would give me a 50 dollar gift certificate so I checked on google first and found this site.

    thanks for the info, I will not open it.

  29. Hutchinson says:

    I use Linux & scanned the .exe with ClamTk & it said possible Trojan etc .
    So it defineltly pays to have some kind of virus tool even if its a Portable like Clam.
    As I was tempted to open it .

  30. Devin says:

    Mine Said: Hello! You have received an iTunes Gift Certificate in the amount of $100.00 You can find your certificate code in link below. http://66.71.251.165/itune.rar Then you need to open iTunes. Once you verify your account, $100.00 will be credited to your account, so you can start buying music, games, video right away. Itunes Store.

    I was confused because I have no idea why I would be getting a gift certificate without someone telling me and the URL looked weird so I googled it and found this blog. THANKS!!!!!!!