Creative online crooks have been targeting -- and successfully ripping off -- Apple gift card holders for more than a month, according to security software vendor Symantec.
The phishing scam requires a little bit of luck for the bad guys and lot of naivety on the part of the card holder. The con artists set up a phishing site using a typosquatted URL -- a URL that's a deliberate misspelling of Apple or some derivation of Apple's online store -- and then lies in wait for those folks who hastily typed in the erroneous address.
Once the page is loaded, the bogus site appears to be a legitimate Apple site, complete with the correct customer support phone number and the same look and feel of Apple's consumer Web sites.
With the hook baited, the crooks try to reel in consumers by providing what looks like a safe and simple way for card holders to check the balance on their Apple gift cards. It includes a field for the 16-digit card number and the eight-digit PIN number.
For those unfortunate enough to fall for the ruse, the site returns an error message after the card and PIN number are entered. It also advises users to contact customer support for help.
Meanwhile, whatever balance was on the gift card is likely long gone before the customer even has a chance to dial the customer service number.
"The customer care number provided was valid in order to help the fraudulent site look authentic," Symantec officials wrote in a blog posting. "With stolen gift card numbers, fraudsters can shop with the entire balance available on each card."
Apple (NASDAQ: AAPL) officials were not immediately available for comment.
This isn't the first phishing scam to use gift cards and a popular retail brand to fleece unsuspecting Internet users.
Last month, a Facebook-based phishing scam took advantage of an unknown number of health food fans by promising a $500 gift card to upscale grocer, Whole Foods, through the social networking site's fan pages.
Instead of receiving five c-notes for organic fruits and vegetables, victims had their PCs and mobile devices infected by malware that attempted to steal their personal information and turn their computers into spam-distributing botnets.
The FBI said Internet users should expect more of these brand-based phishing scams for the foreseeable future. The agency's latest cybercrime report found that new identity theft and phishing complaints surged more than 22 percent last year to more than 336,000 new cases and it expects those figures to continue to rise sharply throughout 2010.
Symantec (NASDAQ: SYMC) security officials advised users to always avoid clicking on links or attachments contained in any unsolicited e-mails, regardless of whether or not the sender appears to be familiar or legitimate.
Also, users should always double-check the name of the Web site in their browser before entering any personal information, just in case they have accidentally misspelled the address or have been redirected to a malicious site.