Canadian Apple may be handing over customer data to fraudsters

Or there was a leak at UPS, Apple's shipping partner.

In Canada, air travel is very expensive compared to the U.S. and Europe. To save money, Canadians have to use low-cost carriers: Flair Airlines, Swoop Airlines, Lynx Air, etc. They are usually cheaper than the monopoly Air Canada, but travelers complain about delayed flights and lost luggage.

A friend of mine from Toronto recently flew her family to Vancouver to go skiing. Alas, her luggage was lost, and airline support made no effort to find it. Still, the story ended safely because she had put an AirTag, a tiny Apple device that can transmit location for a year without a battery change, in her shoe. My acquaintance tracked her ski flight and simply came to the airport to the baggage claim counter to claim her loss. And the budget airline never responded...

Buying from the Apple website

I also decided to prepare for domestic air travel and ordered 4 AirTags directly from the Apple website. The reservation system promised free shipping on March 21 via UPS.

On March 13 at 6:03 a.m. I received a text message on my phone about the shipment of my order:

Apple's Confirmation of Shipment

Free shipping became paid

That same day at 11:24 p.m. I received another message from an unknown number about having to pay extra for delivery:

Fake letter from UPS

At first glance, it was from UPS because Apple said it would ship my order by that company. It stated:

  • my full name;
  • delivery postal code;
  • the phone number was also correct, otherwise, I wouldn't receive this message.

There were a few confusing things:

  1. Apple promised free shipping, and here we are talking about $2.89.
  2. The website address looks like UPS, but if you look closely, the site is strange — com-delivery-payment.info, looks like scammers!
  3. The message is written in English with mistakes.
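The second point is the one that can be checked mechanically: what matters is the domain the host name ends in, not whether "ups" appears somewhere in it. The Python sketch below is an added example, not part of the original post. The full link from the message is not shown on the page, so the sample URLs are constructed around the domain quoted above, and the trusted-domain list is an assumption.

```python
from urllib.parse import urlsplit

# Assumption: the only registrable domain the carrier uses in its links.
TRUSTED_DOMAINS = {"ups.com"}
# Brand words a lookalike host is likely to borrow.
BRAND_TOKENS = {"ups"}


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for an SMS link."""
    if "://" not in url:
        url = "https://" + url  # SMS links are often sent without a scheme
    try:
        parts = urlsplit(url)
    except ValueError:
        return "invalid"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "invalid"

    # "https://www.ups.com@other.example/" puts the brand in the userinfo
    # part; the browser connects to the host after the "@". Any userinfo
    # in a delivery link is treated as suspicious here.
    if parts.username is not None:
        return "lookalike"

    # Trusted only if the host IS the domain or a subdomain of it.
    # A plain substring test would accept "ups.com-delivery-payment.info".
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"

    # Split labels on "." and "-" so a borrowed brand word is seen.
    tokens = {t for label in host.split(".") for t in label.split("-")}
    return "lookalike" if tokens & BRAND_TOKENS else "unknown"


# Constructed samples; only the domain in the first two comes from the post.
SAMPLES = [
    "https://ups.com-delivery-payment.info/pay",
    "https://www.ups.com@com-delivery-payment.info/",
    "https://www.ups.com/track",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_link(sample):10} {sample}")
```

A verdict of "unknown" means only that no brand word was found in the host name, not that the link is safe.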

I clicked on the link from my phone since it's safer than from my computer, and the following page showed up:

UPS invoice page

Useless support from Apple

I was beginning to suspect it was a phishing site, disguised as an official UPS site, and the next page would ask me to pay by card. And then the money would disappear, and I would have to spend a lot of time dealing with the bank. But still, I decided to contact Apple support and ask why there was a delivery fee. I was kindly advised to contact UPS support, which I did not do — I already had the experience of waiting on the phone...

A dangerous experiment

I decided to go ahead and click "Continue". I was wrong: they didn't immediately ask for my card number, but first asked for my home address, phone number, email, and date of birth (for delivery!). In short, pretty much all personal information.

Of course, none of the additional links that were shown to make the page look like a UPS site worked.

I entered fake information every step of the way, including my card number, but the site let me through and said the invoice was paid:

Invoice paid successfully

It's funny, but the next day I got another text message from a different phone number. It contained a different UPS website, but the "victim" code was the same:

Another message from UPS

As of this writing, the site is no longer open. But the link from the first hacker post works.

A second chance for Apple

I contacted Apple support again, and this time they didn't immediately send me to call UPS, but I still didn't get any help:

Apple Support

Apple has been hacked!

I firmly believe that Apple or UPS has leaked, and probably still is leaking, data. Let me explain why:

  • The payment was made from another person's card with a different payment address, that is, it is not a leak from the bank.
  • The hacker knew there was a purchase from Apple, and the date of the attack coincided with the date the item was shipped.
  • The scammer knew that shipping was supposed to be done by UPS and made a phishing site for UPS.

Conclusions

Alas, hacker attacks are becoming increasingly sophisticated, and fraud is hard to detect. Even tech giants are vulnerable, and personal data is becoming public.

Alex Pavlenko, founder of Immigrant.Today

  • #Apple
  • #UPS
  • #data breach
  • #fraud