The Mac App Store was supposed to be the place to find and purchase apps for a Mac without having to worry whether the seller, developer, or some other third-party had somehow tampered with the app for nefarious purposes. You also weren’t supposed to need to worry about the download sites being full of ads that could contain malware, ransomware, or other worrisome possibilities.
For the most part, the Mac App Store, along with the other Apple app stores, has lived up to this expectation of being a place where malware and deceptive practices don’t exist. For the most part…
Unfortunately, it’s still advisable to make use of the various stores with caution; not so much about the worry of malware being embedded within an app, though it may happen once in a while, but of scammers trying to acquire personal information by using the Apple stores as bait.
Email Scams Using the App Store as Bait
I just got an email phishing scam this week that pretended to be from Apple, warning me about a purchase I made on the Mac App Store that wasn’t made by a device that Apple recognized. I should, according to this email, use the included link and log in to a special section of the Mac App Store, where I would be asked to verify or cancel the purchase.
What a load of hooey. This email had scam written all over it. Besides its use of long run-on sentences and other grammar faux pas, there were a number of other indicators that can be spotted in most of these email phishing expeditions. Apple even has a guide to help you identify legitimate emails from the App Store.
Another phishing scam making the rounds involves receiving a confirmation note about a subscription you purchased in one of the Apple stores. The text of these subscription scams always starts by confirming a free trial subscription to a service, and notifying you that once the free trial is over, the monthly cost is an absurdly high amount. One current example is a subscription to YouTube Red, at a monthly cost of $144.99. The purpose of this type of scam is to get you to click on the Cancel Subscription link included in the email. Doing so will take you to a site where you’ll be asked to provide your Apple ID or credit card info, or both. Of course, there never was a subscription to the service, but playing on the fear of being billed will lead some people to click that cancel link.
Identifying Phishing or Scam Emails
Here’s an overview of what you should be watching out for:
Duplicate email messages. It’s not uncommon to receive duplicate emails from scammers. Sometimes the messages are from different senders but the content of the email is the same. If you have multiple email addresses, you may also receive the same message at every email account you own. Both of these are a dead giveaway that the email is suspicious.
A banner in the email stating, “This message is from a trusted sender.” The banner attempts to replicate the type of security found in messaging systems that have a safe sender list, or attempts to look like the security shield Microsoft includes in messages sent from an official Microsoft email address to Microsoft email apps. Since the sender is supposed to be Apple, having a Microsoft security shield in the message is a bit of a clue that something is wrong. In addition, if you’re using Apple Mail, it doesn’t generate a safe sender banner. The only purpose of Mail’s safe sender function is to prevent those messages from being swept up in the junk mail system.
Emails from any of the Apple app stores, including iTunes and the iBooks Store, will never ask you to provide personal information via email. This includes your Apple ID, Social Security number, your mother’s maiden name, or any type of credit card information.
If you ever receive an email asking you to update any type of account information, including payment methods, do not use any link contained within the email to access your account data. It’s all too common for a scammer to create a look-alike website that can be used to fool an individual into divulging personal information. Apple doesn’t provide embedded links in their emails; instead, they will ask you to open your web browser and go directly to the appropriate Apple service (Mac App Store/App Store/iTunes/iBooks).
If you’re being asked to change a password or verify Apple ID information, go directly to the AppleID website at appleid.apple.com. Remember, don’t click that link; instead, manually enter it into your web browser.
Speaking of links within an email, in most mail apps, including Apple Mail, you can see the actual web link, as opposed to the linked text, by hovering your cursor over the linked text. The actual web link should be displayed after a second or two.
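The hover check above can be automated. The following is an added example, not code from the article or from Apple: it parses a constructed HTML email body, compares the domain shown in each link’s visible text with the domain the href actually points to, and flags links that mismatch or that do not lead to apple.com. The two-label "registrable domain" heuristic is an assumption made for brevity.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the "verify your purchase" message described
# above; not a real email. The first link shows appleid.apple.com as its text but
# its href leads to an unrelated host. The second link is a genuine-looking one.
SAMPLE_EMAIL_HTML = """
<p>Your purchase was made from an unrecognized device.</p>
<p>Please visit <a href="http://appleid.apple.com.verify-account.example/login">
appleid.apple.com</a> to confirm or cancel the purchase.</p>
<p><a href="https://appleid.apple.com/">Manage your Apple ID</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text))
            self._href = None

def registrable_domain(host):
    # Assumption: the last two labels approximate the registrable domain. This is
    # enough for apple.com; a production tool would consult the public suffix list.
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(html, trusted_domain="apple.com"):
    """Return hrefs whose visible text names a different domain than the href, or
    whose host is not under the trusted domain (here apple.com)."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())  # domain-like text
        mismatch = bool(shown) and registrable_domain(shown.group()) != registrable_domain(host)
        if mismatch or registrable_domain(host) != trusted_domain:
            flagged.append(href)
    return flagged
```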
Rocket Yard author Steve Sande has an excellent article on what to watch out for in email phishing scams. If you would like to know more, I highly recommend reading it: An Annual Reminder: Watch Out For ‘Phishing’ Scams.
If you happen to receive a suspicious email that you think may be a phishing scam using Apple or any of its products or services as bait, you can forward the message to: firstname.lastname@example.org.
What to Do If You Provided Personal Information
If you provided any information to one of these scammers, you should immediately access the real account site and change your password. When you change the password, be sure to use a strong password that isn’t similar to the one you’re changing.
If you provided any banking information, including credit card data, contact the issuing institution, explain what happened, and have the credit card account frozen and a new card issued with new account numbers. If you provided bank account data, contact the bank and have them freeze the account and transfer the assets to a new account.
Don’t forget to update any subscriptions or services that you have set up with automatic payment.
If you visited a suspicious website, which you likely did if you clicked on any links in the email, you may want to scan your Mac with an anti-malware app, such as Malwarebytes Anti-Malware.
Mac App Store Scams
The Mac App Store, as well as the other store services that Apple runs, is pretty good at preventing malware and questionable code from showing up in the apps it hosts. Developers generally don’t want to be blackballed from the lucrative Apple stores, so they have a vested interest in keeping code on the up-and-up. But that doesn’t always include the way apps are marketed within the store.
One common issue has to do with SEO (Search Engine Optimization), which is how apps show up in searches within the app stores. When developers submit an app to the store, they also provide descriptions, titles, and keywords, as well as graphics, such as icons and screenshots, that are used by the store’s search service to display apps that meet the criteria a user is looking for. Unlike an app’s code, this metadata isn’t scrutinized as heavily as the app itself. This allows some less than honorable developers to push their app to the top of the search results, even when the app isn’t a good fit for what is being looked for.
The classic example is to search for Microsoft Excel, a product that isn’t sold via the Mac App Store. Once you enter the search phrase, you’ll see quite a few matches, most of which are offering templates, add-ins, or instructions on use, all of which are legitimate matches to the query. But there are a few whose title or descriptions are deceptive, and could lead you to think you’re actually purchasing Microsoft Excel instead of instructional videos or templates.
You can avoid this possible problem by carefully reading the entire description of the app, as well as reading through the reviews of the app that have been posted by other users.
There are a few steps you can take to help safeguard yourself against online scams:
Unique logins: Use different passwords for all your logins. Should an account become compromised by a scammer discovering your password, only a single account will be affected. Don’t use similar passwords for your accounts. Instead, use a password generator to create random passwords that are difficult to crack, and a password manager to keep track of them for you.
Two-factor authentication: Provided you have a second device that supports an authentication service, turn on two-factor authentication for each account that offers the service. Apple supports two-factor authentication using iOS devices, as well as Macs using OS X El Capitan or later.
Have you seen phishing schemes using the Mac App Store as bait? Or have you encountered any scams or malware within the Mac App Store? Share your experiences in the Comments section, below.