Fraudsters abused Apple Stores' third-party pickup policy to phish for profits

Scam prevalent across Korea and Japan actually had some winners

Black Hat Asia Speaking at the Black Hat Asia conference on Thursday, a Korean researcher revealed how the discovery of a phishing operation led to the exposure of a criminal operation that used stolen credit cards and second-hand stores to make money by abusing Apple Stores’ practice of letting third parties pick up purchases.

The Financial Security Institute of South Korea's Gyuyeon Kim explained that in September 2022 she and another researcher stumbled upon a site that victims of phishing would see when they fell for a fake link.

That site offered a facility to pay for goods – giving the phisherfolk a means of stealing credit card details.

Kim and her collaborator found 50 online stores using the fake payment page, along with 8,000 stolen credit cards and over five million stolen pieces of personal information. But simply stealing credit cards was only one piece of the plan.

"The ultimate objective of this operation was financial gain," explained Kim – the crims cashed in by selling new Apple products at discounted prices at online second-hand stores.

When buyers visiting those second-hand stores agreed to buy the Apple kit, the crims would buy it from an Apple Store using the stolen credit cards.

Here's the important part: Apple Stores allow pickup of online purchases by a designated third party – someone who did not pay for a product, but is authorized by the buyer to take it home after presenting proof of purchase and ID.

The scammers therefore bought iThings with stolen credit cards and named those who shopped on the second-hand stores as the designated third party.

For example, a $1,000 iPhone might be sold for $800 on a second-hand store. The scammers would pay for the device with a stolen credit card number obtained through their phishing trip and pocket the $800 the buyer paid on the second-hand store.

The researchers dubbed the scheme "Poisoned Apple" and said it targeted residents of Korea and Japan between 2021 and 2023. They also revealed that the criminals who ran the campaign had been scheming since 2009 and are still at large.

The researchers believe the baddies are based in China – based on hints such as registering a domains through a Chinese ISP. They also found writing on the dark web in simplified Chinese that was attributed to an email address which was left behind – presumably by mistake – in source code.

The operation was revealed when the researchers discovered a web server that stored scripts the crims used to collect stolen information. While the perps used Cloudflare's content delivery networks to hide their activities under multiple layers of IP addresses, configuration errors exposed their real IP address.

Kim pointed out one notable aspect of the scam was that it circumvented South Korean online payment systems, which she believes are more secure than those elsewhere.

"In other countries, online transactions only require credit card details like card number, expiration date and CVC. Korea requires additional authentication procedures. Authentication here involves various information such as card PIN, additional passwords, mobile and even ID number," explained Kim.

"This will tell you they [the attackers] must have a deep understanding of Korea's online payments," she added.

The Register has contacted Apple to understand if it is taking any action to prevent abuse of the third-party pickup designation policy, and will report back if there is substantial response. ®

More about


Send us news

Other stories you might like