In 2022, two cybersecurity researchers uncovered a scheme that exploited Apple’s third-party store pickup service to gain financially through second-hand stores and the theft of banking data from other victims on fraudulent websites. The scam involved fraudulent pages that mimicked legitimate ones to steal personal and banking information from over 50 digital stores.
To cover their tracks, the cybercriminals used evasion tactics and vulnerabilities until the scheme was detected by researchers from the South Korea Financial Security Institute. Instead of selling the stolen data on the dark web, the cybercriminals opted for a more innovative approach. They posted discounted offers for new products on second-hand websites and engaged in chat conversations with interested buyers to arrange for in-person pickups. Using the stolen card data, they made purchases from the online Apple Store with the real prices, opting for pickup by another person. The buyer would then send the agreed-upon amount to the cybercriminals’ account, allowing them to profit from the purchases made with stolen card information.
The scheme was cleverly designed to deceive consumers and facilitate fraudulent payments in a unique way. By leveraging the ‘collection by someone else’ feature of the online Apple Store, the cybercriminals were able to operate under
:quality(75)/cloudfront-us-east-1.images.arcpublishing.com/elcomercio/SHZS63UVUVBIHKYXCRRMDXZQHI.jpg)
