Cybercriminals are using an old trick to encourage Apple iTunes users into downloading malware onto their Windows machines. Their ultimate goal is to steal money from your bank account, judging by the Trojan being pushed in the spam, but to do so a lot of pieces have to fall neatly into place.

This one is quite an elaborate attempt, so let’s break it down. First off, the whole scam campaign starts with a fake Apple iTunes invoice for a $699.99 postcard, according to Sophos:

appleblackhole1 500 Cybercriminals use fake Apple iTunes invoices and IRS warnings to infect Windows users with malware

Right off the bat, you can see that there’s a bug in the code, since the Windows variable “%email%” isn’t revolving to the victim’s email address. Nevertheless, if you somehow fall for this social engineering, you’ll likely end up clicking on one of the included links.

The “View/Download” one ends in download.jpg.exe while the “Cancel” and “Not your order” URLs end in check.php. If you try to navigate to either of them, you’ll be taken to this odd prompt informing you, incorrectly, that the IRS is warning you of using an supported browser.

appleblackhole2 500 Cybercriminals use fake Apple iTunes invoices and IRS warnings to infect Windows users with malware

Spell checking aside, it doesn’t matter if you believe the IRS scam or not: if your computer is vulnerable to the Blackhole Exploit Kit, the most popular Web threat tool for distributing various types of malware via multiple known exploits in popular software (such as Oracle Java, Adobe Flash Player and Adobe Reader above ), it will be infected. If you’re running a solid security solution, and have patched your software with the latest updates, you should be fine.

If Blackhole fails, you can still be infected with malware if you believe the IRS scam. Clicking to get an “up to date” version of any of the above browsers simply downloads a file called “update.exe” which is the Zeus Trojan.

Zeus is a very popular threat designed to log your keystrokes. Sophos warns that if your bank credentials are logged by cybercriminals pushing this attack, your bank account could then be drained.

This is very unlikely, as outlined above. Here is what needs to happen for your money to be stolen: you have to click on the links in question, your computer has to be vulnerable to the attack or you have to download and execute the malware, and then you have to login to your bank account online. Assuming the whole scheme works, and the cybercriminal is looking to steal your credentials, he or she then needs to be able to steal your money without getting caught.

Regardless of how unlikely the end result is, your computer can still get infected with malware rather easily. To protect yourself, install the latest patches for your operating system and software, and don’t click on links in suspicious emails.

Image credit: Ines Teijeiro