A Hong Kong-based developer of games for mobile devices says that its online multiplayer games are being besieged by users making fraudulent purchases from compromised iTunes accounts, and that iPhone maker Apple has turned a deaf ear to its efforts to cut off the bogus activity.
In an e-mail interview with Threatpost, Ted Kong, a marketing executive at Lakoo, wrote that fraudulent transactions account for as many as four of every ten in-application purchases in the iOS versions of his company’s multiplayer games. The bad purchases, and user complaints about them, are in danger of damaging Lakoo’s brand, but Kong said his 11-year-old company, which is backed by Sequoia Capital, has been unable to get cooperation from Cupertino-based Apple in addressing the fraud.
Apple did not respond to numerous phone and e-mail requests for comment on the fraudulent purchases.
Lakoo is the publisher of Empire Online, a massively multiplayer online role-playing game (MMORPG) with more than 5 million registered users. The version of the game that runs on Apple’s iOS mobile devices has around 200,000 registered users.
Lakoo’s name, and that of its Gameislive brand, turn up frequently in support forums for iTunes users, where irate users have been complaining about unauthorized charges and in-application purchases (IAPs). Typical is a complaint posted by “daven4567” from Australia on February 23:
“Woke yesterday morning to see an iTunes receipt with almost identical transactions… 2 ‘free apps’ from Lakoo ‘online v2.3’ followed by two ‘in app purchases’ of $23.99 each.”
Lakoo is by no means the only company whose apps have become a vehicle for fraudulent purchases. Applications from a wide range of mobile app vendors in China, the EU and the U.S. show up on receipts for unauthorized purchases, along with iTunes gift cards in varying amounts. Some users writing in Apple’s support forums report hundreds of dollars in music, mobile apps and gift cards charged to their accounts.
The fraudulent purchases have been an issue for Lakoo since they started cropping up in September 2010, Kong said. Lakoo shared a December 17 e-mail from Ken Lee, Lakoo’s senior development manager, to Apple’s Development Support e-mail address, in which the company sought guidance on halting the fraudulent purchases.
“Many people are complaining on the comments page of (Empire) Online in the UK Apps Store that their Apple ID has been hacked and bought our IAP without even downloading or installing our app,” Lee wrote. “We are facing difficulties since it is hard to trace the violators’ behavior upon purchasing IAP since information that can lead to clues is cut off as soon as it leads to the App Store.”
“As a developer, we are not the right party to help with the refund of the victims as Apple is the ‘agent’ for selling the IAPs (in-application purchases),” Kong wrote Threatpost on March 2. “In most cases Apple would arrange the refund in a couple of days. Occasionally, some victims are reluctant to contact Apple and we have initiated a refund from our side too,” he wrote.
Lakoo first contacted Apple about the fraud in November. In December it issued a statement to customers saying that the company had no role in the fraudulent purchases and considers unauthorized in-application purchases illegal and strictly prohibited. At the time, the company said it was “investigating on (sp) this matter, along with Apple.”
That communication has been one-sided, Kong told Threatpost.
“We have contacted Apple for the unauthorized IAPs since Nov 2010 but until now we have not received any concrete reply from them,” he wrote.
Kong said Lakoo was also a victim of the unauthorized IAPs. “At our side, we are developing in-game measures to restrict suspicious now and some have been put into our game already.”
It was not clear what those measures are, nor is there any indication that they have stemmed the fraudulent purchases.
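Lee’s e-mail quoted above describes one signal a developer can check on its own servers without Apple’s help: a receipt for an IAP arriving for an Apple ID that has never downloaded, installed or launched the game, and the forum complaint above adds a second, namely duplicate purchases of the same item minutes apart. The following Python is an added illustration of an in-game check built on those two signals. It is not Lakoo’s measure (the article does not say what those are), and the account identifiers, product IDs, thresholds and the receipt/launch records are all constructed for the example.

```python
"""Flag IAP receipts that match the fraud pattern described in the article.

Added illustration, not Lakoo's code. Two signals are checked:
  1. the buying account has no launch of the game on record, or the
     purchase predates its first launch ("bought our IAP without even
     downloading or installing our app");
  2. several purchases of the same product land on one account inside a
     short window (the two $23.99 items on the forum receipt).
All identifiers, thresholds and sample records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Receipt:
    transaction_id: str
    account: str            # opaque game-side id tied to the buyer's Apple ID (assumed)
    product_id: str
    purchased_at: datetime
    price_usd: float


# Constructed sample: when each account first launched the game (None = never).
FIRST_LAUNCH: dict[str, Optional[datetime]] = {
    "acct-A": datetime(2011, 2, 1, 9, 0),
    "acct-B": None,
    "acct-C": datetime(2011, 2, 23, 3, 5),
    "acct-D": datetime(2011, 1, 15, 12, 0),
}

# Constructed sample receipts. acct-C mirrors the forum complaint: two
# purchases of the same item within minutes of the first launch.
RECEIPTS = [
    Receipt("t1", "acct-A", "gold_1000", datetime(2011, 2, 20, 14, 0), 23.99),
    Receipt("t2", "acct-B", "gold_1000", datetime(2011, 2, 23, 3, 10), 23.99),
    Receipt("t3", "acct-C", "gold_1000", datetime(2011, 2, 23, 3, 6), 23.99),
    Receipt("t4", "acct-C", "gold_1000", datetime(2011, 2, 23, 3, 7), 23.99),
    Receipt("t5", "acct-D", "gold_1000", datetime(2011, 1, 15, 11, 0), 23.99),
]


def classify_receipt(receipt: Receipt,
                     first_launch: dict[str, Optional[datetime]],
                     prior_receipts: list[Receipt],
                     min_play: timedelta = timedelta(hours=1),
                     burst_window: timedelta = timedelta(minutes=15),
                     burst_limit: int = 2) -> tuple[str, str]:
    """Return ("accept" | "review" | "reject", reason) for one receipt.

    prior_receipts must contain only receipts dated at or before this one.
    Thresholds are illustrative defaults, not values from the article.
    """
    launched = first_launch.get(receipt.account)
    if launched is None:
        return "reject", "no launch of the game on record for this account"
    if receipt.purchased_at < launched:
        return "reject", "purchase predates the account's first launch"

    # Burst check: same product, same account, inside the window.
    same = [r for r in prior_receipts
            if r.account == receipt.account
            and r.product_id == receipt.product_id
            and receipt.purchased_at - r.purchased_at <= burst_window]
    if len(same) + 1 >= burst_limit:
        return "review", (f"{len(same) + 1} purchases of {receipt.product_id} "
                          f"within {burst_window}")

    # New-account check: purchase very soon after the first launch.
    played = receipt.purchased_at - launched
    if played < min_play:
        return "review", f"purchase {played} after first launch (under {min_play})"
    return "accept", ""


def classify_all(receipts: list[Receipt],
                 first_launch: dict[str, Optional[datetime]]) -> dict[str, tuple[str, str]]:
    """Classify receipts in time order so the burst check sees earlier ones."""
    verdicts: dict[str, tuple[str, str]] = {}
    seen: list[Receipt] = []
    for r in sorted(receipts, key=lambda r: r.purchased_at):
        verdicts[r.transaction_id] = classify_receipt(r, first_launch, seen)
        seen.append(r)
    return verdicts


if __name__ == "__main__":
    for tx, (verdict, reason) in classify_all(RECEIPTS, FIRST_LAUNCH).items():
        print(f"{tx}: {verdict:7} {reason}")
```

Only the game server can make this check, because it is the only party that sees both the receipt and the play history; Apple sees only the purchase. Rejected receipts still need to be handled with the refund path described below, since the cardholder is a victim either way.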
The source of the hacked accounts isn’t clear. Kong said that Lakoo’s data on victims suggests no clear pattern: victims have both unmodified and jailbroken iPhones, are scattered around the globe, and have had both credit cards and gift cards used to make the fraudulent purchases, though gift cards are more common.
Jeremiah Grossman, CTO of Web security firm WhiteHat Security, said he doubts that a large-scale compromise of Apple’s iTunes database is the source. The online music service counts more than 500 million users and 1 million software downloads a day. If a large-scale hack had occurred, Grossman said, victims would be coming out of the woodwork rather than washing up in support forums.
A possible source could be vulnerabilities on Apple’s Web site: iTunes gift cards are a common thread among victims, and some have speculated that the gift card generation feature is susceptible to attack. Alternatively, attackers could be exploiting flaws in the iTunes software or the iOS operating system. Apple earlier this week issued a patch for some 60 bugs in iTunes, including some that are remotely exploitable. On Thursday the company also released iOS 4.3, which fixes critical security holes in that platform.
Without guidance from Apple on the source of the hacks, users are left to speculate and scrutinize their accounts for bogus activity.
“The way that I’m treating this is that Apple has a problem so I’m not keeping any financial info in it,” said Terry Coffey, an iTunes user from Anchorage, Alaska, whose account was hacked. “If I need to make a purchase, I’ll add the information at that point.”