More than six months after reports of wide-scale compromises of accounts at Apple’s popular iTunes online store, fresh reports suggest that the accounts of iTunes users are again being used to make fraudulent purchases of music, games and other merchandise. Posts in the Apple forums describe a pattern of fraudulent purchases of music and iPhone applications stretching back to November, with one user reporting $980 in phony iTunes purchases.
Apple did not respond to Threatpost requests for information about the hacks.
The incidents, which have been on the increase since the beginning of February, bear similarities to an earlier rash of hacks that came to light in July, 2010. In that case, attackers used compromised iTunes accounts to buy up expensive applications from a number of iPhone application “farms,” many based in China. An account of those attacks, reported by TheNextWeb.com, revealed a connection between application farms associated with a specific developer, Thuat Nguyen, and the fraudulent purchases. Many of the apps released by Nguyen became top-ranked sellers in categories such as Book Apps on the iTunes App Store as a result of the fraudulent buys.
In the latest incidents, which affected iTunes users in the U.S., UK and other countries, the fraudulent purchases again follow a common pattern. Visitors to the Apple Support forums report fraudulent in-game purchases of poker chips for a Texas Hold ’em application credited to the game’s developer, one “Hongbin Sho.” Others report fraudulent application purchases, going back at least to October, 2010, credited to a developer using the handle Lakoo and to Gameislive Corporation Limited.
In many cases, the users report intrusions into their iTunes accounts that drain the balance of iTunes gift cards or, where a credit card is attached to the account, rack up false charges on that card. In other cases, attackers who have compromised an account use it as a front for fraudulent purchases on a third party’s credit card: they wipe out the user’s address and account information, replace it with another cardholder’s details and address, and then make the bogus purchases against that card.
It’s unclear exactly what the connection is between the hacked accounts and the application makers, but the latter group is hardly hiding. The Gameislive.com domain resolves to Lakoo.cn, which contains contact information and links to the various games promoted by Gameislive. The domain itself is registered to a “Lakoo” with a business address in Kowloon, Hong Kong.
The security of mobile application marketplaces has become a sore point for platform vendors like Apple and Google. Anxious to build large ecosystems of games to draw users to their handheld devices, the vendors have been accused of looking the other way at shady practices and shoddy work by developers. At a recent forum hosted by the consulting firm SRA International, experts concluded that there was no easy fix for mobile security, and singled out mobile app stores as an Achilles heel.
Rob Smith, the Chief Technology Officer of Mobile Active Defense, told the audience at the Mobile Security Symposium 2011 that mobile marketplaces encourage users to assume that the applications they download have been vetted and are reliable, when the opposite is often true. Potentially at stake, he warned, is access to corporate assets and data.
Forum users also took Apple to task for a lackluster response to incidents of fraud. In most cases, the company appears to have refunded monies that were lost through the fraudulent purchases. In other cases, however, Apple merely suggested the users change their password or contact the developer in question.