Terry Coffey of Anchorage, Alaska, said that he first became aware of a problem with his iTunes account when he received a receipt for a $50 iTunes gift card purchase. Coffey, who says he's careful with his money, was immediately suspicious and investigated the charge, but couldn't find any record of it on any of his credit card statements. A closer look at his iTunes account revealed why: unknown assailants had seized control of his account and modified the credit card information associated with it. A different credit card number had been listed, and Coffey's address had been changed from Anchorage to a city in Tennessee. The fraudulent credit card account was used to purchase the gift card as well as a single iTunes song, Coffey said.
Coffey, who spoke to Threatpost in March, said his efforts to resolve the issue with Apple haven't been successful so far. Now, with his account disabled because of the fraud, he has been unable to download songs or applications, or to access the iTunes store from his Apple laptop or iPhone. He said he expects to get his account reinstated eventually, but is wary of trusting iTunes with sensitive information.
"The way that I'm treating this is that Apple has a problem so I'm not keeping any financial info in it. If I need to make a purchase, I'll add the information at that point."
News of Apple Corp.'s high-profile product releases, the health travails of its CEO, Steve Jobs, and the company's hard-fought rise to become the most valuable tech firm in the world have dominated news headlines for the past year. But behind the scenes, a growing population of customers are stepping up to say that they've been victims of what appears to be widespread fraud aimed at users of Apple's ubiquitous iTunes platform, and to complain that the Cupertino, California company renowned for its user-friendly products has been close-lipped, if not hostile, about their complaints.
Reports of fraudulent iTunes purchases have been in the news for more than six months, starting when a rash of user complaints drew media attention to compromised accounts in June and July, 2010. An investigation by Web sites like TheNextWeb.com uncovered so-called "app farms": constellations of dubious mobile applications, often created by a single designer, and purchased from hacked accounts. In certain cases, the volume of those purchases was enough to push the questionable applications onto iTunes' list of top applications.
Since then, there have been other signs of smoke. In January, AFP reported that 50,000 iTunes accounts were being auctioned on Taobao, a huge online auction site in China. After dying down, customer complaints about hacked accounts in Apple support forums picked up again in January and February.
The exact number of victims is unclear. Apple hasn't issued a public statement to explain the source of the account compromises, preferring to make restitution to individual victims. On the company's customer support forums, posts from victims are numerous. One support thread, "iTunes Account Hacked," has 193 posts dating back to November, 2010. Most read like the account of the user with the handle Brad P, who described his experience in an e-mail message to Threatpost.
“Gift card on file, someone gains access to your account, the gift card is the common link. They buy a bunch of stuff, usually depleting the balance. Apple responds to your email, saying this refund is an exception and a one time thing. They didnt (sp) answer ANY of my questions, refunded the wrong amount, locked my account with out my knowledge, told me do things like change my password, AFTER i told them ive (sp) changed my password. (That was bizarre.)”
Brad P asked that we not use his real name for fear of retaliation from Apple. He said that he sensed Apple was using automated responses to complaints about account fraud. “Basically its a computer programmed response, I think,” he wrote. “At one point, I thought i was emailing the hacker, because the responses were so strange.”
One problem is that Apple’s forum administrators have been known to delete posts by victims and others attempting to gather information on the extent of the problem, declaring those posts “off topic,” “non-technical” and in violation of the terms of use for its support forums. Out of frustration, some users have turned to other forums. A Facebook group, “iTunes Account Hacked!” now has 43 members.
In the absence of news from Apple, victims have formed their own theories about what is going on. Some contend, in line with Apple's own support engineers, that the iTunes victims' accounts were protected by weak passwords that were guessed in a brute force or dictionary attack. Others have theorized that victims reused passwords with other social media or Web-related accounts that were compromised. But numerous victims say that theory doesn't hold water: they used strong passwords and didn't reuse them.
Other victims point to rogue application developers as the source of the fraudulent activity. There's good reason for this: almost all victims report that their compromised accounts were used to purchase applications or make in-application purchases of virtual goods, leveraging attached credit cards, plugging in credit card information stolen from an unknown third party, and/or draining any available iTunes gift card balances. By this theory, rogue developers have planted malicious code in legitimate-seeming applications engineered to phish for, and then steal, user logins.
There's anecdotal evidence to support that version of events. In March, 2009, Apple patched an iTunes password-stealing hole, which the company described as a "design issue," that was linked to attacks that prompted users to re-enter their password when downloading a corrupted audio podcast file. Some forum users who complain of account breaches report incidents in which they were prompted to re-enter their iTunes password, and even their mailing address, before downloading an application.
That same month, the company was forced to respond to reports of a hack of the iTunes gift card system that was being exploited by credit card thieves who wanted to cash out stolen credit card numbers, a behavior that would explain victim reports of third-party credit card numbers being substituted for their own credit card account information.
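The takeover pattern the victims describe above (a new card attached, the billing address moved to another region, then gift card or app purchases within hours) is the kind of sequence a payments team would score for review. The following is an added illustration, not code from Threatpost or from Apple; the event format, the 24-hour window, the weights and the alert threshold are all assumptions, and the event log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data), modelled on the takeover pattern
# the victims describe: a new card is attached, the billing address is moved
# to another state, and a gift card is bought within hours.
EVENTS = [
    {"ts": "2011-02-10T08:00", "acct": "u1", "type": "payment_method_changed"},
    {"ts": "2011-02-10T08:03", "acct": "u1", "type": "address_changed", "from": "AK", "to": "TN"},
    {"ts": "2011-02-10T09:10", "acct": "u1", "type": "purchase", "item": "gift_card", "amount": 50.0},
    {"ts": "2011-02-10T09:12", "acct": "u1", "type": "purchase", "item": "song", "amount": 0.99},
    {"ts": "2011-02-11T12:00", "acct": "u2", "type": "purchase", "item": "song", "amount": 0.99},
    {"ts": "2011-02-12T12:00", "acct": "u3", "type": "address_changed", "from": "CA", "to": "CA"},
    {"ts": "2011-02-20T12:00", "acct": "u3", "type": "purchase", "item": "app", "amount": 2.99},
]

WINDOW = timedelta(hours=24)  # assumed: how long a profile change stays "fresh"
ALERT_THRESHOLD = 4           # assumed cut-off for routing an account to review

def score_account(events):
    """Score one account's events; returns (score, reasons). Weights are assumptions."""
    events = sorted(events, key=lambda e: e["ts"])
    score, reasons, recent = 0, [], []   # recent: profile changes inside WINDOW
    for ev in events:
        now = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M")
        recent = [c for c in recent
                  if now - datetime.strptime(c["ts"], "%Y-%m-%dT%H:%M") <= WINDOW]
        if ev["type"] == "payment_method_changed":
            recent.append(ev)
        elif ev["type"] == "address_changed" and ev["from"] != ev["to"]:
            recent.append(ev)            # same-region edits are treated as routine
        elif ev["type"] == "purchase" and recent:
            kinds = {c["type"] for c in recent}
            if "payment_method_changed" in kinds:
                score += 2; reasons.append(f"{ev['item']} bought after card change")
            if "address_changed" in kinds:
                score += 2; reasons.append(f"{ev['item']} bought after address move")
            if ev["item"] == "gift_card":  # stored value is the easiest thing to cash out
                score += 3; reasons.append("gift card bought right after profile change")
    return score, reasons

def flag_accounts(events, threshold=ALERT_THRESHOLD):
    """Group events by account; return {acct: (score, reasons)} for those over threshold."""
    by_acct = defaultdict(list)
    for ev in events:
        by_acct[ev["acct"]].append(ev)
    scored = {a: score_account(evs) for a, evs in by_acct.items()}
    return {a: r for a, r in scored.items() if r[0] >= threshold}
```

Only the account that matches the full sequence is flagged; a lone song purchase or a same-state address edit followed by a purchase a week later scores zero.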
What is clear is that fraud via iTunes is a big problem in the burgeoning world of mobile applications and mobile payments.
In conversations with Threatpost, one China-based mobile application developer, Lakoo, reported that up to 40% of the in-app purchases made through iTunes were deemed fraudulent. Lakoo said that it had refunded victims in some cases, but that Apple was ultimately responsible for making the aggrieved users whole again, and that the company had ignored requests for help from Lakoo. In the meantime, iTunes users communicating in the company's support forums frequently complain that many of the games used to launder fraudulent purchases remain on the iTunes store, despite links to shady activity.
While no single vulnerability has been linked to the fraudulent activity, there's ample evidence that serious holes in iTunes and its components aren't hard to come by. In early March, for example, the company issued fixes for almost five dozen security vulnerabilities with the iTunes 10.2 software update. They include buffer and heap overflow issues that could allow an attacker to run arbitrary code on a Windows system running iTunes by way of specially crafted image files. Even more concerning: most of the fixed vulnerabilities were reported to Apple by researchers at Google, rather than by Apple's internal staff.
As has been the case all along, Apple declined to respond in any way to requests for comment or explanation from Threatpost. The company has not responded to Threatpost's articles on the account compromises or offered any further information on the source of the hacks or a solution for them.
That leaves loyal Apple users like Brad P frustrated and doubtful of the integrity of the iTunes platform, and of Apple itself.
“They should be a good company and do whats (sp) right, like figure out whats going on,” he wrote in an e-mail to Threatpost. “I assume they’r (sp) concerned with either letting the cat out of the bag and panic, (translated: bad press) or they dont (sp) really give a rats (expletive), cause its just part of doing biz.”