MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,522
30,800





Ars Technica reports on at least one other iTunes user who also claims to have been the victim of fraudulent App Store charges, possibly by a developer.
Ars reader Harper Reed contacted us to detail the problem. His account was used earlier today to purchase 34 of WiiSHii Network's apps without his permission, for a total of $168.89. The apps appear to mostly be travel guides for cities in China, and come in both English and Chinese versions—oddly enough, Reed ostensibly bought both.
Coincident with this activity, which occurred today, WiiSHii's apps are also rising in the travel section, suggesting that Reed's account may not have been the only one compromised.

The news comes soon after another report of similar fraudulent activity for another developer. In that case, Apple shut down that developer's account, reported that only 400 accounts were affected and denied that there was any compromise of Apple's iTunes servers themselves. Analysts had speculated that phishing had been the source of the account information:
"Standard phishing attacks," said Sullivan when asked to speculate on the most likely way Nguyen obtained access to the iTunes accounts. "That's much more likely than someone hacking the accounts or Apple's database," he added.
According to F-Secure's data, approximately 20% of online users use the same password across multiple accounts, so if that one password is stolen, it opens up access to all of those users' accounts. In this instance, Reed's password was apparently not an easily guessable word, but there was no indication if he used his password elsewhere on the internet.

According to one forum report, stolen iTunes account information is readily available for sale through certain Chinese web sites. If true, this means that the individuals actually stealing the accounts and those using them might not be the same. Based on the single data point, it's also impossible to say for sure the developer was behind the attacks, though they had the most to benefit. That said, it seems unlikely they will benefit from their efforts as Apple will almost certainly shut down their account if they are responsible.

Article Link: More iTunes Accounts Compromised by App Store Developer?
 

arn

macrumors god
Staff member
Apr 9, 2001
16,363
5,795
Seems counter productive, from a developer's POV.

ya, stupid really. also could open up the possibility of competitors doing this to other developers to try to take them out.

arn
 

Brien

macrumors 68040
Aug 11, 2008
3,665
1,282
ya, stupid really. also could open up the possibility of competitors doing this to other developers to try to take them out.

arn

Totally agree. No different than Facebook "hacking" either.
 

Saladinos

macrumors 68000
Feb 26, 2008
1,845
4
Apple needs to get on top of this ASAP. My mum just bought an iPhone, and she's still pretty novice at it. She's a prime target for this kind of attack.

She's not unique in that, either. If this isn't fixed, Apple's reputation is going to drown. Most iPhone users love their device, but not when you can't trust Apple's supposedly secure AppStore.
 

charlituna

macrumors G3
Jun 11, 2008
9,636
816
Los Angeles, CA
Seems counter productive, from a developer's POV.

That and that it was done two out of two weeks makes me wonder if it's not the developer but someone that is trying to get them booted off. possibly both times or this time someone is copycatting knowing that Apple would boot off the developer etc.

And how many of those 400-500 folks actually changed their passwords. I bet not all of them. Add in a few new hits on phishing and such and it would be easy to pull a repeat

Apple needs to get on top of this ASAP.

these aren't brute force attacks on their servers and all the instruction in the world won't stop folks from using 'music' as a password or posting the name of that dog on the facebook account that is linked to the same email

My mum just bought an iPhone, and she's still pretty novice at it. She's a prime target for this kind of attack.

What kind of son doesn't teach her. Or just have her use itunes gift cards and not a credit card so that at the most, someone would get $10-15

My grandfather just started using a computer and the first thing I taught him was that the Internet is like the Wild West, it looks civilized most of the time but at any moment someone could shoot you in the back (he loves westerns so he got the reference) so caution is always in order.
 

lomafor

macrumors member
Apr 29, 2010
38
0
Apple needs to get on top of this ASAP. My mum just bought an iPhone, and she's still pretty novice at it. She's a prime target for this kind of attack.

She's not unique in that, either. If this isn't fixed, Apple's reputation is going to drown. Most iPhone users love their device, but not when you can't trust Apple's supposedly secure AppStore.

Hello? I don't think you understand what is going on.

There is nothing wrong with AppStore's security in those cases. It is just like your credit card number being stolen and used to make a purchase at a store; it is not the store's problem and you should just contact the credit card company to investigate.

You shouldn't have lost your info to someone in the first place.
 

macfan881

macrumors 68020
Feb 22, 2006
2,345
0
do you still need to have a C Card to make an iTunes account? if not I'd say just use gift cards..
 

Orion27

macrumors member
Feb 23, 2003
49
0
I have received several invoices with my email address on the invoice but nothing else relating to me. In French!
 


ShiftyPig

macrumors 6502a
Aug 24, 2008
567
0
AU
If you get phished, having a unique and strong password doesn't really help you...

Exactly.

I'm struggling to see how this is "news" as it isn't in any way surprising that a service counting tens of millions of users is the target of phishing efforts. I'd be shocked if nobody in the world was trying to phish iTunes account info.
 

errin

macrumors member
Feb 7, 2007
56
64
This is mine. Though I'm the one who paid for them, why have I been charged twice?

 

Wurm5150

macrumors regular
Apr 28, 2010
161
27
Educate your mum...

Apple needs to get on top of this ASAP. My mum just bought an iPhone, and she's still pretty novice at it. She's a prime target for this kind of attack.

She's not unique in that, either. If this isn't fixed, Apple's reputation is going to drown. Most iPhone users love their device, but not when you can't trust Apple's supposedly secure AppStore.

You should educate your mum on phishing, being careful on going to suspect sites and emails...
 

cwaddell2002

macrumors member
Jun 21, 2005
80
0
Raleigh, NC
Got Hacked

FWIW, my account got hacked about 6 months ago, and I didn't get phished - also my account password was moderately robust... a word followed by a number combination...

After a good fight with my cc company, I got the $250 in charges reversed, and now have a combination of random letters, symbols, and numbers as my password. I will say that while the problem may not be widespread, there is some brute force attacking going on, or Apple's servers are getting hacked. Now that said, it would seem there are a couple of things they could do to beef up said security, such as allowing a user to identify a country of origin for their account, or even a series of MAC addresses from which to restrict access... that would probably be a lot of work, and too complex for most users to figure out though, and the problem may not be widespread enough to justify it...

Regardless, I was made whole by my cc company so no big deal - just a hassle...
 

jstoltz

macrumors newbie
Jul 9, 2010
2
0
Apple could make this more difficult for hackers by making it easier for users to make purchases without storing their credit card information.
 

hobo.hopkins

macrumors 6502a
Jul 30, 2008
569
6
I will say that while the problem may not be widespread, there is some brute force attacking going on, or Apple's servers are getting hacked.

I highly doubt that Apple's servers are being hacked; if Apple's servers had been hacked the issue would be far more widespread and have considerably further-reaching implications.

Apple could make this more difficult for hackers by making it easier for users to make purchases without storing their credit card information.

I don't think they would stop storing credit card information. More people would complain about the hassles of having to re-enter information than would appreciate the added security. Myself included.
 

alphaod

macrumors Core
Feb 9, 2008
22,183
1,245
NYC
Damn now I'm even checking my own account.

Looks good so far *knock on wood*

This is mine. Though I'm the one who paid for them, why have I been charged twice?


Pretty sure you can get one of those refunded.
 

iPoodOverZune

macrumors regular
Jan 13, 2007
235
0
LOST
jailbroken phones/touches

Actually, one of the things that I wanna point out here to all, since we are talking about hacked iTunes accounts, is the usage of jailbroken/unlocked iPhones/iTouches. The j/l broken phones/touches, if not secured by changing the default passwords (alpine), are the easiest targets to exploit by OpenSSH, to access your iTunes password.

I suspect many of these hacked accounts available for sale are/may be obtained via this process.
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
Talking about it as your account being “compromised BY developer” is misleading.

It’s probably more like “developer pays for promotion by some shady company who has used phishing scams, Windows spyware and the like to trick people into revealing all kinds of passwords, including iTunes passwords.”
 

skeebers

macrumors member
Jun 11, 2009
54
0
Yep..you hit the nail on the head.. Jail broken phones downloading apps with who knows what imbedded in it....
 

mlmathews

macrumors member
Jun 23, 2009
49
0
My grandfather just started using a computer and the first thing I taught him was that the Internet is like the Wild West, it looks civilized most of the time but at any moment someone could shoot you in the back (he loves westerns so he got the reference) so caution is always in order.

Most likely, your teaching did little good. I've been trying to teach various family members how to protect themselves for many years, but find that it's almost impossible to succeed because most non-technical people lack the instincts to make the judgments on what is and is not safe. Just last week I reminded my mom to be careful about opening email attachments and not 5 minutes later she was wanting to show me some video attachment that had just been forwarded to her.
 