
DeadlyRainbows

macrumors newbie
Original poster
Aug 14, 2011
I woke up today to find out that someone had gotten into my iTunes and spent the $50 store credit I had available to purchase some Chinese games. I know they are Chinese (or Korean/Japanese maybe) because the names were in those funky symbols.
My question is how could this have even happened? I'm on a MacBook Pro on OS X Lion and I've never visited a site or clicked a false URL to infect my computer. Yes, I do watch porn like every normal person, but only on *******. And last time I checked that site only gave spyware which was harmless?
Any help given would be appreciated,
Thanks!
 
Wow, kudos to being honest about watching porn. And where you watch it too.


Anyways, are you sure you didn't enter in your iTunes account information on any website? Nobody could have guessed your account information?
 
If I had to guess, your password is something like your pet's name, or a common word or name.

Chances are, someone brute-force-hacked your account, and "guessed" your password.
 
Lol it's not like people know me in person, so why hide it when I'm trying to get accurate info?

And this had happened once before on my old Windows PC, but I ran multiple virus scanners including AVG and Norton attempting to resolve the issue, then changed my password. When I got my new MacBook I received the free $100 credit and here comes this same guy who buys foreign apps at $29.99 each.
Of course when I Report a Problem to Apple, they never even contacted me back about it. Neither now nor before.
And no, my passwords all involve a number, uppercase letter, lowercase letter, and are between 10-13 characters long.

The only places I entered my info into were the iTunes store and App Store directly.
 
I thought (not sure) that what usually happens is that people are complacent and they keep re-using their login and password at many websites where they have accounts.

Let's say you have your login as your email account, which is pretty common.

Then, because you're human, you decided a few years ago to use the same password (complicated or not) on a bunch of websites so you wouldn't keep forgetting the password.

So, over time the situation looks like this:

Code:
Web site     Login        Password
Web A        abc@me.com   123
Web B        abc@me.com   123
Web C        abc@me.com   123
iTunes       abc@me.com   123

So, the hackers are smart - they know that loads and loads of people have iTunes accounts, and they also know people are - for lack of a better word - lazy - when making up logins and passwords.

They also know that Apple's security doesn't need to be breached. Why bother? Just get the logins and passwords on Site A, B or C.

Heck, you can also set up a website yourself to collect login/password info. Or there's an unscrupulous website that's actually sold the login/password info to someone. It could be anything...

So, now that you've hacked a website and gotten the login information, you can just go ahead and try those very same login/password combos on iTunes. Many of them will work.

You can see that there doesn't need to be a keylogger or malicious virus involved. Nor is Apple's security necessarily breached.

Protect yourself from this sort of attack by using a different login for important/trusted websites (banks, iTunes etc). Sites which require a valid email address for the account login aren't necessarily fraudulent, but they certainly aren't helping... And of course USE DIFFERENT PASSWORDS on each website. Changing passwords periodically is helpful as well.

Another protection is to not use PayPal. Apple's quietly instituted a change whereby the security code on the credit card account needs to be entered at various times - the hacker won't have that (most likely) so they're booted out and you get informed of suspicious activity. PayPal has no such code.

Or, you can go the gift card route and limit your exposure that way. There's also no security code on gift cards but if you keep your balance low there's really no risk. If you get hacked, change your password and be on your way.
 
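The two patterns raised in this thread, guessing one account's password versus replaying leaked login/password pairs against many accounts, look different in a service's login log. The sketch below is an added example, not code from any poster: it shows how a site operator could tell them apart, and the event format, thresholds, labels and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, account, success).
# IPs are documentation ranges; accounts other than abc@me.com are made up.
SAMPLE_EVENTS = (
    # One source, one try each against many accounts, one hit (reused password).
    [("203.0.113.7", f"user{i}@example.com", False) for i in range(5)]
    + [("203.0.113.7", "abc@me.com", True)]
    # One source hammering a single account with different guesses.
    + [("198.51.100.9", "victim@example.com", False)] * 8
    # An ordinary user who mistyped once.
    + [("192.0.2.10", "home@example.com", False)]
    + [("192.0.2.10", "home@example.com", True)] * 2
)

def classify_sources(events, min_attempts=5):
    """Label each source IP by the shape of its login attempts."""
    per_src = defaultdict(lambda: defaultdict(list))
    for src, account, ok in events:
        per_src[src][account].append(ok)

    labels = {}
    for src, accounts in per_src.items():
        attempts = sum(len(v) for v in accounts.values())
        failures = sum(v.count(False) for v in accounts.values())
        # Low volume or mostly successful logins: treat as ordinary use.
        if attempts < min_attempts or failures / attempts < 0.5:
            labels[src] = "normal"
            continue
        tries_per_account = attempts / len(accounts)
        if len(accounts) >= min_attempts and tries_per_account <= 2:
            # Wide and shallow: known pairs replayed across many accounts.
            labels[src] = "credential-stuffing"
        elif tries_per_account >= min_attempts:
            # Narrow and deep: many guesses against few accounts.
            labels[src] = "password-guessing"
        else:
            labels[src] = "suspicious"
    return labels

def compromised_accounts(events, labels):
    """Accounts that had a successful login from a flagged source."""
    return sorted({acct for src, acct, ok in events
                   if ok and labels.get(src, "normal") != "normal"})

if __name__ == "__main__":
    found = classify_sources(SAMPLE_EVENTS)
    print(found)
    print(compromised_accounts(SAMPLE_EVENTS, found))
```

A success from a source labelled credential-stuffing is the case described above: the password was correct on the first try, so password strength rules alone would not have stopped it.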
Weak password.

Secure passwords contain at least 8 characters with at least one character from upper case alphabet, lower case alphabet, numbers, and symbols.

For example, *******8)
 