Meet three people ripped off by iTunes fraud ring
Reports from victims of fraud on iTunes are beginning to paint a picture of what could be a significant security issue for Apple's online entertainment store. Worse yet, several of the victims who reported their experiences to Betanews are employed in IT -- people who obviously understand the risks of improperly secured personal data.
Although the reports are not uniform, Betanews investigations into the issue seem to suggest that attackers have primarily targeted users who had credit balances with iTunes. Monitoring of Sega's Kingdom Conquest app page shows new comments posted today about fraudulent charges, indicating the hack is ongoing. But that's not the worst of it: other apps may be victims of these hackers.
Reader Aaron Howell reported that he was one such victim, finding that someone had downloaded Storm8's World War, and then proceeded to download in-app credits on April 29. Howell had no credit card or PayPal on file, so the hacker was able to drain his gift card balance.
Like myself, Howell took the necessary steps to secure his iTunes account by changing to a password he says "does not exist in a dictionary anywhere." No further transactions were made until May 31, when his account was "locked for security reasons." That would likely indicate someone was again trying to use Howell's account.
Drew Church was another reader who reported being victimized in the Kingdom Conquest scam. In his case, his credit balance was wiped out by the in-app purchasing. He reported that no one knew his Apple ID save for his spouse. Church is an IT administrator by day, so certainly he'd understand the risks.
Another IT professional, Barry Scheelar, reported in, although his personal experience was different. After being given a $100 iTunes card, Scheelar added it to the account. In less than 24 hours, however, all but $.60 of it had been spent by someone overseas.
In all cases, Apple refunded the users' lost balances with little trouble. However, no reason has ever been given for what may be happening -- and issues with gift cards on iTunes have existed for at least two years. At that time, counterfeit cards gave hackers a way to obtain the account credentials of those tricked into purchasing the cards.
So what is going on here? It's still quite difficult to tell, but a few possibilities seem more obvious. First, the issue could lie in the in-app purchasing system. Here, an attacker could be using an exploit to make purchases against accounts that are not theirs. A second possibility is that the gift card system somehow contains the exploit, which has given hackers access to account credentials. This does not explain, however, those attacked, like myself, who were not carrying a gift card balance.
Yet another possibility, as mentioned in my personal account on Wednesday: Apple's iTunes user logs themselves may have been compromised. If this is the case, then a large segment of users could very well be at risk from a hack that takes little trouble or work on the hacker's part to break in.
Apple has not responded to requests for comment as of press time, and reports of more users finding fraudulent charges are still being posted to iTunes, indicating this issue is nowhere near being over.
Have you been hacked? Betanews is continuing to assemble reports. Email me directly: ed at edoswald dot com. Or comment below.