It appears that after seven months, Apple is still having difficulty coming to terms with the fact that hackers are targeting iTunes accounts to purchase apps and artificially inflate the revenue received, particularly apps originating from the developer account of “Hongbin Suo”.
We exclusively revealed back in July that attackers were compromising iTunes accounts across the world, revealing not just one but a number of different developer accounts that used very similar, if not more “innovative”, approaches to stealing users’ money. Put simply, the Apple App store was filled with App Farms being used to steal.
Fast-forward to mid-February: we receive a tip from a worried iTunes account holder, and Apple’s forums begin to fill up with users complaining of transactions being made on their iTunes accounts that they didn’t authorise. Reports point to apps from the developer account Hongbin Suo, particularly Texas Hold’Em and other Chinese apps, which were either paid downloads or made use of Apple’s in-app purchasing.
The Texas Hold’Em app’s in-app purchasing functionality allowed attackers to purchase chips, wiping out account holders’ iTunes balances in the process.
Each user has a similar story as to what is happening to their iTunes account:
Add me to the list of people who got scammed. Someone took $21.24 for a fraudulent in app purchase for “德州撲克, 560,000 chips, Seller: Hongbin Suo” and “德州撲克, v2.0, Seller: Hongbin Suo”. After googling it, the only app I could find was Boyaa Texas Hold’em from Boyaa Company Limited, which I’ve never downloaded or used. For now, I’ll assume they are an innocent party to this.
My money was from a gift card, so I can’t even dispute it with a credit card company. I sure hope Apple comes through and doesn’t give me a hassle over it.
One thing that seems to connect each of the affected iTunes users is that they have used Gift Cards to add iTunes credit to their account:
This would suggest that the Gift Cards have been compromised in some way, either accounts are being phished after someone has bought a Gift Card via an online auction site like eBay or there is a vulnerability in the way the iTunes Gift Cards are being generated. We are looking into whether this is the case.
Users have taken to Twitter, highlighting the extent of attacks:
Apple has been slow to address the matter, in most cases issuing a standard response to affected account holders saying that the Apple support team is looking into the issue and that they should hear back in 12-24 hours. Some account holders have received a response and notification of a refund, but others report waiting three days without word from Apple, and others still reported issues up to 14 days ago and have not had them dealt with.
Given that the same apps have been purchased from the same developer account, starting no later than February 17, Apple has been aware of the issue for over a week, and it still appears that compromised accounts are being used to purchase the very same apps, despite the reports filed against them.
The affected accounts are typically being charged around $25, ranging up to $50. These aren’t small purchases. The majority of accounts seem to have Gift Cards tied to them, which hopefully means Credit Card information has not been compromised (although some users have reported that their details have been amended).
The nature of the compromise could be out of Apple’s hands: if Gift Cards have been purchased via unofficial resellers, it is possible that accounts have been targeted as a result. Another thing to note is that iTunes accounts are only as secure as the details used to protect them.
The issue here is that compromised accounts are being used to purchase the same apps, debiting balances by as much as $50, and this continues at the time of writing. It’s not the first time this has happened either.
If you are worried that you might be at risk, here’s what you should do:
- Check your previous iTunes purchases. If you spot anything you haven’t personally bought, contact Apple and your bank to try to prevent any fraudulent iTunes purchases from clearing.
- Get in contact with Apple.
- Change your iTunes password.
- Remove your iTunes card details.
We are looking further into this and have contacted Apple for a response. We will update you as soon as we hear back.