
SANS ISC: Apple ITunes account security compromised - Internet Security | DShield SANS ISC InfoSec Forums


Apple ITunes account security compromised

It seems that iTunes accounts have been hacked to make mass purchases of one developer's apps.

As a safety measure, I recommend changing your iTunes password ASAP and, if you feel paranoid like me, deleting your credit card info from the account until this issue is clarified.

More information at: http://www.alexbrie.com/archives/205, http://thenextweb.com/apple/2010/07/04/app-store-hacked

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

Manuel Humberto Santander Peláez

185 Posts
ISC Handler
As a workaround, log in to your account from the iTunes store and:
- check the last items you bought;
- change your iTunes account password;
- disconnect your credit card information.

Could you please investigate and get an official statement from Apple?
Who better than SANS to ask for information about the hack?

Anonymous
This is consistent with the multiple notifications that I've been seeing from Apple/iTunes about 'how to reset your Apple ID password' (3-4 times in 1 month, none in the prior 8 years) - "If you weren't trying to reset your password, don't worry — your account is still secure and no one has been given access to it. Most likely, someone just mistyped their email address while trying to reset their own password."
Anonymous
I caution against a rush to judgment on the "hacked account" meme. There are plenty of ways for individual accounts to be "unknowingly" compromised (phishing, Windows keylogging, weak passwords [I've received plenty of notices about password reset attempts not by me, so the Bad Guys are trying]) that I'd be less inclined to believe in an iTunes systemic compromise. It's certainly possible, but IMHO down the list.
Anonymous
I agree dannyg. One of the first things I thought about were compromised hotmail/gmail accounts being used.

Often when someone's email account has been compromised, they will simply abandon it and create a new account. Afterward, many do not think to change email settings at all of the other places where they used the previous email to set up those accounts.

This is why I do not like it when online entities want you to use an email address as a login name.
Anonymous
Agreed. Also, I will not be changing my password, nor removing my credit card information from iTunes. I am beyond confident that my password is well secured and that iTunes does not allow brute-forcing. I also get notifications every time I make a purchase from my iTunes account. I can swiftly have it canceled through my bank.

These accounts were most likely compromised as a result of phishing (MiM or otherwise). Perhaps there's some malware in the picture? Or perhaps these fine gentlemen posted their login details on Facebook...
Anonymous
If you think your iTunes password is secure, think again. These bad actors compromised enough accounts to move their junk items to fill 40 of the top 50 spots on the iTunes category list - they were not just phishing or pharming. Read the article linked in the original post. I changed my iTunes password and disconnected all forms of payment. Also read the AppleInsider article - http://appleinsider.com/articles/10/07/04/itunes_app_store_hit_by_developer_and_account_fraud.html

My daughter’s iTunes account was compromised and I have lived through this, wondering if it was just a fluke, that she used a weak password or shared it somewhere. It now appears that this is a serious crime spree, netting the bad actors over a million dollars from over 100 hacked accounts per day.

I only noticed it because my daughter’s account is linked to my PayPal account, which was set to use my checking account. All of the transactions (5 charges) happened in a 4-minute window at two in the morning, my time. I noticed at about 8:30 AM, when I checked my personal email. I ended up dealing with PayPal and my bank, and attempting to deal with Apple. Apple was impossible to deal with – email only, with days to get responses, and then they did nothing – they requested that my “financial institution” deal with them and said that they could not discuss the problem with me. Really? Their security gets compromised and they can’t talk about it? Convenient.

PayPal was the best to deal with – very responsive, but unable to stop the electronic transaction from going through – it had already cleared through their system and was off to my bank. However, they did credit my money back once I filed the “unauthorized transaction” forms – and filed the correct paperwork with Apple to get my money back – almost $200 (except for the gift card balance she lost in her iTunes account).

Also – think again about your bank stopping the transactions. I contacted my bank, and they said it takes 3 business days to halt an electronic funds transfer, but it only takes 1 day for the transaction to actually process. And it takes 5 days for them to look at fraudulent charge claims.

Another issue I discovered during this problem – PayPal pre-approved payments. It seems that any time you use PayPal to purchase from a vendor, the vendor sets up a PayPal relationship. I was not aware of this, and nothing on the vendor websites really talks about it. I purchased shirts for my son from Woot – 3 times, weeks or more apart, $10-15 each time – nothing big. However, when I looked at the “My preapproved payments” link under my profile on PayPal, there were three entries for Woot, each allowing up to $5,000 per day and $15,000 per month in billing. The iTunes store was allowed up to $5,000 per month. I quickly deleted all of these pre-approved payments.

Moral of the story – shopping on the internet is still not as safe as people think. Our banking system is still far from the electronic age – they are unable to stop electronic transactions and take days to respond to problems.
Anonymous
My banker advised me to create a separate checking account for direct PayPal transfers.
I only keep about $100 in it, and can manage it with the bank's online access site. That way you can manage your potential loss to such exploits.
dave

21 Posts
errr... that was supposed to be 100 dollars, evidently this site doesn't like the dollar sign?
dave

21 Posts
I prefer to use a credit card to cover my PayPal purchases. That way, I have an extra layer of fraud protection (defense in depth of a sort, I suppose), and there's an added bonus of getting credit card reward points, air miles or whatever other goodies a given card offers.
John

13 Posts
