Scores of iTunes users have had their accounts hacked and used to buy software, much of which was in the form of pirate manga apps. Some users report thousands of dollars in fraudulent purchases.
Apple, for its part, acknowledges only that it has banned some developers in connection with “fraudulent purchase patterns,” and then suggests cancelling any cards linked to a compromised account.
The incident began with a developer, identified only by the Vietnamese name “Thuat Nguyen,” publishing iPhone apps on the iTunes App Store, most of which were apparently book apps, including a large number of pirate manga apps.
Reportedly, users who downloaded these apps found their accounts hacked and used to buy other apps by the same developer, which soon propelled those apps to the top of the charts in their respective categories.
• A number of iTunes accounts have been hacked from across the globe, not just the US, and used to purchase apps.
• The app developer that began this entire investigation has now had their account (and apps) removed, but we’ve discovered a number of other developer accounts with very similar, if not more “innovative”, approaches to stealing users’ money. The Apple App Store is filled with App Farms being used to steal.
• iTunes users have reported anywhere between $100-$1400 spent using their accounts.
• The trend: buy a couple of low cost apps ($1-$3) and then one app at an extortionate price ($90+).
• We’ve also seen reports of a free app being bought and using in-app purchases to effectively send money to the app developer’s accounts.
• Many of the apps have been purchased to specifically climb up the iTunes ranking to gain momentum in the hope that others will purchase the apps based on their high sales.
• Currently all the apps purchased have been owned by Asia-based developers with little information known about them. Clearly they feel being based in Asia will give them immunity to any US laws.
• This seems to have been happening over the course of the last 4 weeks, although MacRumors shows hacking on some level dating back to 2009.
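The purchase pattern described in the list above (two or three cheap apps followed by one very expensive app from the same developer) can be flagged from purchase records. The following is an added example, not code from the article or from any source it quotes; the record layout, thresholds, time window and sample data are assumptions chosen for illustration.

```python
# Added example (not from the article or the sources it quotes): a heuristic
# that flags the "cheap apps then one extortionate app" purchase run, applied
# to constructed sample records. Field layout and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed purchase records: (account, developer, app, price_usd, timestamp)
SAMPLE_PURCHASES = [
    ("acct-1", "dev-A", "Reader Lite", 0.99, "2010-07-04T10:00:00"),
    ("acct-1", "dev-A", "Reader Pro", 2.99, "2010-07-04T10:02:00"),
    ("acct-1", "dev-A", "Manga Vault", 99.99, "2010-07-04T10:05:00"),
    ("acct-2", "dev-B", "Todo", 1.99, "2010-07-04T11:00:00"),
    ("acct-2", "dev-C", "Weather", 0.99, "2010-07-05T09:00:00"),
]

CHEAP_MAX = 3.00       # "a couple of low cost apps ($1-$3)"
EXPENSIVE_MIN = 90.00  # "one app at an extortionate price ($90+)"
WINDOW = timedelta(hours=24)  # assumed: the run happens within a day


def flag_accounts(purchases, cheap_max=CHEAP_MAX,
                  expensive_min=EXPENSIVE_MIN, window=WINDOW):
    """Return {account: [developer, ...]} for accounts whose purchases from a
    single developer contain at least two cheap apps followed, within
    `window`, by one expensive app. Layout assumed as in SAMPLE_PURCHASES."""
    by_key = defaultdict(list)
    for account, dev, _app, price, ts in purchases:
        by_key[(account, dev)].append((datetime.fromisoformat(ts), price))

    flagged = defaultdict(list)
    for (account, dev), rows in by_key.items():
        rows.sort()  # chronological order
        for i, (t_exp, price) in enumerate(rows):
            if price < expensive_min:
                continue
            cheap_before = [p for t, p in rows[:i]
                            if p <= cheap_max and t_exp - t <= window]
            if len(cheap_before) >= 2:
                flagged[account].append(dev)
                break
    return dict(flagged)


if __name__ == "__main__":
    for account, devs in flag_accounts(SAMPLE_PURCHASES).items():
        print(f"{account}: suspicious purchase run from {', '.join(devs)}")
```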
Apple later issued one of its notorious Soviet-style PR missives, quietly avoiding any mention of the fact that it had just given hackers access to the credit cards of thousands of its customers and innocently suggesting those afflicted cancel their cards immediately:
The developer Thuat Nguyen and his apps were removed from the App Store for violating the Developer Program License Agreement, including fraudulent purchase patterns.
Developers do not receive any iTunes confidential customer data when an app is downloaded.
If your credit card or iTunes password is stolen and used on iTunes we recommend that you contact your financial institution and inquire about canceling the card and issuing a chargeback for any unauthorized transactions. We also recommend that you change your iTunes account password immediately. For more information on best practices for password security visit http://www.apple.com/support/itunes.
Reassuring indeed.
Reportedly these scams continue to be widely perpetrated. Considering the effort Apple expends in removing any prurient material from iTunes, it is remarkable to see such an anaemic response to an apparent incident of major fraud.
Apple could develop another hybrid kernel operating system “from scratch”. They have enough resources to do this. I want a robust, non-bloated Apple product. Is that a hard thing to do?
Learn from BeOS or Amiga for crying out loud.
Malware hosted on iTunes/AppStore servers – no different than anything in the Windows world.
Malware hosted on iTunes/AppStore servers + accessing account details held on Apple-owned/contracted servers – Bad Apple / security failure on Apple’s part.
This site is pretty sweet viewing on my iPad, oh the irony.
Kill yo ass.
Because 400 out of 150mil accounts is ‘huge’ and ‘major’ issue with the system. Not to mention the hypocrisy that SC complains about Apple’s restrictive App Store then goddamn says they should moderate it MORE.
Next up: How MS is at fault when people ‘hack’ in to their Windows PC because the password is “password”.
Also lol @ every post that actually read about what the hell actually happened (as opposed to SC fanboi’s usual knee-jerk whenever a company named after a fruit is mentioned) getting down-ranked. Stay classy.
Kill they ass.