Back on November 28, 2010, a user named stereocourier started a thread on Apple’s support forums. The poster claimed that, without his knowledge or consent, someone had spent more than $50 of his iTunes Store credit on iPhone apps. The user had no credit card linked to his account; all the mysterious purchases drew from his store credit. Oh, and stereocourier also noted that various personal details had been changed on his account; specifically, his home address had been replaced with an address he didn’t recognize in Towson, Maryland.
As of this writing, that discussion thread has swelled to more than 45 pages, with almost 700 posts. Someone, or some group of someones, seems to be able to spend iTunes gift card credit without permission, buying apps that users don’t want. And whoever’s doing the hacking seems fairly good at it: hundreds of users have seen their iTunes credit stolen, and the hack shows no sign of slowing, ten months after it was first reported.
This is a mystery story, but it’s not a great one. A great mystery generally involves a detective who gathers the evidence, performs an investigation, and finally delivers the dramatic reveal: the motive, the guilty party, and, if all goes well, the punishment. In the mystery of the Towson Hack, unfortunately, we’ve got a crime, evidence, and a motive, but no justice, and no real resolution. Consider yourself warned.
The background
In the days and months after stereocourier’s initial forum post on Apple’s site, numerous other users shared similar accounts of iTunes Store credit going missing, with receipts arriving that detailed purchases the affected users hadn’t made: $42, $20, $35, $10; no amount of store credit was too small to swipe. In case after case, when the affected customer reached out, Apple customer service representatives agreed to refund the store credit just this once, but acknowledged no error or iTunes hacking of any kind.
And, in case after case, the affected users’ addresses were changed to Towson, Maryland. By January 2011, however, it seems that either the attackers got smart, or other hackers caught on to their process. By that time, towson md itunes was a Google suggestion that led to many Web posts from folks detailing similar stories of iTunes store credit going missing, a trend that continues today. So come January, though the credit theft at the heart of the Towson Hack remained constant, some customers started reporting that their store credit went missing even though their iTunes account info remained mostly unmolested. Many users also began to report that their credit cards were unlinked from their iTunes accounts at the same time their store credit funds were depleted.
Many customers whose store credit was stolen noted that the purchases centered on a handful of apps from specific developers. One of those developers was “gao jing,” the name behind apps like Expert Guide for Black Ops, Cheats Guide for Black Ops, Weapons Guide for Black Ops, and Game Guide for New Vegas. Notably, none of those apps remain in the App Store as of this writing; however, Apple declined to comment on the reason for their removal from the store. Other customers noted that the purchased apps on their accounts were all from other developers, including “Hongbin Suo,” “lane ma,” “Yang Yun,” “KAMAGAMES,” and “Lakoo.” Many of the purchased apps, or the companies behind them, appeared to be Chinese in origin.
Bob Seifert lives in Wisconsin, and his story is a typical one. “Early in the morning on August 12,” he told Macworld, “I had gotten an e-mail stating that my account was used to buy [the free app] Instagram” from a machine not previously connected to his account. “Shortly after that, I got another email, stating that another free app was purchased—a Chinese one, this time. And then, they made an in-app purchase through that app of $19.99 for some in-game currency of some sort.”
Seifert had never heard of the game before, and says he didn’t download it or make the in-app purchase. When asked if he had ever potentially typed his iTunes password into a web form, perhaps succumbing to a phishing attack, he replied emphatically: “No, absolutely not. I actually work in the IT department at a large company, and I’m well aware of phishing. I’m closely connected to the Information Security group here [at work], and I use overly-complicated passwords for all my stuff.” The rogue purchases on Seifert’s account all but drained what was left of a $25 gift card he’d only keyed in “two to three weeks before the hack.” Interestingly, though Seifert also received an email from Apple confirming that he’d made a change to the billing address on his account, he still saw the correct address (and not Towson) when he logged in.
As is typical of the retellings on the forum thread, Seifert contacted Apple and Apple eventually refunded the purchases, but the company acknowledged no larger issue, and said that the refund was a one-time courtesy. Nor has Apple provided any formal statement on the Towson Hack: not in emails to customers that Macworld could locate, not on its site, and not anywhere else.
The Sega segue
One theory that several victims put forth on Apple’s forums was that the Towson Hack was really devised by rogue developers, who created largely bogus apps and then used other customers’ gift credit to purchase those apps, scoring ill-gotten cash in the process.
Some folks found that their stolen gift credit didn’t go towards the purchase of unwanted Chinese apps, though. Starting in late April, some customers found that instead their funds were making in-app purchases for a game from Sega called Kingdom Conquest. It certainly seems unlikely that a large corporation like Sega would intentionally involve itself in malicious behavior like the Towson Hack, suggesting that perhaps something was going on beyond just drumming up sales of bogus apps.
Customers who fell victim to the Kingdom Conquest variant of the Towson Hack didn’t own the original app, and certainly never went into the game to make in-app purchases with their store credit. Somehow, hackers were able to “buy” the free app on victims’ iTunes accounts, and then trigger the in-app purchases.
In its own forums, Sega posted this message:
We are currently investigating this claim as well as some others, but since we have no access to any customers’ iTunes account information or transaction history we highly recommend contacting Apple directly … Let me state very clearly that Sega and ‘Kingdom Conquest’ are not acting maliciously in any way.
A spokeswoman for Sega exchanged emails with Macworld, but declined to comment on the matter beyond the above forum post.
While the modus operandi stays the same, it seems clear that the Kingdom Conquest variant of the Towson Hack comes with a different motivation. One plausible explanation: hackers familiar with the technique are selling access to hacked iTunes accounts with store credit to burn. Perhaps if you’re willing to give a hacker $10, he’ll give you access to a hacked account with $50 of credit, and perhaps Sega’s game proves quite popular with folks willing to make that deal. Without further comment from Apple or Sega, however, it’s hard to say definitively. Such a scenario does seem to be the easiest explanation of why Sega’s popular game got involved in this mess.
Towson and beyond
By June, the malicious users behind the Towson Hack apparently started a road trip: Customers began reporting that, after their store credit was wiped out, their billing addresses changed to one of a variety of spots, including Miami, Florida and Cockeysville, Maryland.
Also in June, some customers reported receiving a message from Apple with a notably different flavor. Poster UnbrknCh8n claimed that Apple wrote:
After reviewing the circumstances of your case, we determined that issuing you a refund for the items that were purchased without your permission is an appropriate exception to the iTunes Store Terms and Conditions, which state that all sales are final. A refund in the amount of $49.97 will be credited to your iTunes account.
That admission that the purchases were made “without permission” remains the closest that Apple has come to actually acknowledging the existence of the Towson Hack.
But even that concession has not been codified among the echelons of Apple’s customer service: Another user, eric.h.210, claimed that Apple wouldn’t refund his fraudulently-incurred charges because it was his second time falling victim to the attack.
Apple’s band-aid
And the Towson Hack continues unabated. Newly-victimized customers join the discussion at Apple’s website quite regularly; daily, in fact, since Macworld began monitoring the thread last month.
Around June of this year, Apple began emailing customers who purchased apps from devices not previously connected to their iTunes accounts. For example, if you bought a new iPhone, and then bought an app from that iPhone, you’d receive an email reading in part:
Your Apple ID was just used to purchase [the app in question] from the App Store on a computer or device that had not previously been associated with that Apple ID. If you made this purchase, you can disregard this email. This email was sent as a safeguard designed to protect you against unauthorized purchases.
The email provides links to pages at Apple’s site for changing your iTunes password and improving your overall security. It doesn’t provide a direct link to report that the purchases were unauthorized, though. And while the message may be working to alert customers when they’ve fallen victim to a hack such as this one, it’s not stopping the theft from occurring: by the time the e-mail arrives, the purchase from the unrecognized device has already gone through.
The hack gets scarier
Craig Williams, who lives in Oregon, adds a slightly new wrinkle to the Towson Hack. He was hit back in June. “I woke up and had several e-mails from PayPal confirming small iTunes purchases.” When Williams mentioned PayPal, his story initially seemed unrelated; PayPal-related exploits almost universally stem from successfully phished PayPal passwords.
But here’s the thing: Williams did get victimized by the Towson Hack first. “After investigating, I found that my gift card balance had been drained as well.” Piecing together his iTunes purchase receipts, Williams saw that the gift card balance went first—“about $20 or so”—and only then was his iTunes-linked PayPal account attacked. “Luckily,” Williams said, “they only used about $100 from my PayPal account.” In Williams’s case, all the stolen funds went to in-app purchases in Sega’s Kingdom Conquest game.
Anne Robson’s gift credit was stolen for in-app purchases in Kingdom Conquest, too. But the added detail in Robson’s case is even more troubling: Robson lives in the UK. In an e-mail to Macworld, she explained how she “loaded up a £25 gift card … [most of] which was stolen from my account in the space of about 5 minutes one Friday afternoon” in June, over the course of three transactions. But here’s where Robson’s story gets (even more) alarming: “While my account was locked down by Apple following me disputing the transactions, a further attempt was made to take money out.”
Apple couldn’t explain to Robson how anyone could attempt to purchase apps with her account while it was locked. Apple locks accounts when you report fraud, just as your credit card company prevents your card from incurring subsequent charges when you report it stolen; in theory, it should be impossible to even gain access to an account after it’s been locked.
Robson’s case might signal that the ne’er-do-wells behind the Towson Hack somehow tamper with iTunes accounts via methods so subtle that they bypass Apple’s blocks. Or, her case might simply be a fluke: a mistakenly-applied block, or an outlier.
When Macworld contacted Apple about the Towson Hack, the company provided a written statement reading:
We’re always working to enhance account security for iTunes users. If your credit card or iTunes password is stolen and used on iTunes you should contact your financial institution about any unauthorized purchases, and be sure to change your iTunes account password immediately. For tips on protecting your iTunes account security visit www.apple.com/support/itunes.
As useful as that info may be, it fails to address the crux of the issue: stolen store credit. And, as with the individual cases of reported theft, Apple’s statement makes no mention whatsoever of any sort of systematic hacking like the kind that seems to be at the root of this phenomenon.
Now what?
So what’s a concerned iTunes customer to do? Apple has generally seemed responsive to customers affected by this issue, and eventually returns their money, but only, it seems, when customers first report the problem themselves. If you add store credit to your iTunes account and don’t spend it immediately, you need to watch your balance very closely. Check your iTunes purchase history from within iTunes, to ensure that no apps were purchased on your account without your knowledge.
It seems likely that an iTunes exploit exists that allows hackers to steal gift card credit from customers; if so, that exploit has remained unpatched for nearly ten months. If you believe that your account has been affected by this attack, you should report it immediately to Apple using the iTunes support form and Apple’s privacy issues contact form.
Do you need to panic? It’s hard to say. Apple does big business with its iTunes gift cards; with well over one hundred million iTunes customers, you’d expect the Internet to grind to a halt, choked by customer complaints, if every dollar of iTunes store credit were being stolen by malicious folks. By the same token, targeting only a tiny percentage of iTunes users works in the hackers’ favor: As with most malware and phishing attacks, the hackers can still net a good return while staying beneath the radar.
Apple suggests that the Towson Hack stems from weak, easily guessable passwords, and/or phishing attacks where customers are fooled into entering their passwords into hackers’ forms. If Apple’s right, that means that somehow the hackers are then logging into all the accounts they’ve captured each day, checking for iTunes Store credit to tap. That’s no small task, and a tough one to pull off while evading detection. But the fact that the only consistently-reported hack involves stealing store credit makes this theory less plausible. Craig Williams saw his PayPal account hit, too, but only after the hackers started with his gift credit.
Why aren’t the attackers just as willing to use credit cards linked to iTunes accounts to make these unwanted purchases? Perhaps they are making rogue credit card purchases too, but almost no one has noticed or reported such abuse, unlike the store credit theft victims, who report the issue in droves. It’s possible, yes. But it’s not likely.
You were warned
As we said at the outset: This isn’t a great mystery. We still don’t know whodunit, why the attack targets exclusively gift credit, and whether Apple will ever be able to block or detect the rogue store-credit-powered purchases preemptively.
In other words, we’re no closer to knowing how the Towson Hack really works. There was a time you could purchase hacked iTunes accounts in China, but again, you’d expect that if the accounts themselves had been phished or hacked, we’d see fraudulent purchases that didn’t rely on store credit. It thus seems more likely that whatever the means of the attack, it does somehow require that store credit be present to work.
The one thing we may have a good understanding of is motive. It’s possible that the Towson Hack is exploited by different malfeasants, towards different ends. The more common scenario involves the submission of functional-but-insubstantial apps to the App Store, followed by making repeated purchases of (or from within) those apps with stolen iTunes credit, to make money on the “sales.” But in some cases, hackers who’ve found a way to exploit the Towson Hack appear to be profiting from it not by “buying” copies of their own apps, but rather by selling access to accounts with gift credit for others to use.
Of course, that doesn’t really explain how the Towson Hack works in the first place.
It’s entirely possible that Apple’s analysis is spot-on. If Apple is indeed right, then the Towson Hack is really a traditional password hack. Indeed, a few Towson Hack victims reported that they received email notifications from Apple about too many login attempts on their accounts in the days leading up to their gift card theft, which would suggest brute-force password cracking attacks.
So maybe hackers are breaking into iTunes accounts through aggressive password cracking, and then they only steal gift card credit because it’s a bit quieter and less obvious than racking up credit card charges. Maybe they use an automated process that first attempts to change your billing address to confirm that they have access, and only then do they start spending your credit. That seems a bit far-fetched, though; it appears as though the hackers explicitly target accounts with gift cards, as opposed to breaking into everyone’s accounts and only attacking the ones with credit.
Apple apparently believes that the Towson Hack isn’t iTunes-specific, that it’s simply a traditional hacking attack that happens to target iTunes; otherwise, it seems as though the company would have changed something since November 2010.
But it’s far from clear if that hypothesis is correct. Until or unless Apple can confirm and fix the exploit, it’s up to iTunes customers to watch their accounts very closely.
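What “watching your account closely” could look like, as an added example rather than anything Apple or Macworld provides: the reports in this article share a recognizable timeline (a burst of failed logins, a billing-address change, store credit spent in several charges within minutes from a device the account has never used, a credit card or PayPal account unlinked or hit afterwards), and a rule-based check over an account’s activity can flag that combination while leaving a genuine new-iPhone purchase alone. The event schema, field names, and thresholds below are assumptions, and the sample events are constructed to mirror the cases described above, not real data.

```python
"""Rule-based detector for the Towson Hack activity pattern.
Added example; not code from Macworld or Apple. Event schema,
field names and thresholds are assumptions made for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta

BURST = timedelta(minutes=10)   # several charges within minutes
LOOKBACK = timedelta(days=7)    # window for failed logins / address change before the spend
FAILED_LOGINS = 5               # assumed "too many login attempts" threshold
DRAIN_RATIO = 0.9               # store credit counts as drained above this share of what was loaded


def ev(account, ts, kind, **fields):
    return {"account": account, "ts": ts, "kind": kind, **fields}


# Constructed sample timelines (hypothetical accounts, not real data).
EVENTS = [
    # Account A: the classic pattern (failed logins, Towson address, credit drained, card unlinked).
    ev("A", "2011-06-01T09:00:00", "device_associated", device="iphone-A"),
    ev("A", "2011-06-02T09:00:00", "credit_loaded", amount=50.00),
    ev("A", "2011-06-10T03:01:00", "login_failed"),
    ev("A", "2011-06-10T03:02:00", "login_failed"),
    ev("A", "2011-06-10T03:03:00", "login_failed"),
    ev("A", "2011-06-11T03:04:00", "login_failed"),
    ev("A", "2011-06-11T03:05:00", "login_failed"),
    ev("A", "2011-06-12T22:00:00", "billing_address_changed", city="Towson, MD"),
    ev("A", "2011-06-12T22:02:00", "purchase", device="pc-unknown-7", funding="store_credit", amount=9.99),
    ev("A", "2011-06-12T22:03:00", "payment_method_unlinked", method="visa"),
    ev("A", "2011-06-12T22:04:00", "purchase", device="pc-unknown-7", funding="store_credit", amount=19.99),
    ev("A", "2011-06-12T22:06:00", "purchase", device="pc-unknown-7", funding="store_credit", amount=19.99),
    # Account B: a legitimate purchase from a brand-new iPhone; Apple's e-mail fires here too.
    ev("B", "2011-06-01T09:00:00", "device_associated", device="mac-B"),
    ev("B", "2011-06-02T09:00:00", "credit_loaded", amount=25.00),
    ev("B", "2011-06-20T12:00:00", "purchase", device="iphone-B-new", funding="store_credit", amount=2.99),
    # Account C: gift credit first, then the linked PayPal account (the Williams wrinkle).
    ev("C", "2011-06-01T09:00:00", "device_associated", device="iphone-C"),
    ev("C", "2011-06-05T09:00:00", "credit_loaded", amount=20.00),
    ev("C", "2011-06-18T05:00:00", "purchase", device="pc-unknown-9", funding="store_credit", amount=9.99),
    ev("C", "2011-06-18T05:02:00", "purchase", device="pc-unknown-9", funding="store_credit", amount=9.99),
    ev("C", "2011-06-18T05:05:00", "purchase", device="pc-unknown-9", funding="paypal", amount=99.00),
]


def analyze(events):
    """Return {account: {"signals": [...], "flagged": bool, "credit_spent": float}}."""
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e["account"]].append(e)
    report = {}
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e["ts"])          # ISO-8601 strings sort chronologically
        known, signals = set(), set()
        loaded = 0.0
        failed, addr_changes, unlinks = [], [], []
        credit, other = [], []                   # (time, amount) split by funding source
        for e in evs:
            t, k = datetime.fromisoformat(e["ts"]), e["kind"]
            if k == "device_associated":
                known.add(e["device"])
            elif k == "credit_loaded":
                loaded += e["amount"]
            elif k == "login_failed":
                failed.append(t)
            elif k == "billing_address_changed":
                addr_changes.append(t)
            elif k == "payment_method_unlinked":
                unlinks.append(t)
            elif k == "purchase":
                if e["device"] not in known:     # the condition Apple's new-device e-mail keys on
                    signals.add("purchase_from_new_device")
                    known.add(e["device"])
                (credit if e["funding"] == "store_credit" else other).append((t, e["amount"]))
        spent = sum(a for _, a in credit)
        if credit:
            first, last = credit[0][0], credit[-1][0]
            if len(credit) >= 2 and last - first <= BURST:
                signals.add("store_credit_burst")
            if loaded and spent >= DRAIN_RATIO * loaded:
                signals.add("store_credit_drained")
            if sum(1 for t in failed if first - LOOKBACK <= t < first) >= FAILED_LOGINS:
                signals.add("failed_login_burst_before_spend")
            if any(first - LOOKBACK <= t <= first for t in addr_changes):
                signals.add("billing_address_changed_before_spend")
            if any(first <= t <= last + BURST for t in unlinks):
                signals.add("payment_method_unlinked_during_spend")
            if any(first <= t <= last + BURST for t, _ in other):
                signals.add("linked_payment_used_after_credit")
        # Flag only when a store-credit signal is corroborated by a second indicator;
        # a lone purchase from a new device is exactly what a new iPhone looks like.
        flagged = bool(signals & {"store_credit_burst", "store_credit_drained"}) and len(signals) >= 2
        report[acct] = {"signals": sorted(signals), "flagged": flagged, "credit_spent": round(spent, 2)}
    return report


if __name__ == "__main__":
    for acct, r in analyze(EVENTS).items():
        print(acct, "FLAGGED" if r["flagged"] else "ok", r["credit_spent"], r["signals"])
```

Accounts A and C come back flagged; B, the new-iPhone case, is reported with the single new-device signal and left alone, which is the distinction Apple’s e-mail cannot make on its own. The thresholds are deliberately conservative and would need tuning against real volumes; the point is that the signals reported across the forum thread are individually weak but strong in combination.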
[Lex Friedman is Macworld’s staff writer.]