If you use iTunes, you may want to pay close attention to our next story.
Hackers are invading users' accounts via phishing scams.
Hijackers buy iTunes logons from e-mail phishers who are expert at tricking you into typing your credentials at spoofed websites. ITunes logons also get stolen and sold off by hackers who spread computer infections containing keystroke loggers that capture logons as you type them.
Hijackers often begin by testing a few $1 purchases before moving on to larger transactions. They typically buy iTunes gift card codes, usually in $50 to $200 amounts. They then sell the codes — which can be used like cash to buy music and videos — at a steep discount, openly on the Internet. “Any online account that allows the transfer of funds can be a cash cow,” says Randy Eset, education director for anti-virus firm ESET.
Apple (AAPL) says there is little it can do about iTunes account hijacking. The company advises victims to change their passwords and contact their financial institution about being made whole.
ITunes hijacking has been happening for at least a year. It heated up after CEO Steve Jobs boasted at a June conference that Apple supports 150 million iTunes users, says Kurt Baumgartner, senior researcher at Kaspersky Lab. Cybercriminals are opportunistic, he says. They know Apple stores credit and debit card, checking account and PayPal information to enable online transactions.
Jeremy Schwartz, a 24-year-old tech contractor from Maumee, Ohio, recently had to scramble to get his bank to reimburse $87. An intruder logged into his iTunes account and used his debit card account number to buy an iTunes gift card and other items. Schwartz launched a Facebook discussion page for angry iTunes victims, and shut down his iTunes account. “I refuse to buy from a company that can’t even admit there’s a problem when the problem is pretty big,” he says.
Schwartz got his $87 back from Huntington Bank. Many others haven’t been as lucky. A common complaint: Financial institutions and Apple often both deny responsibility, leaving the consumer to eat the loss, says LaToya Irby, a credit management blogger at About.com.
Consumers should keep anti-virus protection and all software updates current, change passwords often, avoid disclosing personal information and surf the Web judiciously. “Ultimately, it is up to the users to safeguard themselves,” says Sean-Paul Correll, threat researcher at PandaLabs. Apple, he says, should consider advancing to better fraud-detection technology, more like what banks use.
AndyMac says
“I refuse to buy from a company that can’t even admit there’s a problem when the problem is pretty big,”
And what is Apple supposed to do if you are dumb enough to fall for a phishing scam or get your computer infected?
I use a different password for every single website I use. In the case of Apple I only enter that password in iTunes for the App store on the iPhone. So there’s no way to get my password by phishing even if I were to fall for it.
The one thing Apple should do is send order confirmation emails more quickly. I get the idea of batching the actual purchases together before heading off to PayPal or credit card to get the money, but any order should trigger an immediate email. At least then users could realize something was happening before it was too late.
KG from DC says
Hackers will be sorely dismayed when they find a 5-year-old expired card on my profile… with no history of a purchase. Never cared much for iTunes outside of the free podcasts that you don’t need an account for, so *shrug*