Web scam hits iTunes and Paypal users

By Maggie Shiels
Technology reporter, BBC News, Silicon Valley

Image caption: iTunes app store has millions of users

iTunes accounts linked to Paypal have been targeted in a scam, with a number of users complaining that they have been cleaned out.

Apple and Paypal refused to discuss the details of the incident.

Experts told the BBC that victims had most likely fallen for an e-mail scam, rather than being targeted via a flaw in iTunes or Apple servers.

"I just got hacked for $1,000 worth of software, videos and music," tweeted one victim.

Another told the technology blog TechCrunch: "My account was charged over $4,700. I called security at Paypal and was told a large number of iTunes stores accounts were compromised."

Another turned to Facebook to post details.

"My iTunes account just got hacked and someone made about $700 worth of purchases. I contacted Paypal and they said Apple has gotten so many attacks since June, they can barely keep up with reporting them all."

Apple would not comment but said that they had recently implemented new security measures.

In a statement to BBC News, Apple said: "iTunes is always working to prevent fraud and enhance the password security of all of our users.

"But if your credit card or iTunes password is stolen and used on iTunes we recommend that you contact your financial institution and inquire about cancelling the card and/or issuing a chargeback for any unauthorised transactions.

"We also recommend that you change your iTunes account password immediately."

Countermeasures

Paypal and Apple would not talk about the scale of the problem or how many people or accounts had been targeted.

Paypal said that any unauthorised charges will be reimbursed.

Image caption: Victims of the hack turned to social media to find answers and vent

However, those in the security industry said they were not surprised by the incident.

"We have been hearing about attacks on iTunes for a while and it seems it is possible to game iTunes and make money," said Dan Kaminsky, chief scientist at security firm Recursion.

"I am sure Apple are getting a rapid education in what it means to be a mechanism that fraudsters can use to steal funds, but I don't expect this to be a long-term problem or a product-threatening one.

"Apple is going to have to adjust and make investments in fraud prevention technologies but this is not a big deal."

Security experts said that most of the victims had likely fallen prey to a phishing scam.

Phishing involves using fake websites to lure people into revealing details such as bank accounts or login names.

Often the fake websites are difficult to spot because they do a good job of reproducing the website of the company they are impersonating.

Security experts warn people not to hand over their details if they have any reason to be suspicious of a website. They also point out that legitimate companies will not send e-mails asking for personal account information.
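One defender-side check that follows from the advice above, added here as an illustration and not part of the BBC article or anything Apple or Paypal published: it scans an HTML e-mail body for anchors whose visible text names one site while the link actually points elsewhere, and for target hosts that carry a trusted brand name (apple, paypal) without belonging to that brand's real domain, which is the shape of lure the article describes. The trusted-domain list, the two heuristics, the two-label "base domain" shortcut and the sample message are all constructed assumptions for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list for the brands named in the article; a real deployment
# would maintain its own list (assumption, not something the article specifies).
TRUSTED_DOMAINS = {"apple.com", "paypal.com"}

# Visible anchor text that itself looks like a URL or bare domain name.
URL_LIKE = re.compile(r"(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host name of a URL; scheme-less text is treated as http://."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def base_domain(host):
    """Last two labels of a host. Good enough for .com-style names; a real
    checker would use a public-suffix list (simplification for the example)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_under(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html):
    """Return one finding per link that trips a heuristic; [] for a clean body."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        reasons = []

        # 1. The visible text is itself a URL/domain but the link goes elsewhere.
        if URL_LIKE.fullmatch(text):
            if base_domain(host_of(text)) != base_domain(href_host):
                reasons.append("display_target_mismatch")

        # 2. The target host carries a trusted brand name without being that brand's domain.
        for domain in TRUSTED_DOMAINS:
            brand = domain.split(".")[0]
            if brand in href_host and not is_under(href_host, domain):
                reasons.append("brand_lookalike")
                break

        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message modelled on the kind of lure the article describes.
SAMPLE_EMAIL = """
<p>Your iTunes account has been suspended. Restore access at
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/account</a>.
Questions? See <a href="https://www.apple.com/support">Apple Support</a>.</p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"], "->", ", ".join(finding["reasons"]))
```

Run against the sample message, only the first link is reported, with both reasons: its visible text says paypal.com while the target's base domain is account-verify.example, and the target host contains "paypal" without being under paypal.com. The genuine Apple support link passes both checks. The brand heuristic deliberately compares domain suffixes rather than just looking for the brand string, so real subdomains such as www.apple.com are not flagged.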

Analyst Mike McGuire of Gartner said that Apple needs to ensure it stays on top of the situation.

"If they don't aggressively sort this out, it can undo a lot of brand building and trust as they become this transaction hub for 150 million people's credit cards at last count."
