The Towson Hack: the Mystery of Vanishing iTunes Credit

Since November 2010, hundreds of customers have seen their iTunes gift card balances drained by mysterious unwanted purchases

Page 2 of 2

Do you need to panic? It's hard to say. Apple does solid business with its iTunes gift cards; with well over one hundred million iTunes customers, you'd expect the Internet to grind to a halt, choked by customer complaints, if every dollar of iTunes store credit were stolen by malicious folk. By the same token, targeting only a tiny percentage of iTunes users works in the hackers' favor: As with most malware and phishing attacks, the hackers can still net a good return while remaining beneath the radar.

Apple suggests that the Towson Hack stems from weak, easily guessable passwords, and/or phishing attacks where customers are fooled into entering their passwords into hackers' forms. If Apple's right, that means that somehow the hackers are then logging into all the accounts they've captured each day, checking for iTunes Store credit to exploit. That's no small task, and a tough one to pull off while evading detection. But the fact that the only constantly-reported hack involves stealing store credit makes this theory less plausible. Craig Williams saw his PayPal account hit, too--but only after the hackers started with his gift credit.

Why aren't the attackers just as willing to use credit cards linked to iTunes accounts to make these unwanted purchases? Perhaps they are making rogue credit card purchases too, but almost no one has noticed or reported such abuse--unlike the store credit theft victims, who report the issue in droves. It's possible, yes. But it's not likely.

You were warned

As we said at the outset: This isn't a great mystery. We still don't know whodunit, why the attack targets exclusively gift credit, or whether Apple will ever be able to block or detect the rogue store-credit-powered purchases preemptively.

In other words, we're no closer to knowing how the Towson Hack really works. There was a time you could purchase hacked iTunes accounts in China, but again, you'd expect that if the accounts themselves had been phished or hacked, we'd see fraudulent purchases that didn't rely on store credit. It thus seems more probable that whatever the means of the attack, it does somehow require that store credit be present to work.

The one thing we may have a better understanding of is motivation. It's possible that the Towson Hack is exploited by different malfeasants, towards different ends. The more common scenario involves the submission of functional-but-insubstantial apps to the App Store, followed by making repeated purchases of (or from within) those apps with stolen iTunes credit--to make money on the "sales." But in some cases, hackers who've found a way to exploit the Towson Hack appear to be profiting from it not by "buying" copies of their own apps, but rather by selling access to accounts with gift credit for others to use.

Of course, that doesn't really explain how the Towson Hack works in the first place.

It's entirely possible that Apple's analysis is spot-on. If Apple is indeed correct, then the Towson Hack is really a traditional password hack. Indeed, a few Towson Hack victims report that they received email notifications from Apple about too many login attempts on their accounts in the days leading up to their gift card thefts--which would suggest brute-force password breaking attempts.

So maybe hackers are breaking into iTunes accounts through aggressive password cracking, and then they only steal gift card credit because it's a bit quieter and less obvious than racking up credit card charges. Maybe they use an automated hacking process that first attempts to change your billing address to confirm that they have access, and only then do they start spending your credit. That seems a bit far-fetched, though; it appears as though the hackers explicitly target accounts with gift cards, as opposed to breaking into everyone's accounts and only attacking the ones with credits.
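The sequence the last two paragraphs hypothesize (a burst of failed logins, a successful login, a billing-address change, then a store-credit purchase) is exactly the kind of pattern an account platform could hunt for in its own event logs. The following is an added detection sketch, not Apple's or Macworld's code; the event format, the sample events and the thresholds are all constructed or assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample account-event log: (timestamp, account, event); purchases carry their payment method.
SAMPLE_EVENTS = [
    ("2011-01-10T02:00:00", "alice", "login_failed"),
    ("2011-01-10T02:00:05", "alice", "login_failed"),
    ("2011-01-10T02:00:09", "alice", "login_failed"),
    ("2011-01-10T02:00:31", "alice", "login_ok"),
    ("2011-01-10T02:01:10", "alice", "billing_address_changed"),
    ("2011-01-10T02:03:00", "alice", "purchase:store_credit"),
    ("2011-01-10T09:15:00", "bob", "login_ok"),              # normal use: no failed-login burst
    ("2011-01-10T09:16:00", "bob", "purchase:store_credit"),
    ("2011-01-11T20:00:00", "carol", "login_failed"),        # burst, but no address change / credit spend
    ("2011-01-11T20:00:03", "carol", "login_failed"),
    ("2011-01-11T20:00:07", "carol", "login_failed"),
    ("2011-01-11T20:00:40", "carol", "login_ok"),
    ("2011-01-11T20:02:00", "carol", "purchase:credit_card"),
]

FAILED_LOGIN_THRESHOLD = 3                  # assumed tuning values, not Apple's
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
FOLLOW_ON_WINDOW = timedelta(hours=1)
TAKEOVER_SEQUENCE = ["login_ok", "billing_address_changed", "purchase:store_credit"]

def _in_order(kinds, wanted):
    """True if every event in `wanted` appears in `kinds`, in that order (gaps allowed)."""
    it = iter(kinds)
    return all(any(k == w for k in it) for w in wanted)

def flag_suspicious_accounts(events):
    """Accounts with a failed-login burst followed, within FOLLOW_ON_WINDOW,
    by the login -> billing-address change -> store-credit purchase sequence."""
    per_account = defaultdict(list)
    for ts, acct, kind in events:
        per_account[acct].append((datetime.fromisoformat(ts), kind))
    flagged = []
    for acct, evs in per_account.items():
        evs.sort()
        fails = [t for t, k in evs if k == "login_failed"]
        for start in fails:
            burst = [t for t in fails if start <= t <= start + FAILED_LOGIN_WINDOW]
            if len(burst) < FAILED_LOGIN_THRESHOLD:
                continue
            after = [k for t, k in evs if burst[-1] < t <= burst[-1] + FOLLOW_ON_WINDOW]
            if _in_order(after, TAKEOVER_SEQUENCE):
                flagged.append(acct)
                break
    return sorted(flagged)
```

Only alice is flagged: bob had no brute-force burst, and carol's burst was followed by a card purchase with no billing-address change, so the rule stays quiet on ordinary activity.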

Apple apparently believes that the Towson Hack isn't iTunes-specific--that it's simply a traditional hacking attack that happens to target iTunes; otherwise, it seems as though the company would have changed something since November 2010.

But it's far from clear if that theory is correct. Until or unless Apple can confirm and fix the exploit, it's up to iTunes customers to watch their accounts very closely.

[Lex Friedman is Macworld's staff writer.]

Copyright © 2011 IDG Communications, Inc.
