Another round of iTunes hacking

Status
Not open for further replies.

kodan

Limp Gawd
Joined
Apr 7, 2005
Messages
437
Well, I got hit today for over $650 in PayPal charges from iTunes. Of course no one can do anything about it and it's got to be my fault, even though hundreds of people have had it happen since July 4th. Check your accounts, people.
 
Did not know you could pay for iTunes' stuff through PayPal. No sarcasm here.
 
No one's getting "hacked" on the iTunes store; you're a victim of phishing, a keylogger, or the like. I'd venture to say you've been compromised and you either don't know it, or won't admit you've been duped into giving up your info.
 
No one's getting "hacked" on the iTunes store; you're a victim of phishing, a keylogger, or the like. I'd venture to say you've been compromised and you either don't know it, or won't admit you've been duped into giving up your info.

This.

Get a better password and watch what you click.
 
Umm, I know how to avoid phishing, and it's really amazing that it's ONLY iTunes accounts and it's been happening to many people since July 4th. I have an 11-digit alphanumeric password so I am pretty sure it was secure. I also use and keep up to date a virus scanner, and I run both Spybot and Malwarebytes weekly. Pretty sure I am secure. I also don't for a second believe Apple's phishing excuse. Heck, it's even happening to people that haven't used their iTunes account in at least a year. No one has any proof that there is a keylogger or other malware or even phishing that's the culprit... The only people saying that are Apple or their fanboys.
 
Umm, I know how to avoid phishing, and it's really amazing that it's ONLY iTunes accounts and it's been happening to many people since July 4th.

Did you just say that only iTunes users are affected by phishing and/or account fraud? Really?
 
Also, if my computer is compromised, how come my bank wasn't hit? I use the info more often for it than I do iTunes. How come the actual PayPal account wasn't hit instead of 14 purchases on iTunes? How come NONE of my other stuff got hit? Before anyone claims it wasn't really iTunes or PayPal: it really was, since it all shows on Paypal.com and within the iTunes client.
 
Did you just say that only iTunes users are affected by phishing and/or account fraud? Really?

That's not what I meant... If it was phishing and/or keyloggers, how come it's ONLY Apple iTunes that is getting hit and no one else the people do business with? If it was phishing or keyloggers you would expect to have more than one compromise. I am not naive enough to believe that it couldn't be phishing or keyloggers in some cases, nor am I naive enough to believe Apple when they say that's all it is when the problem has been ongoing for months.
 
Any way you slice it, whether I am a dumbass or not (that's debatable), you should still check your iTunes account for fraudulent activity. Another round of it has started, and it's been happening since July 4th.
 
Regardless of whether or not it's phishing or a genuine iTunes security issue, it's ALWAYS A GOOD IDEA to keep tabs on ANY account you use to purchase online.
 
Just went in to my account and removed my CC info. Thanks, OP!
 
Well, the scammers bought the audio versions of Harry Potter (6 books' worth) at about $32 each on average. I won't comment too much on the highway robbery/farce that these cost 30-plus bucks. They bought 2 seasons of Queer Eye for the Straight Guy and at least two seasons of Sex and the City. There was also a very large portion of Asian songs as well (which is where I assume the scammers are profiting). I think they own the songs or something. They also had some Lord of the Rings fans as well (bought all three of those at $10 a pop). I might have some of it wrong; I wasn't as concerned with what they bought as I am with how much they spent.

What really pisses me off is that this has been happening since July and there appears to be nothing in place to stop this. Several of my 14 buys, which were done over the course of the 5-hour spree, were for the same amounts. I also had 5 charges in less than 4 minutes that totalled $250, and almost $375 if you widen that one window to 12 minutes. Why did neither site catch that, and instead continue to allow me to spend $652.13? Hell, two weeks ago PayPal called me because I made two donations to the same charity on the same day for differing amounts (long story, but it was legit) to make sure I was not being scammed... Why the hell they would then let almost 700 bucks through to a site they KNOW they are currently having a lot of fraud with is beyond me.
 
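The velocity pattern the poster describes (five charges in under four minutes, seven inside twelve, several for identical amounts) is exactly the kind of signal a payment-side fraud check keys on. As an added illustration that is not from the thread or from either company, here is a sliding-window check run over a constructed 14-charge spree; the timestamps and amounts are made up to match the poster's figures.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (not the thread's real records): a 14-charge spree to one
# merchant over roughly five hours, including a 5-charge burst inside four
# minutes that totals $250.00 and a 7-charge run inside twelve minutes that
# totals $375.00. Amounts are in cents to avoid float rounding.
BASE = datetime(2010, 8, 1, 12, 0, 0)
SAMPLE = [
    (BASE + timedelta(seconds=s), cents)
    for s, cents in [
        (0, 3299), (45, 3299), (90, 3299), (130, 5999), (200, 9104),   # burst
        (480, 6250), (690, 6250),                                      # within 12 min
        (2400, 999), (3900, 999), (5400, 999),                         # three at $9.99
        (9000, 3299), (12000, 3299), (15000, 4999), (17400, 2999),
    ]
]


def velocity_alerts(charges, window=timedelta(minutes=4), max_count=5, max_cents=25000):
    """Slide a fixed-length window over the charges (sorted by time) and flag
    every window that reaches either the count or the amount threshold.
    Returns a list of (window_start, count, total_cents) tuples."""
    charges = sorted(charges)
    alerts = []
    for i, (start, _) in enumerate(charges):
        in_window = [c for t, c in charges[i:] if t - start <= window]
        count, total = len(in_window), sum(in_window)
        if count >= max_count or total >= max_cents:
            alerts.append((start, count, total))
    return alerts


def repeated_amounts(charges, min_repeats=2):
    """Amounts that recur during the spree (the same price charged several
    times), the secondary signal the poster noticed in his 14 buys."""
    counts = Counter(cents for _, cents in charges)
    return {cents: n for cents, n in counts.items() if n >= min_repeats}


if __name__ == "__main__":
    for start, count, total in velocity_alerts(SAMPLE):
        print(f"{start:%H:%M:%S}: {count} charges, ${total / 100:.2f} within 4 min")
    print("repeated amounts (cents -> count):", repeated_amounts(SAMPLE))
```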
What really pisses me off is that this has been happening since July and there appears to be nothing in place to stop this.

The number of accounts hacked has been extremely small relative to the total number of iTunes accounts that exist. If hackers guess your password, there's nothing Apple can do except invalidate the purchases and refund your money, just like any other case of credit card fraud.
 
Hackers did not guess an 11-digit alphanumeric password... Pretty sure they didn't brute-force it either. So that leaves a keylogger or phishing. I just checked my machine again with Avast and then the Trend Micro online scanner. I also ran both Spybot and Malwarebytes. All clean, so if there is a logger or virus it's a damn good one....

I am pretty anal about not clicking links in emails, even if I believe I know who it is from. It's far easier and safer to just type the URL for whatever site (supposedly) sent the email and check my accounts there. Plus, since I use Yahoo as my primary email, most if not all of the phishing attempts are already sent to spam. I seem to get one a week from "Blizzard" and it always ends up in the spam folder. I even know how to check the email headers and can spot fakes that way too....

I am not some fool that just does emails or whatever... I won't go off about how I have 4000 years in IT and it can't be my practices or my machine at fault. But I also won't fault all I do security-wise, and considering the "small number" of people being affected (this from Apple, who can't afford to tell 150 million people they could get screwed) all seem to have very similar stories. When you also consider the Apple mindset of "deny it's our problem, we didn't mess up, we can't, we are too good for that", I think you should maybe give me the benefit of the doubt when I think Apple was hacked, or at least not act like I am a retard.
 
I was doing some more research and found the blog of the guy that blew open the whole July 4th deal.
If this guy is right, it's actually pretty huge.

http://www.alexbrie.com/archives/238

******this next part is cut paste from his article***************

I believe that what Nguyen did was purchase a bunch of such hacked accounts, which he used on a daily basis to make purchases across his own apps. Based on my estimates from here, it is hard for me to believe that one can make around 100 purchases per app for each of his 41 apps using only 400 compromised accounts, during at least a month and a half, without being noticed by the rightful credit card owners. Actually it's impossible – since you cannot re-purchase the same app using the same account, and since each of the apps has been downloaded at least X (days) times N (number of purchases needed to keep spot #9 in the ranks), this means that each app must have been downloaded at the very least 100 (purchases) times 30 (days) – so Nguyen must have used at least 3000 different accounts for his deeds (although there were probably twice that many). Just notice that, even if he did use hundreds or thousands of gift cards as an alternative payment method, he'd still have needed different accounts to make the purchases.

Why would anyone go through such trouble, and why would they pay up 30% in sales commission to Apple? [rephrased here since it was confusing for some]

It's classic money laundering – you turn an illegal revenue (credit card fraud) into a legal one (iTunes developer).

To sum my ideas up, the number of compromised accounts one needs in order to make such purchases during a long period (and, most of all, without being detected) is much too big to be ignored.
The complexity of doing this kind of task (one has to log in with a stolen account id, make purchases of all 41 apps, log out and then do it again for hundreds more different accounts) makes only three options plausible:

1. The first one is that the fraud was automated, by some scripted program.
2. The second, that the fraud was done by hacking the iTunes servers and doing this while skipping the normal security steps.
3. The third one, and the scarier, is that this is an organized venture and that there are, somewhere, tens of people working on their computers, repeating daily the same repetitive steps I described. The results (millions of dollars) are totally worth it.

So, do you now believe me that this might be a whole wider story than Apple simplistically dismissed it as?
******** end of my cut paste from his site*************
 
Hackers did not guess an 11-digit alphanumeric password... Pretty sure they didn't brute-force it either. So that leaves a keylogger or phishing. I just checked my machine again with Avast and then the Trend Micro online scanner. I also ran both Spybot and Malwarebytes. All clean, so if there is a logger or virus it's a damn good one....

And if the iTunes account servers are being hacked, then the perps aren't very ambitious, because only a couple of hundred accounts have had problems.
 
And if the iTunes account servers are being hacked, then the perps aren't very ambitious, because only a couple of hundred accounts have had problems.

If you actually read the article from the guy that exposed the first round of July 4th hacks, at the link I posted up the page, you find that it was at least several thousand people, not several hundred, and that's being conservative. You would have had to have bought 123,000 units of the 41 apps over the 1.5 months, and you can't do that with just 400 accounts, or you had to manipulate it from the back end and avoid the security checks Apple has. Each one of the apps can only have been bought once on an account (can't buy the same app twice on an account). This is actually pretty scary if he's right.....

*******Here is the relevant comment cut from his blog....*****************


My math above was just saying that any single app (out of the 41) should have been purchased at least 3000 times, which you must do with separate accounts. This is because the strange behavior of those 41 apps had been displayed for over a month, and not in a single day.
Or, to speak more math for you:
* just like you said, 400 accounts would be able to provide 400 * 41 = 16400 purchases.
* but, to have 41 apps downloaded 100 times each over the course of a full month, you'd need 41 * 100 * 30 = 123000 purchases; that's 7.5 times more than what 400 accounts could have provided; so we can only deduce that at least 7.5 * 400 = 3000 should have been used.

*********************** end of cut******************************

Terpfen, I pray one day you get bitten by something like this. It's people with smug attitudes, who insist that it wasn't the big wonderful company's fault, that scream the loudest when they get screwed, and damn I hope I hear you scream..... Oh, and according to the same dude these guys were pulling in over 20 GRAND a day, so that's pretty ambitious to me. They had managed that for over a month and a half before they got caught, so let's see: $20,000 x 45 days is $900,000. I would call a million dollars a month in income from a scam pretty ambitious. There are also still questionable apps and developers on iTunes right now. I am done with iTunes over this, though.
 
The hacking is only occurring for users with PP linked to their iTunes account and not CC?
 