The Towson Hack: The mystery of vanishing iTunes credit - louvetian
http://www.macworld.com/article/161794/2011/09/the_towson_hack_the_mystery_of_disappearing_itunes_credit.html

======
jonknee
"One plausible explanation: Hackers familiar with the technique are selling
access to hacked iTunes accounts with store credit to burn. Perhaps if you're
willing to pay a hacker $10, he'll give you access to a hacked account with
$50 of credit—and perhaps Sega's game proves quite popular with folks willing
to make that deal."

I can't imagine they are selling accounts to people who are actually using
them and no one outside has noticed. If you want to steal apps there are
easier ways than trying to purchase a compromised iTunes account. Stealing an
account or purchasing a stolen account is a good way to get in a lot of
trouble (it also shouldn't be hard for Apple to figure out who's doing the
in-app buying--you have their device ID). This is for in-game credits, so simply
jailbreaking and installing from Hackulous won't do the trick, but I have
doubts that a bunch of people want to risk going to jail just to play
KingdomConquest on iOS.

They're converting in-app purchases to cash somehow.

~~~
AndyJPartridge
This was my thought.

In the past I have bought in-game money with real-world money. A character
would turn up in the game to meet your character at a pre-determined
location, and complete the deal. (Usually ;-) )

I'm guessing something like this is happening. If that was the case, I'd like
to think between Apple and Sega they could work out privately between
themselves who may be involved in this.

------
gravitronic
An excellent comment from the original article:

 _"Their store credit is being drained before PayPal because that's how iTunes
works, uses your credit first. You don't have to choose credit vs. PayPal.

They aren't hacking those that use Credit Cards (VISA, MasterCard etc) because
any purchase from a new device has to confirm the security number on the back
of the credit card.

Thus the attack is only going after open (non credit card) accounts, possibly
phishing, possibly dictionary attacks, or any other form of hacking."_

~~~
mmuro
A simple explanation...and probably the correct one.

------
coffeedrinker
When I first read about this (some weeks ago) it seemed to me that it was more
likely a database failure since the address fields in the accounts were all
being set to the same thing.

That is, valid purchases were being made, but the wrong account was being
charged/edited.

Of course, I have no proof of this. It simply struck me as strange that a
hacker would reset the town to the same thing in the accounts. What purpose,
unless it was the hacker's signature.

------
eps
Let's throw some theories around, shall we?

I would guess that this is an inside job that exploits a flaw in an account
address change procedure. That would explain why Apple couldn't resolve the
problem by patching up the iTunes protocol, which would be the reasonable thing to
expect if the flaw was exploited from the outside.

~~~
Wilduck
I would guess it's a phishing/brute force scam, and the address change is (as
mentioned in the article) just a way to validate that it worked.

I would say that Apple's actions around refunds are just a simple way to make
sure they don't take too much bad press while they try to find a way to
prevent this from happening.

------
matdwyer
I had unauthorized purchases on my iTunes account for the following:

10 songs from this guy who I've never heard of - <http://stantonlanier.com/>
and N.O.V.A. - Near Orbit Vanguard Alliance, v1.2.1, Seller: Gameloft (12+)

Both were from my store credit in the span of a day. I changed my password and
have been good since then, didn't think about complaining to Apple as it was
only like $15.

~~~
abcd_f
Where is your iTunes installation? Windows or Mac? It'd be interesting to see
what people who had this problem have in common in terms of their setup. It
might just be some sort of trojan/rootkit making rounds.

~~~
matdwyer
Both Mac & Windows, although at that time it would be primarily Mac.

Three devices (2 iPhones & an iPad).

For what it is worth, I was using the same password as my "normal" internet
pass. Promptly changed to a unique one and that saved it, so not sure if it
could have been a phishing thing or a stolen pw (although I'm typically very
diligent about it).

~~~
jcarreiro
I can't recommend 1Password enough. There is no substitute for having a
unique, long, alphanumeric+symbols password for every web site you use. If you
use the same password for multiple sites, then your entire online identity is
only as secure as the weakest site.

Disclaimer: I am a satisfied 1Password customer (iPhone and OS X) who is not
affiliated with the agile.ws team in any way.

~~~
CrazedGeek
Alternatively: <http://xkcd.com/936/>

------
spauka
This is certainly an interesting hack attempt, and it certainly sounds like
Apple is compensating people affected out of their own pocket.

If the hack is genuine, it reflects one of the biggest problems Apple has, in
that while they may be able to handle individual complaints quite well, they
fail completely at handling overarching issues that affect a large number of
people, which just permeates the impression that you sometimes get that Apple
is a completely closed culture, not subject to outside scrutiny. This is not a
good thing.

At any rate, I am certainly intrigued, and I hope very much that if Apple does
nail the issue, they release details. Which may be optimistic...

------
JacobAldridge
One possible thought of why they use the Store Credit but not Credit Cards: If
you hack my Visa, and I report it, Visa will put a stop on the payment (if
caught in time); but it seems like Apple is simply _refunding_ the Store
Credit.

If the criminal/s (or the original instigator/s at least) are using the Store
Credit to buy their own Apps, they wouldn't want the payment to be stopped.
Seems like Apple is giving them that payment (less Apple's 30% of course) and
refunding the victim - Apple is out of pocket, but the criminal is still paid.

~~~
alex_c
That seems risky. Apple presumably knows the identity of app developers, since
it needs to send them payment. It shouldn't be too hard to detect a pattern,
where certain apps are bought with stolen iTunes credit much more often than
others.

~~~
mattmanser
The article mentioned in-game credits, I wonder if this could be a real money
trading scam for in-game credits or items. Although I must admit I have no idea
if the game mentioned allows in-game trades, which are crucial to allow RMT.

If so it's not so risky as the sucker will end up being the player who bought
the items and I doubt anyone ever pursues their claims as they've invariably
violated the TOS of the game.

Edit: The more I think about this, the more genius a way to monetize this hack
it seems.

------
ChuckMcM
Well, previous hacks apparently had the goal of elevating malware to the top of
the 'paid' app category. This might be similar, but it might just be a penny
pinching campaign not unlike a fractional cent interest sweep or a stored
value card chargeback scheme.

The address change is probably the 'verification' step to be sure they have
the correct password.