Phishing primary cause of bogus iTunes charges

August 27th, 2010 → 6:08 am @ John P Mello Jr

Apple’s walled garden, also known as the iTunes store, showed a crack this week when reports began flooding the Internet of compromised accounts being used to siphon money from PayPal for unauthorized purchases at the online music outlet.

Sums charged to PayPal varied, but one iTunes customer claimed $4700 had been debited from his account through the Apple store by parties unknown. Other users reported more modest thefts of $500, $650 or $1000.

Although the bandits were exploiting connections between iTunes and PayPal, they exhibited behaviors associated with credit card scammers. For instance, they always spent less than $100 on an item. That's a tactic used to stay under the thresholds that trigger fraud review. It's also a significant cutoff point for merchants: at $100 or above, they've got to foot the bill for a fraudulently purchased item.

PayPal has denied that its systems were breached. “We’ve looked into this extensively, and want to assure you that: 1) the PayPal system itself has not been compromised and continues to be secure; and 2) if you have been affected by this issue, the criminals behind it have not taken over or logged into your PayPal account,” the company’s chief information security officer Michael Barrett wrote in a blog post.

While PayPal was advising its customers to report their problems to the company so they could be reimbursed for any money they may have lost to scammers, Apple passed the buck to others. “We’re always working to enhance account security for iTunes users,” it said. “If your credit card or iTunes password is stolen and used on iTunes you should contact your financial institution about chargebacks for any unauthorized purchases.”

While Apple did not officially comment on the security of iTunes, sources speaking off the record discounted breach speculation. “There’s no security hole in iTunes, and if you’ve been unfortunate enough to have hundreds of dollars in unauthorized purchases charged to your iTunes account, it’s likely because you’ve fallen victim to a bot attack or phishing scam, a variation on the one that’s been around for years now,” John Paczkowski wrote in All Things Digital.

“Sources close to Apple tell me iTunes has not been compromised and the company isn’t aware of any sudden increase in fraudulent transactions,” he added.

If neither iTunes nor PayPal were compromised, password theft via a phishing scam or malware infection seems like a logical inference. Indeed, it’s one a number of unnamed security experts cited when contacted by reporters following the story. But there were some oddities in the transactions involved that didn’t seem to fit a straight password pilfering scam.

For example, all the unauthorized transactions were tied to PayPal. If the scammers stole iTunes passwords in a phishing scam, why were the only users victimized those who made iTunes purchases with their PayPal accounts?

The receipts generated by the unauthorized purchases were also odd. When purchases are made at the iTunes store, a receipt is generated and sent to the purchaser. The victims of this scam received such receipts. However, a comparison of receipt subject lines performed by Charles Arthur at The Guardian revealed an interesting disparity.

When an item is bought with a credit card at iTunes, the subject line usually says “Receipt for your payment to iTunes Store.” When it’s bought with PayPal, the subject line reads “Receipt for your payment to iTunes.” What Arthur discovered was that although PayPal was used to make the unauthorized purchases, the receipts generated from those purchases carried the credit card subject line.
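The two anomalies above, a receipt whose subject line does not match the payment method that was actually charged and a run of just-under-$100 purchases that adds up to hundreds of dollars, are both things a fraud or abuse team could check for mechanically. The following is an added example (not code from the article, Apple or PayPal) that does so over a constructed batch of receipt records. The two subject strings are the ones Arthur reported; the $100 ceiling follows the article; the 24-hour window, the $500 alert total, the minimum count of five and the sample receipts are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Subject lines as reported in the article (Charles Arthur's comparison).
EXPECTED_SUBJECT = {
    "credit_card": "Receipt for your payment to iTunes Store",
    "paypal": "Receipt for your payment to iTunes",
}

# Assumed detection parameters (illustrative, not from the article).
PER_ITEM_CEILING = 100.0      # scammers stayed under $100 per item
WINDOW = timedelta(hours=24)  # look for bursts inside a day
TOTAL_ALERT = 500.0           # sub-ceiling purchases summing to this or more
MIN_COUNT = 5                 # ...across at least this many items


def subject_mismatch(receipt):
    """True when the receipt subject is not the one its payment method should produce."""
    expected = EXPECTED_SUBJECT.get(receipt["method"])
    return expected is not None and receipt["subject"] != expected


def structured_accounts(receipts):
    """Return {account: largest_window_total} for accounts whose sub-ceiling
    purchases within any WINDOW number at least MIN_COUNT and sum to TOTAL_ALERT or more."""
    by_acct = defaultdict(list)
    for r in receipts:
        if r["amount"] < PER_ITEM_CEILING:
            by_acct[r["account"]].append((r["ts"], r["amount"]))

    flagged = {}
    for acct, items in by_acct.items():
        items.sort()  # chronological
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it fits inside WINDOW.
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            window = items[start:end + 1]
            total = sum(amount for _, amount in window)
            if len(window) >= MIN_COUNT and total >= TOTAL_ALERT:
                flagged[acct] = max(flagged.get(acct, 0.0), total)
    return flagged


def analyze(receipts):
    """Run both checks and return the receipt ids and accounts they flag."""
    return {
        "mismatched_subjects": [r["id"] for r in receipts if subject_mismatch(r)],
        "structured_accounts": structured_accounts(receipts),
    }


# Constructed sample data: six $95 PayPal purchases twenty minutes apart on one
# account, each carrying the credit-card subject line, plus two ordinary receipts.
_BASE = datetime(2010, 8, 24, 1, 0)
SAMPLE_RECEIPTS = [
    {"id": f"r{i}", "account": "victim@example.com", "method": "paypal",
     "amount": 95.0, "ts": _BASE + timedelta(minutes=20 * i),
     "subject": EXPECTED_SUBJECT["credit_card"]}
    for i in range(6)
] + [
    {"id": "r6", "account": "alice@example.com", "method": "paypal",
     "amount": 9.99, "ts": _BASE + timedelta(hours=8),
     "subject": EXPECTED_SUBJECT["paypal"]},
    {"id": "r7", "account": "bob@example.com", "method": "credit_card",
     "amount": 129.0, "ts": _BASE + timedelta(hours=9),
     "subject": EXPECTED_SUBJECT["credit_card"]},
]

if __name__ == "__main__":
    result = analyze(SAMPLE_RECEIPTS)
    print("receipts with mismatched subject:", result["mismatched_subjects"])
    print("accounts with structured sub-$100 spend:", result["structured_accounts"])
```

On the sample data the six receipts on the victim account are flagged on both counts: their subject line is the credit-card one although PayPal was the method, and they total $570 across six sub-$100 items inside a single window. The $129 purchase is ignored by the structuring check because it is over the ceiling, which is precisely why splitting into small items is the scammer's tactic and why the check has to sum rather than look at items in isolation.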

Despite the lingering questions about the break-ins, the consensus still seems to be that they involved compromised passwords, and that those passwords were obtained by phishing or other forms of Net mischief.

For consumers who want to avoid becoming victims of online scammers, PayPal’s Barrett offers these tips:

  • Use a safe password: use a strong password which includes a combination of upper and lowercase letters and numbers. But don’t use the same password for every online account you have. That’s basically like using the same key for your house, your car, your office and your safety deposit box. If you lose that key, you’re in trouble.
  • Protect your computer: use a modern, supported operating system such as Windows 7 or Apple’s OS X Snow Leopard. You should also use an updated Internet browser that blocks fraudulent websites, like Internet Explorer 8, Safari 5, Firefox 3 or higher. As always, keep your antivirus software updated.
  • Don’t click on links in email: never click on links in email and then enter your username, password or other sensitive information – even if the email looks like it’s from your bank, an e-commerce site, the IRS or popular sites like PayPal.
  • Use common sense: if you wouldn’t do something in the offline world, don’t assume it’s safe online. If a stranger walked up to you at a gas station and said, “Please give me the key to your house; I need to make sure there are no burglars there,” you’d probably tell him to go take a hike. Likewise, if you get an email, phone call or some other unexpected message demanding that you turn over your username and password, don’t do it. Trust your instincts.
