iPhone app scam likely fueled by phishing, says security expert

iTunes' permissive downloading rights may have played a part, F-Secure researchers says

It's unlikely that consumers' iTunes accounts were hacked by a Vietnamese iPhone developer, a security researcher said today.

Instead, it's more probable that users' credit cards were obtained through standard phishing tactics or keyloggers that were secretly installed on people's machines, or that iTunes accounts were accessed because of poor password practices.

"Phishing seems the more likely explanation," said Sean Sullivan, a security adviser with Helsinki, Finland-based antivirus vendor F-Secure.

Sullivan was reacting to questions about scenarios that could explain Apple 's claim that approximately 400 iTunes accounts were used to fraudulently purchase software from the iTunes App Store, driving up the popularity of 42 iPhone apps from a single Vietnamese developer, Thuat Nguyen.

Nguyen's apps were yanked from the App Store on Tuesday after Apple accused him of "violating the developer Program License Agreement, including fraudulent purchase patterns."

"Standard phishing attacks," said Sullivan when asked to speculate on the most likely way Nguyen obtained access to the iTunes accounts. "That's much more likely than someone hacking the accounts or Apple's database," he added.

Phishing attacks -- usually launched by massive spam e-mail campaigns that steer users toward a bogus iTunes account page -- are nothing new: The first phishing attack targeting iTunes appeared more than two years ago .

Ironically, the flexibility that iTunes provides customers may have played a part in the scam, Sullivan said. Unlike other online retailers -- Sullivan pointed to Amazon.com as an example -- iTunes doesn't block purchases made from computers using IP addresses in far-flung locations. iTunes users can authorize up to five computers to purchase music, apps or movies from the store.

F-Secure tested iTunes' permissiveness. Mikko Hypponen, the company's chief research officer who is based in Finland, successfully purchased content using the account of a U.S. colleague, with his permission. "An American account gives me access to iTunes from Finland," said Sullivan, who also lives in Helsinki. "Try that on Amazon, and it will say, 'Sorry, you're in Finland, you can't.'"

That flexibility would have allowed Nguyen or others living in Vietnam, China or anywhere else in the world, to illegally access U.S. consumers' iTunes accounts and order his apps. That would also explain the spike that Nguyen's software took on the U.S. App Store's bestseller list, where at one point his programs held more than 40 of the top 50 spots.

How Nguyen obtained the iTunes account credentials may remain a mystery, but Sullivan said they could easily have been harvested by phishing attacks aimed not at iTunes users, but at a much larger pool of victims.

"Another strong possibility is that the [iTunes] passwords were obtained by phishing attacks against Hotmail, Yahoo Mail or Gmail," Sullivan said, citing the three largest free Web e-mail services.

Sullivan based that bet on the fact that a sizable portion of people who go online -- upwards of 20% according to F-Secure's data -- use a single password for all their online activity, including purchasing accounts. In that scenario, once identity thieves obtained the log-in credentials of, say, Hotmail, they would try the same username -- iTunes relies on e-mail addresses for those -- and the same password on Apple's online store.

"If it's true that only 400 accounts were used, it's highly possible that a phishing campaign against Hotmail could have been how these accounts were accessed," said Sullivan. "You could easily find that many [iTunes passwords] in a Hotmail phishing attack."

Nguyen would not have had to collect the Hotmail, Yahoo Mail or Gmail account credentials himself, Sullivan noted: There are plenty of criminal groups eager to sell the information they've harvested.

Consumers can do several things to protect themselves from being victimized by similar scams, Sullivan said. "Parents buy iTunes gift cards for their children to set a spending limit, but using them is an excellent idea for everybody," he said. Users can create an iTunes account without entering a credit card by using a gift card.

"Then, if the account does get phished, or Apple's database is breached, your credit card won't be at risk," Sullivan said.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags telecommunicationapplicationsMobile and WirelessMobile Apps and ServicessecurityMacintoshf-securesoftwaremobileApple

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?