Hacked iTunes accounts sold online
 Source: Global Times [08:08 January 06 2011]



About 50,000 illegal accounts are being sold at taobao.com, China's largest online store, at prices ranging from 1 yuan to 200 yuan. Photo: Google

By Zou Le

For merely 200 yuan ($30) a pop, an Internet user in China can purchase up to $200 worth of digital products at Apple Inc's vast music, movie and applications vault.

Far from being a benevolent offer by the fruit-favoring giant, this offer is the result of the theft of iTunes user account details stollen by hackers who then auctioned them online.

The Global Times discovered Wednesday that about 50,000 illegal accounts are being sold at taobao.com, China's largest online store, at prices ranging from 1 yuan to 200 yuan.

Potential buyers are promised access to music and movies through iTunes amounting to seven times more than the amount paid.

The only restriction is that all downloads should be made within 24 hours of the transaction being completed at Taobao.

The websites show that thousands of such accounts have been sold over the past several months.

"Of course these accounts are hacked, otherwise how could they be so cheap?" a customer service representative of one of the online stores admitted to the Global Times.

He assured that the hacked accounts were safe to use due to the legitimate holders being located abroad, but he warned that the accounts needed to be used as quickly as possible. He refused to comment on the methods used to obtain the accounts.

A Global Times reporter wired $5 to a seller through Taobao's online payment system, who then provided a username and password to iTunes.

Upon accessing the account, the credit card details of a user appeared in the payment information section with a billing address in the US.

Xu Yuanzhi, a Chongqing-based IT expert who has been following the case, told the Global Times that hackers either directly hack iTunes accounts owned by foreign users or steal the details of overseas credit cards, which are then used to register several iTunes accounts for purchases.

"A 24-hour limit is out of concern that the legitimate user will discover his account being violated and cancel his card within this period," Xu said.

Apple's iTunes has become the world's biggest music retailer, with revenue at $1.3 billion in the quarter ended March 27, according to official figures.

Apple CEO Steve Jobs said in June that iTunes has more than 150 million customers' credit card numbers on file.

On Apple's homepage's Support section, hundreds of users have posted stories about hacked accounts, dating back to September.

"I never used my iTunes account ... but somehow my credit card was charged with $300," wrote "Mawsandra."

In response to the "black accounts," a customer representative at Apple China told the Global Times that the company is offering only technical support and suggested that users "better safeguard their account information."

Apple enhanced the security for iTunes in July by requiring more frequent entries of credit card security codes when making purchases, but some say the company should do more.

"Apple can easily detect any fraud were they willing to do so," Xu said, explaining that Apple is technically capable of monitoring the suspicious transactions and blocking the accounts immediately. "But they are reluctant, as doing so would affect their business."

Jin Fei, a Beijing-based Internet security expert, called the practice "organized crime."

According to Jin, there are five trojan virus production-and-distribution groups in China, with more than 300,000 people engaged in developing and selling the virus used to secure the account information.

Cai Haining, deputy director of the Committee for Information Network and High-Tech with the Lawyers' Association of China, told the Global Times that Taobao should shoulder joint responsibility for its failure to supervise the legitimacy of products being sold on its website.

"It should require sellers to stop selling products if they are found to be illegal, or it should take the blame," Cai said.

Song Shengxia and Zhu Shanshan contributed to this story

Hacked ITunes Accounts Continue to Sell in China
 The sale of iTunes accounts that have reportedly been hacked has yet to be stopped by Apple or the Chinese e-commerce site hosting the sellers.

By Michael Kan
Fri, January 07, 2011

IDG News Service — The sale of iTunes accounts that have reportedly been hacked has yet to be stopped by Apple (AAPL) or the Chinese e-commerce site hosting the sellers.

Merchants on the Chinese retail site Taobao.com have been selling iTunes and Apple App Store accounts filled with US dollars for bargain prices. Some services allow the purchase of US$100 worth of products on iTunes for merely 55 yuan ($8.30).

But the Chinese media has reported that hackers obtained thousands of the accounts sold on the site.

The merchants themselves, however, have not said where the accounts have come from. One merchant only said that "maybe" the accounts had been obtained from hackers, but added that the services were legal to buy because the accounts originated from the U.S. Another merchant could not identify where the accounts had come from.

The accounts sold online often state that buyers should make their purchases within 12 hours. This is likely made in order to prevent the real users of the account from noticing the unauthorized transactions and cancelling their credit card information.

How the users stole the account information, however, is still unclear, said Zhao Wei, CEO of Chinese security company Knownsec. Hackers may have originally tried to obtain these accounts by stealing the information on iTunes gift cards. But now they could be developing methods to steal user account information from computers and iPhones, he said.

Apple did not specifically address the problem of hacked iTunes accounts. "We're always working to enhance account security for iTunes users," it said in a statement, adding that users should change their iTunes password immediately upon finding unauthorized purchases.

Taobao has also taken no action. The company said it has received no information from Apple on the accounts, and that no valid takedown request has been received.

Users in the U.S. have complained about scams with iTunes accounts since 2009. In some cases, scammers likely obtained the accounts by sending out fake e-mail messages purporting to be from Apple to trick users into giving up their usernames and passwords.

The stolen iTunes accounts are all the more attractive in China because many consumers there have no way to create legitimate accounts of their own. The Chinese iTunes store only accepts payment by credit card, something many Chinese consumers do not have.

(Robert McMillan contributed to this story.)

Sounds like I may have made the right decision.

Originally Posted by: Zero2Cool