Hackers invade iTunes accounts

From the August 26, 2010 edition, USA Today, page B1

By Byron Acohido 

Cybercriminals are stepping up the hijacking of Apple iTunes accounts, often leaving consumers distraught.

Hijackers buy iTunes logons from e-mail phishers expert at tricking you into typing your credentials at spoofed websites. iTunes logons also get stolen and sold off by hackers who spread computer infections containing keystroke loggers that capture logons as you type them.

Hijackers often begin by testing a few $1 purchases before moving on to larger transactions. They typically buy iTunes gift card codes, usually in $50 to $200 amounts. They then sell the codes — which can be used like cash to buy music and videos — at a steep discount, openly on the Internet. "Any online account that allows the transfer of funds can be a cash cow," says Randy Abrams, education director for anti-virus firm ESET.

Apple says there is little it can do about iTunes account hijacking. The company advises victims to change their passwords and contact their financial institution about being made whole.

iTunes hijacking has been happening for at least a year. It heated up after CEO Steve Jobs boasted at a June conference that Apple supports 150 million iTunes users, says Kurt Baumgartner, senior researcher at Kaspersky Lab. Cybercriminals are opportunistic, he says. They know Apple stores credit and debit card, checking account and PayPal information to enable online transactions.

Jeremy Schwartz, a 24-year-old tech contractor from Maumee, Ohio, recently had to scramble to get his bank to reimburse $87. An intruder logged into his iTunes account and used his debit card account number to buy an iTunes gift card and other items. Schwartz launched a Facebook discussion page for angry iTunes victims, and shut down his iTunes account. "I refuse to buy from a company that can't even admit there's a problem when the problem is pretty big," he says.

Schwartz got his $87 back from Huntington Bank. Many others haven't been as lucky. A common complaint: Financial institutions and Apple often both deny responsibility, leaving the consumer to eat the loss, says LaToya Irby, a credit management blogger at About.com.

Consumers should keep anti-virus protection and all software updates current, change passwords often, avoid disclosing personal information and surf the Web judiciously. "Ultimately, it is up to the users to safeguard themselves," says Sean-Paul Correll, threat researcher at PandaLabs. Apple, he says, should consider advancing to better fraud-detection technology, more like what banks use.