Phishers Drain PayPal Accounts Via iTunes

Update in second article. A phishing scam (collected users' passwords and account data via fake popups, etc.) that hit a large number of people at once for money withdrawal. Apparently has been going on for a year.


Fraudsters Drain PayPal Accounts Through iTunes

Aug 23 2010

Reports are appearing this morning about a major security hole in iTunes accounts linked to PayPal. At least one group of scammers has found a way to charge thousands of dollars to iTunes accounts through PayPal. One targeted customer told us, “My account was charged over $4700. I called security at PayPal and was told a large number of iTunes store accounts were compromised.” His email was filled with nearly 50 receipts from PayPal for $99.99 each. (Update: they were for “CastleCraft, Dragon Crystals (10000 Pack), Seller: Freeverse, Inc”). He was able to catch it before his bank disbursed funds to PayPal.

But others were not so lucky. A quick search of Twitter and Facebook shows that the problem is not isolated. Joey Bruce on Twitter laments:

Someone hacked my iTunes/paypal acct and drained everything from my bank account. Life is kicking me in the balls while I’m down.

A search of public status updates on Facebook uncovers more people with the same issue:

Darn…what a day! Someone hacked into my itunes account and bought a crap load of downloads and emptied out my paypal account….grrrrr. . . . Paypal is very cooperative but there is just about no way to get ahold of itunes. I did call paypal and they assured me that they had contacted itunes and it was going to be taken care of in my favor.

so apple/itunes had a security breach & someone bought over $500 worth of music through my paypal account. just what i wanted 2 b dealing w/ while in San Diego! AWESOME!!!

Everybody watch your itunes account closely. I just got hacked for almost $1000.00 worth of software, videos and music. Hopefully paypal will refund it all. . . . This happened within the last few hours. Once transaction after another.

At least PayPal is aware of the issue, but it seems like the problem is on the iTunes side.


Aug 23 2010

The real iTunes fraud vulnerability: Gullible users

So these reports of a major security hole in iTunes, one through which people have had their PayPal accounts drained?

Not much to them, I'm told. Or, rather, not much to their assertion that Apple is at fault here. There's no security hole in iTunes, and if you've been unfortunate enough to have hundreds of dollars in unauthorized purchases charged to your iTunes account, it's likely because you've fallen victim to a phishing scam--a variation on the one that's been around for years now. Sources close to Apple tell me iTunes has not been compromised and the company isn't aware of any sudden increase in fraudulent transactions.

As for an official comment, Apple offers this bit of common sense advice:

"iTunes is always working to prevent fraud and enhance password security for all of our users. But if your credit card or iTunes password is stolen and used on iTunes we recommend that you contact your financial institution and inquire about canceling the card and/or issuing a chargeback for any unauthorized transactions. We also recommend that you change your iTunes account password immediately."

PayPal declined to comment on the issue, but told me that any unauthorized charges sent through its service will be reimbursed.


A simple but effective solution to this type of activity would be to obtain one of PayPal's offered security token devices.

Once in your hands and activated, for a small one-time fee of $5.00, or at least this is the last I looked, your account cannot be accessed without typing in a six-digit code presented by the token.

If you're not familiar with such tokens, the actual technology of these devices I'll leave out (what I know of it anyhow), is that the token has a serial number that must be affiliated with your account, the device sports a pseudo-random number generator, so with each press of the button, a new code appears, this is tracked through PayPal's servers as well as a third party to verify the code, which changes every 40-60 seconds, or at each push of the button.

I wouldn't use PayPal without it. I also use another token for my main email server that accomplishes the same thing. These tokens were originally used for corporate intranet structures, but within the last 5-8 years or so have found their way useful in the general public realm.

Be smart, take every precaution possible.
