Cybercriminals have illegally obtained iTunes user accounts and are auctioning them on taobao.com, China’s largest online store. The criminals are offering interested parties the opportunity to buy $200 worth of digital products from iTunes for prices ranging up to $30, according to a report by the Global Times newspaper.
The only restriction: buyers have to make their purchases within 24 hours of the taobao.com transaction.
A Global Times reporter wired $5 to a seller through taobao's online payment system, which then provided a username and password to iTunes. Upon accessing the account, the credit card details of a user appeared in the payment information section with a US billing address.
Xu Yuanzhi, a Chongqing-based IT expert, said that the cybercriminals either directly hacked iTunes accounts owned by foreign users or stole the details of overseas credit cards, which were then used to register several iTunes accounts for purchase. "A 24-hour limit is out of concern that the legitimate user will discover his account being violated and cancel his card within this period", Xu told the Global Times.
Paul Vlissidis, technical director at NGS Secure, said that it is not clear whether the iTunes accounts were set up fraudulently or whether the accounts were stolen.
“This case is yet another example of how hacking can be viewed as profitable, and therefore the utmost vigilance is necessary from companies in the online services space. There is little users can do if the service provider is hacked and their data is stolen – in this case it would seem that the provider has questions to answer. However, if the user accounts have been harvested as a result of weak passwords then, to some extent, the users only have themselves to blame”, he commented.
Vlissidis stressed that individuals need to take responsibility for their own information security. “It isn’t rocket science – it’s about using robust passwords, not sharing passwords between sites, and checking account histories and credit card statements regularly to detect any unusual transactions that might indicate a breach.”