The Towson Hack: The mystery of vanishing iTunes credit

Back on November 28, 2010, a user named stereocourier started a thread on Apple’s support forums. The poster claimed that—without his knowledge or consent—someone spent more than $50 of his iTunes Store credit on iPhone apps. The user had no credit card linked to his account; all the mysterious purchases drew from his store credit. Oh, and stereocourier also noted that various personal details were changed on his account; specifically, his home address was replaced with an address that he didn’t recognize in Towson, Maryland.

As of this writing, that discussion thread has since swelled to more than 45 pages, with nearly 700 posts. Someone—or some group of someones—seems to be able to spend iTunes gift card credit without permission, buying apps that users don’t want. And whoever’s doing the hacking seems pretty good at it: Hundreds of users have seen their iTunes credit stolen, and the hack shows no signs of slowing, ten months after it was first reported.

This is a mystery story, but it’s not a great one. A great mystery generally involves a detective who gathers the evidence, performs an investigation, and finally issues the spectacular reveal: the motive, the guilty party, and—if all goes well—the punishment. In the mystery of the Towson Hack, unfortunately, we’ve got a crime, evidence, and a motive, but no justice, and no real resolution. Consider yourself warned.

The background

In the days and months after stereocourier’s initial forum post at Apple’s site, numerous other users shared similar stories of iTunes Store credit going missing, with receipts arriving that detailed purchases the affected users hadn’t made—$42, $20, $35, $10; no amount of store credit was too small to swipe. In case after case, when the affected customers reached out, Apple customer service representatives agreed to refund the store credit just this once, but acknowledged no wrongdoing or iTunes hacking of any kind.

And, in case after case, the affected users’ addresses were changed to Towson, Maryland. By January 2011, however, it seems that either the attackers got smarter, or other hackers caught on to their process. By that time, towson md itunes was a Google suggestion that led to many Web posts from folks detailing similar stories of iTunes Store credit gone missing—a trend that continues today. So come January, though the theft of store credit at the heart of the Towson Hack remained constant, some customers started reporting that their credit went missing even though the rest of their iTunes account information was left mostly untouched. Many users also started to report that their credit cards were unlinked from their iTunes accounts at the same time their store credit was depleted.

Many customers whose store credit was stolen noted that the purchases centered on a handful of apps from specific developers. One of those developers was “gao jing,” the name behind apps like Expert Guide for Black Ops, Cheats Guide for Black Ops, Weapons Guide for Black Ops, and Game Guide for New Vegas. Notably, none of those apps remain in the App Store as of this writing; however, Apple declined to comment on the reason for their removal from the store. Other customers noted that the purchased apps on their accounts were all from other developers, including “Hongbin Suo,” “lane ma,” “Yang Yun,” “KAMAGAMES,” and “Lakoo.” Many of the purchased apps, or the companies behind them, appeared to be Chinese in origin.

Bob Seifert lives in Wisconsin, and his story is a typical one. “Early in the morning on August 12,” he told Macworld, “I had gotten an email stating that my account was used to purchase [the free app] Instagram” from a device not previously linked to his account. “Shortly after that, I got another email, stating that another free app was purchased—a Chinese one, this time. And then, they made an in-app purchase through that app of $19.99 for some in-game currency of some sort.”

Seifert had never heard of the game before, and says he didn’t download it or make the in-app purchase. When asked if he had ever potentially typed his iTunes password into a Web form, perhaps succumbing to a phishing attack, he replied emphatically: “No, absolutely not. I actually work in the IT department at a large company, and I’m well aware of phishing. I’m closely related to the Information Security group here [at work], and I use overly-complicated passwords for all my stuff.” The rogue purchase on Seifert’s account all but drained what was left of a $25 gift card he’d only keyed in “two to three weeks before the hack.” Interestingly, though Seifert also received an email from Apple confirming that he’d made a change to the billing address on his account, he still saw the correct address (and not Towson) when he logged in.

As is typical of the retellings on the forum thread, Seifert contacted Apple and Apple eventually refunded the purchases—but the company acknowledged no larger issue, and said that the refund was a one-time courtesy. Nor has Apple provided any formal statement on the Towson Hack—not in emails to customers that Macworld could locate, not on its site, and not anywhere else.

The Sega segue

One theory that several victims put forth on Apple’s forum was that the Towson Hack was really devised by rogue developers, who have created largely bogus apps and then used other customers’ gift credit to purchase those apps—scoring ill-earned cash in the process.

Some folks found that their stolen gift credit didn’t go towards the purchase of unwanted Chinese apps, though. Starting in late April, some customers found that instead their funds were making in-app purchases for a game from Sega called KingdomConquest. It certainly seems unlikely that a large corporation like Sega would intentionally involve itself in malicious behavior like the Towson Hack, suggesting that perhaps something was going on beyond just racking up sales of bogus apps.

Customers who fell victim to the KingdomConquest variant of the Towson Hack didn’t own the original app, and certainly never went into the game to make in-app purchases with their store credit. Somehow, hackers were able to “buy” the free app on victims’ iTunes accounts, and then trigger the in-app purchases.

In its own forum, Sega posted this message:

We are currently investigating this claim as well as some others, but since we have no access to any customers’ iTunes account information or transaction histories we highly recommend contacting Apple directly… Allow me to state very clearly that Sega and ‘Kingdom Conquest’ are not acting maliciously in any way.

A spokeswoman for Sega exchanged emails with Macworld, but declined to comment on the matter beyond the above forum post.

While the modus operandi stays the same, it seems clear that the KingdomConquest variant of the Towson Hack comes with a different motivation. One plausible explanation: Hackers familiar with the technique are selling access to hacked iTunes accounts with store credit to burn. Perhaps if you're willing to pay a hacker $10, he'll give you access to a hacked account with $50 of credit—and perhaps Sega's game proves quite popular with folks willing to make that deal. Without further comment from Apple or Sega, however, it's hard to say definitively. Such a scenario does seem to mark the easiest explanation of why Sega’s popular game got involved in this mess.

Towson and beyond

By June, the malicious users behind the Towson Hack seemingly started a road trip: Customers began reporting that, after their store credit was wiped out, their billing addresses changed to one of a variety of places, including Miami, Florida and Cockeysville, Maryland.

Also in June, some customers reported receiving a message from Apple with a notably different tone. Poster UnbrknCh8n claimed that Apple wrote:

After reviewing the circumstances of your case, we determined that issuing you a refund for the items that were purchased without your permission is an appropriate exception to the iTunes Store Terms and Conditions, which state that all sales are final. A refund in the amount of $49.97 will be credited to your iTunes account.

That admission that the purchases were made “without permission” remains the closest that Apple has gotten to actually acknowledging the existence of the Towson Hack.

But even that concession has not been codified among the echelons of Apple’s customer service: Another user—eric.h.210—claimed that Apple wouldn’t refund his fraudulently-incurred charges because it was his second time falling victim to the attack.

Apple’s band-aid

And the Towson Hack continues unabated. Newly-victimized customers join in the discussion at Apple’s site quite regularly—daily, since Macworld began monitoring the thread last month.

Around June of this year, Apple began emailing customers who purchased apps from devices not previously linked to their iTunes accounts. For example, if you bought a new iPhone, and then purchased an app from that iPhone, you’d receive an email reading in part:

Your Apple ID was just used to purchase [the app in question] from the App Store on a computer or device that had not previously been associated with that Apple ID. If you made this purchase, you can disregard this email. This email was sent as a safeguard designed to protect you against unauthorized purchases.

The email provides links to pages at Apple’s site for changing your iTunes password and improving your overall security. It doesn’t provide a direct link to report that the purchases were unauthorized, though. And while the message may be working to alert customers when they’ve fallen victim to a hack such as this one, it’s not stopping the theft from occurring.

The hack gets scarier

Craig Williams, who lives in Oregon, adds a slightly new wrinkle to the Towson Hack. He was hit back in June. “I woke up and had several emails from PayPal confirming small iTunes purchases.” When Williams mentioned PayPal, his story initially seemed unrelated; reported PayPal-related abuse typically stems from successfully phished PayPal passwords.

But here’s the thing: Williams did get victimized by the Towson Hack first. “After investigating, I saw that my gift card balance had been drained as well.” Piecing together his iTunes purchase receipts, Williams saw that the gift card balance went first—“about $20 or so”—and only then was his iTunes-linked PayPal account attacked. “Fortunately,” Williams says, “they only used about $100 from my PayPal account.” In Williams’s case, all the stolen funds went to in-app purchases in Sega’s KingdomConquest game.

Anne Robson’s gift credit was stolen for in-app purchases in KingdomConquest, too. But the added detail in Robson’s case is even more troubling: Robson lives in the UK. In an email to Macworld, she explained how she “loaded up a £25 gift card… [most of] which was stolen from my account in the space of about 5 mins one Friday afternoon” in June, over the course of three transactions. But here’s where Robson’s story gets (even more) alarming: “While my account was locked down by Apple following me disputing the transaction, a further attempt was made to take money out.”

Apple couldn’t explain to Robson how anyone could attempt to purchase apps with her account while it was locked. Apple locks accounts when you report fraud, just as your credit card company prevents your card from incurring subsequent charges when you report it stolen—in theory, it should be impossible to even log in to an account after it’s been locked.

Robson’s case might indicate that the ne’er-do-wells behind the Towson Hack somehow muck with iTunes accounts via methods so insidious that they bypass Apple’s blocks. Or, her case might simply be a fluke—an erroneously-applied block or an outlier. There is also a less exotic possibility: a lock that prevents new logins does not necessarily invalidate sessions or device authorizations that were established before the lock, so an attacker who was already in could still attempt a purchase and have it refused at the point of sale rather than at login. Nothing Apple told Robson confirms or rules that out.

When Macworld contacted Apple about the Towson Hack, the company provided a written statement reading:

We’re always working to enhance account security for iTunes users. If your credit card or iTunes password is stolen and used on iTunes you should contact your financial institution about any unauthorized purchases, and be sure to change your iTunes account password right away. For tips on protecting your iTunes account security visit www.apple.com/support/itunes.

As useful as that information may be, it fails to address the crux of the issue: stolen store credit. And, as with the individual cases of reported theft, Apple’s statement makes no mention whatsoever of any sort of systematic hacking like the kind that appears to be at the root of this phenomenon.

Now what?

So what’s a concerned iTunes customer to do? Apple has generally seemed responsive to customers affected by this issue, and eventually refunded their money—but only, it appears, when customers first report the problems themselves. If you add store credit to your iTunes account and don’t spend it immediately, you need to watch your balance very closely. Check your iTunes purchase history from within iTunes, to make sure you didn’t purchase any apps unknowingly.

It seems likely that an iTunes exploit exists that allows hackers to steal gift card credit from customers—if so, that exploit has remained unpatched for close to ten months. If you believe that your account has been affected by this attack, you should report it immediately to Apple using the iTunes support form and Apple’s privacy issues contact form.

Do you need to panic? It’s hard to say. Apple does solid business with its iTunes gift cards; with well over one hundred million iTunes customers, you’d expect the Internet to grind to a halt, choked by customer complaints, if every dollar of iTunes store credit were stolen by malicious folk. By the same token, targeting only a tiny percentage of iTunes users works in the hacker’s favor: As with most malware and phishing attacks, the hackers can still net a good return while remaining beneath the radar.

Apple suggests that the Towson Hack stems from weak, easily guessable passwords, and/or phishing attacks where customers are fooled into entering their passwords into hackers’ forms. If Apple’s right, that means that somehow the hackers are then logging into all the accounts they’ve captured each day, checking for iTunes Store credit to exploit. That’s no small task, and a tough one to pull off while evading detection. But the fact that the only consistently-reported abuse involves stealing store credit makes this theory less plausible. Craig Williams saw his PayPal account hit, too—but only after the hackers started with his gift credit.

Why aren’t the attackers just as willing to use credit cards linked to iTunes account to make these unwanted purchases? Perhaps they are making rogue credit card purchases too, but almost no one has noticed or reported such abuse—unlike the store credit theft victims, who report the issue in droves. It’s possible, yes. But it’s not likely.

You were warned

As we said at the outset: This isn’t a great mystery. We still don’t know whodunit, why the attack targets exclusively gift credit, and whether Apple will ever be able to block or detect the rogue store-credit-powered purchases preemptively.

In other words, we’re no closer to knowing how the Towson Hack really works. There was a time you could purchase hacked iTunes accounts in China, but again, you’d expect that if the accounts themselves had been phished or hacked, we’d see fraudulent purchases that didn’t rely on store credit. It thus seems more probable that whatever the means of the attack, it does somehow require that store credit be present to work.

The one thing we may have a better understanding of is motivation. It’s possible that the Towson Hack is exploited by different malfeasants, towards different ends. The more common scenario involves the submission of functional-but-insubstantial apps to the App Store, followed by making repeated purchases of (or from within) those apps with stolen iTunes credit—to make money on the “sales.” But in some cases, hackers who’ve found a way to exploit the Towson Hack appear to be profiting from it not by “buying” copies of their own apps, but rather by selling access to accounts with gift credit for others to use.

Of course, that doesn’t really explain how the Towson Hack works in the first place.

It’s entirely possible that Apple’s analysis is spot-on. If Apple is indeed correct, then the Towson Hack is really a traditional password hack. Indeed, a few Towson Hack victims report that they received email notifications from Apple about too many login attempts on their accounts in the days leading up to their gift card thefts, which would suggest brute-force password-guessing attempts.

So maybe hackers are breaking into iTunes accounts through aggressive password cracking, and then they only steal gift card credit because it’s a bit quieter and less obvious than racking up credit card charges. Maybe they use an automated hacking process that first attempts to change your billing address to confirm that they have access, and only then do they start spending your credit. That seems a bit far-fetched, though; it appears as though the hackers explicitly target accounts with gift cards, as opposed to breaking into everyone’s accounts and only attacking the ones with credits.
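As an added example (not from the Macworld article, from Apple, or from any of the victims quoted), here is a small Python detector that takes a constructed account-activity log and flags the sequence speculated on above: a burst of failed logins, a billing-address change, then purchases from a device never seen before that drain store credit in a rapid series. The log line format, the device identifiers, the thresholds, and the sample events are all assumptions made for illustration; Apple does not expose account history in this form, so a real deployment would have to build these events from the receipt and security emails the article describes.

```python
"""Heuristic detector for the account-takeover sequence described in the article.

Everything here is an assumption for illustration: the event line format
('<ISO timestamp> <kind> key=value ...'), the device names, the thresholds,
and the sample logs. It is not Apple's code or data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str                       # login_failed | address_changed | purchase
    attrs: dict = field(default_factory=dict)


def parse_event_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts_text, kind, *pairs = line.split()
    attrs = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts_text), kind, attrs)


def analyse(lines, known_devices, *, fail_window=timedelta(minutes=10), fail_burst=5,
            follow=timedelta(hours=1), spend_window=timedelta(minutes=5), spend_count=3):
    """Return the indicators found in the log plus a simple verdict.

    An account is called suspicious when at least two independent indicators fire,
    so a single new-device purchase (a new iPhone, say) is not enough on its own.
    """
    events = sorted((parse_event_line(ln) for ln in lines if ln.strip()), key=lambda e: e.ts)
    indicators = []

    # 1. Burst of failed logins: fail_burst failures inside fail_window
    #    (the 'too many login attempts' notices some victims reported).
    fails = [e.ts for e in events if e.kind == "login_failed"]
    for i in range(len(fails) - fail_burst + 1):
        if fails[i + fail_burst - 1] - fails[i] <= fail_window:
            indicators.append("login_failed_burst")
            break

    # 2. Purchase from a device not previously associated with the account
    #    (what Apple's new-device email warns about).
    purchases = [e for e in events if e.kind == "purchase"]
    new_device = [e for e in purchases if e.attrs.get("device") not in known_devices]
    if new_device:
        indicators.append("purchase_from_new_device")

    # 3. Billing-address change followed within 'follow' by a new-device purchase
    #    (the hypothesised 'confirm access, then spend' automation).
    for change in (e for e in events if e.kind == "address_changed"):
        if any(timedelta(0) <= p.ts - change.ts <= follow for p in new_device):
            indicators.append("address_change_then_purchase")
            break

    # 4. Store credit drained in a rapid series: spend_count credit-funded
    #    purchases inside spend_window (Robson: three transactions in ~5 minutes).
    credit = [e for e in purchases if e.attrs.get("paid_with") == "store_credit"]
    for i in range(len(credit) - spend_count + 1):
        if credit[i + spend_count - 1].ts - credit[i].ts <= spend_window:
            indicators.append("rapid_store_credit_spend")
            break

    spent = round(sum(float(e.attrs.get("amount", 0)) for e in credit), 2)
    return {"indicators": indicators, "store_credit_spent": spent,
            "suspicious": len(indicators) >= 2}


# Constructed sample logs (not real account data).
KNOWN_DEVICES = {"home-mac", "my-iphone"}

SUSPICIOUS_LOG = """
2011-08-12T02:50:00 login_failed
2011-08-12T02:50:20 login_failed
2011-08-12T02:50:41 login_failed
2011-08-12T02:51:03 login_failed
2011-08-12T02:51:30 login_failed
2011-08-12T03:05:10 address_changed
2011-08-12T03:06:00 purchase device=unknown-iphone app=FreeGame amount=0.00 paid_with=none
2011-08-12T03:07:30 purchase device=unknown-iphone app=FreeGame-IAP amount=19.99 paid_with=store_credit
2011-08-12T03:08:15 purchase device=unknown-iphone app=FreeGame-IAP amount=4.99 paid_with=store_credit
2011-08-12T03:09:02 purchase device=unknown-iphone app=FreeGame-IAP amount=0.99 paid_with=store_credit
"""

BENIGN_LOG = """
2011-08-01T10:00:00 purchase device=home-mac app=SomeApp amount=2.99 paid_with=credit_card
2011-08-03T18:30:00 login_failed
"""

if __name__ == "__main__":
    print(analyse(SUSPICIOUS_LOG.splitlines(), KNOWN_DEVICES))
    print(analyse(BENIGN_LOG.splitlines(), KNOWN_DEVICES))
```

Requiring two indicators is the deliberate design choice: a lone purchase from a new device is exactly what Apple’s June email already reports, and it is also what every legitimate new-phone owner triggers; the pattern worth alerting on is the combination with a prior login burst, an address change, or a fast series of credit-funded purchases.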

Apple apparently believes that the Towson Hack isn’t iTunes-specific—that it’s simply a traditional hacking attack that happens to target iTunes; otherwise, it seems as though the company would have changed something since November 2010.

But it’s far from clear if that theory is correct. Until or unless Apple can confirm and fix the exploit, it’s up to iTunes customers to watch their accounts very closely.

[Lex Friedman is Macworld’s staff writer.]
