My final thoughts on the iTunes-related frauds
Apparently Apple today gave an official answer, to Clayton Morris, saying that only 400 accounts had been involved in the iTunes developer fraud I made public this Sunday. They also went on to underline that we’re talking about 400 out of 150 million accounts – an extremely tiny percentage; and they said that Thuat Nguyen has since been removed from the App Store for violating the developer terms.
I’m obviously happy that Nguyen got his punishment. However, I’m a bit wary of the hasty dismissal of the core issue.
I do understand Apple is extremely interested in diverting attention and claiming this was an isolated case. But in my opinion (based on nothing other than the links and logic detailed below), Nguyen is just a scapegoat, and we are not talking here about one single developer who got access to 400 iTunes accounts, but about an organized, widespread criminal activity (see thenextweb, appleinsider).
I also got word from a Chinese resident that it’s fairly common for young computer users to use Taobao.com in order to purchase either direct access to other people’s iTunes credentials, or (almost untraceable) iTunes gift cards (cards worth tens of dollars, sold for a couple of RMB, previously purchased using similarly hacked iTunes accounts).
I believe that what Nguyen did was purchase a bunch of such hacked accounts, which he used on a daily basis to make purchases across his own apps. Based on my estimates from here, it is hard for me to believe that one can make around 100 purchases per app for each of his 41 apps using only 400 compromised accounts, for at least a month and a half, without being noticed by the rightful credit card owners. Actually it’s impossible: you cannot re-purchase the same app using the same account, and since each of the apps has been downloaded at least X (days) times N (number of purchases needed to keep spot #9 in the ranks), each app must have been downloaded at the very least 100 (purchases) times 30 (days) times. So Nguyen must have used at least 3000 different accounts for his deeds (although there were probably twice that many). Just notice that, even if he did use hundreds or thousands of gift cards as an alternative payment method, he’d still have needed different accounts to make the purchases.
Why would anyone go through such trouble, and why would they pay up 30% in sales commission to Apple? [rephrased here since it was confusing for some]
It’s classic money laundering – you turn an illegal revenue (credit card fraud) into a legal one (iTunes developer payouts).
To sum my ideas up, the number of compromised accounts one needs in order to make such purchases over a long period (and, most of all, without being detected) is much too big to be ignored.
The complexity of this kind of task (one has to log in with a stolen account, purchase all 41 apps, log out and then do it again for hundreds more accounts) leaves only three plausible options:
- the first is that the fraud was automated by some scripted program.
- the second is that the fraud was done by hacking the iTunes servers and skipping the normal security steps.
- the third, and the scariest, is that this is an organized venture and that there are, somewhere, tens of people working at their computers, repeating daily the same steps I described. The results (millions of dollars) are totally worth it to them.
So, do you now believe me that this might be a much wider story than the one Apple so simplistically dismissed?
PS. This is not the first report of app farms; there are developers out there with thousands of apps in their App Store portfolio – too many for a normal team of developers to submit, even if they didn’t need to do anything else all day (like development, for instance). As long as Apple doesn’t take more proactive steps to finish off the app farms (by raising the bar for the app submission process) and to investigate (data mining, perhaps?) suspicious patterns in iTunes purchases, I guess there’ll be no end to this.
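As an illustration of the kind of data mining the post asks for, here is an added example (written for this page, not code from the original post, from Apple, or from any real store back end). It screens a constructed purchase log for the signals the post and the comments describe: many distinct accounts each buying a developer’s whole catalogue within minutes, purchased apps that are never downloaded to any device, and the post’s lower bound on how many distinct accounts a sustained purchase rate requires. The developer names, thresholds and log records are all constructed.

```python
"""Purchase-pattern screening for the account-farming scheme described above.

Added example for this page; not code from the post, from Apple, or from any
real store.  Developer names, thresholds and log records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Purchase:
    account: str
    developer: str
    app: str
    ts: datetime
    downloaded: bool  # was the app ever fetched to a device after purchase?


def build_sample_log() -> List[str]:
    """Constructed CSV lines: account,developer,app,timestamp,downloaded.

    'dev_farm' has 8 apps; 30 accounts each buy all 8 within seven minutes and
    never download them.  'dev_indie' has 5 apps bought one or two at a time by
    40 accounts that do download them.
    """
    lines = []
    base = datetime(2010, 6, 15, 3, 0)
    for i in range(30):
        start = base + timedelta(hours=i)
        for j in range(8):
            ts = start + timedelta(minutes=j)
            lines.append(f"acc{i:04d},dev_farm,farm_app{j:02d},{ts.isoformat()},0")
    for i in range(40):
        ts = base + timedelta(hours=3 * i, minutes=i % 17)
        lines.append(f"user{i:04d},dev_indie,indie_app{i % 5:02d},{ts.isoformat()},1")
        if i % 4 == 0:  # a quarter of organic buyers come back for a second app
            ts2 = ts + timedelta(days=2)
            lines.append(f"user{i:04d},dev_indie,indie_app{(i + 1) % 5:02d},{ts2.isoformat()},1")
    return lines


def parse(lines: Iterable[str]) -> List[Purchase]:
    out = []
    for line in lines:
        acc, dev, app, ts, dl = line.strip().split(",")
        out.append(Purchase(acc, dev, app, datetime.fromisoformat(ts), dl == "1"))
    return out


@dataclass
class DeveloperReport:
    developer: str
    catalogue_size: int
    buyers: int
    wholesale_buyers: float  # share of buyers taking most of the catalogue in one short session
    never_downloaded: float  # share of purchases never fetched to a device
    suspicious: bool


def analyse(purchases: Iterable[Purchase],
            catalogue_share: float = 0.8,
            session_window: timedelta = timedelta(minutes=15),
            flag_at: float = 0.5) -> Dict[str, DeveloperReport]:
    """Score every developer; the thresholds are constructed for this example."""
    by_dev: Dict[str, List[Purchase]] = defaultdict(list)
    for p in purchases:
        by_dev[p.developer].append(p)
    reports = {}
    for dev, ps in by_dev.items():
        catalogue = {p.app for p in ps}
        per_account: Dict[str, List[Purchase]] = defaultdict(list)
        for p in ps:
            per_account[p.account].append(p)
        wholesale = 0
        for lst in per_account.values():
            distinct = len({p.app for p in lst})
            span = max(p.ts for p in lst) - min(p.ts for p in lst)
            if distinct >= catalogue_share * len(catalogue) and span <= session_window:
                wholesale += 1
        buyers = len(per_account)
        wholesale_share = wholesale / buyers
        undownloaded = sum(1 for p in ps if not p.downloaded) / len(ps)
        reports[dev] = DeveloperReport(dev, len(catalogue), buyers, wholesale_share,
                                       undownloaded,
                                       wholesale_share >= flag_at and undownloaded >= flag_at)
    return reports


def min_accounts_needed(purchases_per_app_per_day: int, days: int) -> int:
    """Lower bound from the post: an account can buy a given app only once, so
    N purchases of one app per day for D days needs at least N*D distinct accounts."""
    return purchases_per_app_per_day * days


if __name__ == "__main__":
    for rep in analyse(parse(build_sample_log())).values():
        print(rep)
    print("accounts needed for 100/day over 30 days:", min_accounts_needed(100, 30))
```

The two signals are deliberately combined before a developer is flagged: a single-app indie developer also has “short sessions”, but its buyers neither sweep the catalogue nor leave purchases undownloaded, so it stays clear while the farm pattern scores 100% on both.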
19 Comments to “My final thoughts on the iTunes-related frauds”
The flaw with your math is that you’re assuming that each account can only be used once. He could have bought all 40 apps with each of the 400 accounts – for a total of 16,000 purchases.
Your “Why would anyone go through such trouble, and why would they pay up 30% in sales commission to Apple?” comment also indicates a very weak understanding of the process. The crook doesn’t pay ANYTHING to Apple. In fact, he would receive money from Apple for the purchased apps (at least until he was caught).
Please stick to writing software since your math skills are very weak.
Joe, you seem to have seriously misunderstood my logic:
My math above was just saying that any single app (out of the 41) should have been purchased at least 3000 times, which you must do with separate accounts. This is because the strange behavior of those 41 apps had been displayed for over a month, and not in a single day.
Or, to speak more Math for you:
* just like you said, 400 accounts would be able to provide 400*41 = 16400 purchases.
* but, to have 41 apps downloaded 100 times each over the course of a full month, you’d need 41*100*30 = 123000 purchases; that’s 7.5 times more than what 400 accounts could have provided; so we can only deduce that at least 7.5*400 = 3000 accounts should have been used.
As for your second remark: you are just restating my point, only you failed to understand it. I was just pointing out that crooks could usually get more money out of stolen credit card numbers, but they prefer laundering it through iTunes even if by doing so they get 30% less from it.
RT: @catalintenita: and since we’re talking about apps, an excellent post by @alexbrie: http://www.alexbrie.com/archives/238
[...] World tracked down Alex Brie, a developer who first reported the issues, and [...]
I believe that your credit card is not exposed inside of itunes accounts, so the black hatter HAD to use iTunes to get money… they basically had to give 30% to Apple, (if they didn’t get caught)
also you are assuming this person acted alone, he most likely had many friends helping him download, he was too greedy and got caught.
This happens all the time. People buy compromised iTunes accounts from the black market, and buy a few songs and apps they want; they don’t usually get caught, the credit card companies reimburse the loss to the victim, but they do not go after these people in Asia…. the credit card companies just write it off… This guy just got himself put under a microscope because he was too greedy… but that is about the only difference.
there are 1000’s of accounts to choose from on the black market… all from people’s PC’s that are compromised, and they do not know it yet, until the account is sold.
this guy most likely bought a few accounts at like $3.50 a pop… and started the whole download process… he most likely did not do the hacking of people’s PC’s himself.
I doubt his intention was to get in the “top 50”… that was probably not his intent… that was a side effect of him being too greedy.
one thing I wanted to ask: did you really say you think Apple’s servers had to be compromised to do this? why would you think that? when all it takes is lots of buys to get in the top 50 in a somewhat obscure section, which is exactly what this person was doing judging from the victims’ own statements that they were being charged like $600 and $1400 each…
———–
My math above was just saying that any single app (out of the 41) should have been purchased at least 3000 times
—————
3000 times over what period of time? is this what your book app achieves (in time and downloads) to be in the top 50?
I was one of those who was defrauded by this Nguyen guy. After I noticed that the apps were not downloaded (only purchased), and that no other computers were authorized for my iTunes account, I immediately began to suspect it was some kind of developer fraud.
Unfortunately, Apple’s “support” system is virtually non-existent. Not only are there no phone lines, the people they have interacting via email seem incapable of deviating from the standard support script.
I am also extremely frightened by Apple’s security terms, in light of this whole fiasco:
“You are solely responsible for maintaining the confidentiality and security of your Account. You should not reveal your Account information to anyone else or use anyone else’s Account. You are entirely responsible for all activities that occur on or through your Account, and you agree to immediately notify Apple of any unauthorized use of your Account or any other breach of security. Apple shall not be responsible for any losses arising out of the unauthorized use of your Account.”
There is something very wrong with iTunes security. The password I used was unique to iTunes – I used it nowhere else, so the thieves cannot have gotten it from any other source. I run strict security on my home computer, using a router with a firewall, my OS’s firewall, Adaware, Spybot, and even Microsoft’s Defender, and I am very careful with my information. Apple suggested that I left my bank account information somewhere or that my card was stolen, despite the fact that the only suspicious activity was one developer’s apps being downloaded to iTunes. By the time Apple’s support staff took any action, I had already deleted my card info, changed the login information for my iTunes account, and alerted my bank to the fraudulent charges. It took Apple 4 days to respond to my support request.
Apple’s policy of blaming the user and suggesting that my bank’s (MY BANK’S) security was compromised is troublingly laughable.
Even if it was only 400 users, Apple still made a crapload of money off this fraud. I would think they will have to refund it somehow, but if the banks simply “write it off” then will Apple simply keep these profits?
Oh, and as for hacking my computer, I did not store my password in iTunes, and I do not leave my computer on for extended periods of time either. I turn it on in the morning and off at night when I am done with work. Conversely, I assume the servers on which my iTunes account info is stored are on 24/7. Just saying.
————
The password I used was unique to iTunes – I used it nowhere else, so the thieves cannot have gotten it from any other source…
—————
geez…. let’s say your computer was hacked by a new hack, you know, the kind that your AV software has no idea about, because AV software is basically clueless about new attacks? which they are, and why they are worthless…
why was Apple talking about your Bank account? didn’t your iTunes account get taken over? or did they create a new iTunes account with your bank info?
In your Account on iTunes underneath purchases, (you know, where you go to see if anything is out of order) Apple gives you the step by step process RIGHT ON THE PAGE for what you are to do if something is wrong, including contacting your Credit Card, what else are they supposed to do? hold your hand while you do it? or let you talk their ear off about how you want to blame someone else while you go through the same exact steps that are listed there for you??….
your credit card will return your money, as they always do.
your password was stolen, period, (unless they set up a new account) all you have to do now, is figure out how, and no, your app you downloaded didn’t do it, it has no idea what your password is. the apps that were illegally downloaded did nothing more than get purchased… they are not master thieves…
the best guess right now is a Keylogger on your Computer. look for it… don’t rely on AV software… do some research, What is your OS? what is your update on the OS? how old is your computer… etc…
—— Apple still made a crapload of money ———-
uhh, Apple makes a “crapload” on the BILLIONS AND BILLIONS of regular downloads, as opposed to the “crapload” of the 400 accounts… ????
this is what you should have done…
Assume That You’ve Been Hacked, not doing so was the first mistake in ALL of these situations below.
http://blogs.forbes.com/firewall/2010/07/07/bottom-line-assume-that-youve-been-hacked/
[...] of the developers who initially reported the App Store problems with the Vietnamese developer, is suspicious of Apple’s claims. After his calculations, Nguyen would have needed at least 3,000 hacked iTunes [...]
honkj, the chances of it being a keylogger are very low, IMO. I don’t remember the last time I typed my iTunes account password before my iTunes account was hacked, if ever. I don’t access my account information through iTunes on my PC (I rarely use it at all since it runs so poorly). At any rate I am using XP, which was freshly installed and updated on a new HD about a month before this fraud. Unless people have figured out how to install a keylogger on my iTouch, it seems unlikely they got my password this way. I also forgot to add that I run HijackThis from time to time to monitor what is going on. I have never found a keylogger on my machine. As for AdAware, Spybot and Defender being “basically clueless about new attacks” that is simply not true. All three of them are very good at realtime updating. I realize there are new attacks all the time, but so are these programs.
I also misspoke. The apps were never downloaded. They were only purchased.
I understand that Apple should not be responsible for everything that happens in my account. However, I think they should bear at least a little. As I said, although I cannot control all the information stored on iTunes, I am expected to be in charge of securing that information. Had I been aware of this, I would not have bought a $250 iTouch. Now, I can either continue to be exposed to risk through iTunes, or turn my iTouch into a very expensive paper weight.
Those 40 apps sat in my account, purchased but not downloaded for a couple weeks, and I got no answer on how to get rid of them – until Apple deleted them from the App Store, then they simply disappeared one day.
I have used Tiger Direct, New Egg, Amazon, and other online retailers, as well as using online banking for almost a decade and have never had my accounts hacked or used illicitly. I have been using the app store for a little over a year and it was hacked.
I don’t know how much you make honkj, but thousands of dollars is a lot of money to me, especially in light of how most banks write off fraudulent charges. Is Apple going to keep these fraudulently procured funds?
I couldn’t agree more about the complete lack of or disinterest in support from Apple. I was hacked into on July 6, my bank notified me within 30 minutes and Apple refuses to acknowledge that I was part of the Nguyen hack or refund the account. Since I was part of the 400+ accounts hacked by this single person, it would seem simple and in Apple’s best interest to proactively refund all affected accounts. They certainly aren’t out any money as they will not be paying Nguyen for this fraud so Apple is left to profit from that, very poor PR for a company like Apple.
My last response from Apple, which takes 2 days between emails for a response, stated that I should have my attorney contact their litigation department to settle this issue. I have never threatened to sue over $84 and Apple must know no one would sue. Unfortunately this whole issue is exposing me to a very poorly run customer service operation at Apple.
No more Apple product for me unless something changes quickly.
I’ve seen honkj’s comments popping up everywhere on forums discussing ‘hacked’ iTunes accounts. In a nutshell, he seems to be an Apple brown-nose fanboy. And there have been comments by other users NOT USING PC who also had their accounts ‘hacked’, repeatedly negating honkj’s assertion that it’s PC users’ failure to recognize their own PC alleged security lapses rather than Apple’s.
I’m a PC user, with anti-virus, AdAware, Spybot, etc. The last time I used my iTunes account was more than 12 months ago, before my account was ‘hacked’ this month. So if there was a keylogger on my PC, why wait for 12 months before logging into my iTunes account now?
honkj, why are you defending Apple blindly? Maybe you’ve got a brain somewhere?
I woke up this morning (8/8/10) to $175 removed from my PayPal account, in the course of five transactions, over several hours, the last transaction WHILE I was on the phone with PayPal, trying to figure out what was going on! What was odd, is the charges were coming through a “billing agreement” PayPal said I agreed to with iTunes over four years ago, in 2006. If I did, it obviously hadn’t been in effect, because any of the legitimate purchases I have made with iTunes over the past several years had been billed to my credit card on file with Apple, not via PayPal. I have confirmed this by looking at previous iTunes credit card statements.
This morning was the first time a transaction for an iTunes purchase showed up as coming directly out of my PayPal account in years and years! PayPal was able to sever my PayPal account from any ties to my Apple account on that 2006 agreement and the charges immediately stopped, but not before one last final charge for $40 came through, one minute before the PayPal rep canceled everything!
$175 wiped out of my PayPal account within just a couple of hours. I shudder to think what would have happened had I not noticed it when I did! PayPal was helpful in stopping more charges from coming through, and they said I could dispute the charges with Apple, but they say it’s up to Apple to refund me and Apple is giving me customer NO-service! So looks like I may be screwed.
My iTunes account doesn’t even reflect any recent charges (I took a screen shot as proof about 6 hours after the charges stopped), so I don’t even have any idea what the charges were for. Only Apple would know that I guess. But, PayPal CAN confirm that the charges ARE from the Apple iTunes store.
I am livid! Looks like whoever was draining credit card accounts last month has moved on to old PayPal agreements (I found several people who have had this happen to them in the exact same manner in the last 24 hours….multiple $40-ish charges within about 30 minutes of each other, until they were able to call PayPal and stop it!)
And, no, I don’t feel I was remiss in any way with my log in information! I live with just me and my husband (no kids) and he is computer illiterate, would not even know how to turn on a computer, much less charge something to iTunes. I am diligent about account security and passwords. All of my passwords are randomly generated by my password program and make absolutely no sense and would be extremely hard to “crack.” I don’t type them into any place. I log in using my password program, so no key logging going on. I have used Mac systems (not PC) since 1985 and I have never been “hacked” or had passwords stolen in all that time. I am not buying that this is in ANY WAY through any fault of MINE!
I am an online retailer myself, and it is my legal obligation to keep my customers billing information safe from misuse or any type of security breach, or I can be fined and made to pay restitution, so how can Apple get away with not making the people this is happening to whole again!
Oh, and I forgot to mention. I have been absolutely obsessed with this whole mess today and have run across several other people, in various forums, who have had the same thing happen to them in the last 48 hours, in exactly the same manner.
Even though they had current credit cards with iTunes as their billing method, which had been used for years by Apple. All of the sudden, in the last couple of days charges were being racked up against their PayPal accounts from iTunes on OLD billing agreements that they didn’t even remember they ever agreed to such a long time ago. Many, like me, couldn’t even see such active billing agreements in their PayPal account records to even cancel them if they wanted. I had other billing agreements show up in my PayPal account, going all the way back to 2004, that showed as long canceled, as I purposely canceled any such agreements on my PP account with third parties all at one time several years ago. Nothing in my account that said iTunes, although the PP rep assured me these were being charged through one on file with them from 2006 and the charges quit after she canceled it on her end. Same scenario for others I have run across today.
Several people had their PayPal accounts drained, and then the charges went to their “backup funding sources” on file with PayPal, like credit card and bank accounts. Now they have three parties involved to try to get this straightened out with! And many had much more drained than I did before I noticed it happening and stopped it. Some lost $1000’s.
Are you kidding me that we were ALL remiss in letting our personal log in information out to a third party…none of us know each other…and all of us weren’t even having our CC on file with iTunes charged for these purchases within the last few days (like we would normally do if we purchased something on iTunes), but, rather, old billing agreements that went directly through PayPal from iTunes. BS…this is more than a sheer coincidence. I smell class action if Apple doesn’t refund people the money they are out and put a stop to whatever is going on that allows this to happen.
My purchase history on iTunes is generally 99¢ or so every month at most, then all of the sudden there are a series of $40-something charges, one right after the other in iTunes in the same day, with no record of the purchases in my iTunes account? WTH?
[...] one of the developers who first reported the App Store problems with the Vietnamese developer, is suspicious of Apple’s claims. After his calculations, Nguyen would have needed at least 3,000 hacked iTunes accounts to reach [...]