Mystery surrounds iTunes/PayPal web scam

Here’s the story so far.

On Monday, TechCrunch reported what appeared to be a “major security hole” in iTunes accounts linked to PayPal. Affected users began to report that unauthorised charges for iTunes purchases had appeared on their PayPal accounts, with some finding themselves out of pocket to the tune of $1000.

Some resorted to posting on Facebook about the theft from their PayPal account:

iTunes/PayPal web scam victims on Facebook

on Twitter:

iTunes/PayPal web scam victim on Twitter

and on Apple’s online support forum:

iTunes/PayPal web scam victim on Apple support forum

Initially there was much speculation that either iTunes or PayPal had suffered a security breach. PayPal declined to comment, beyond saying that they were reimbursing unauthorised charges and advising victims to contact Apple if they had further questions.

Apple, for their part, shed no further light on the situation:

"We're always working to enhance account security for iTunes users. If your credit card or iTunes password is stolen and used on iTunes, you should contact your financial institution about charge backs for any unauthorized purchases, and be sure to change your iTunes password right away."

The simplest explanation for the charges is that the account holders’ credentials were stolen, either phished via a scam email or captured by spyware on their computers. But many of the affected users are adamant that they have not carelessly given their iTunes password to anyone else.

Another possibility, put forward by Charles Arthur at The Guardian, is that victims of this scam reused the same username/password combination on other websites (a security problem I’ve discussed in the past), and that a compromise of one of those sites put the credentials in the hands of opportunistic hackers.

But, to be honest, at the moment we simply don’t know what connects the victims of the scam, other than that they had iTunes accounts linked to PayPal. Apple may be able to tell what links the victims (if anything) and the fraudulent purchases they appear to have made, but it isn’t talking.

So, in the meantime, my advice is to make sure your iTunes password is strong, is not a dictionary word (even a disguised one, with digits or symbols bolted on), and is unique: never share it with any other person, and never reuse it on any other website.
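To make that advice concrete, here is a small Python check, added here as an example and not code from the original article or from Apple or PayPal, of why “non-dictionary” has to mean more than a dictionary word with digits or symbols tacked on. It undoes the same mangling rules that attackers’ wordlist tools apply (case folding, leetspeak substitution, stripped prefixes and suffixes, reversal) before looking the result up in a dictionary, and it also flags a password the user already uses on another site, the reuse scenario discussed above. The wordlist, the minimum length of 12 and the sample passwords are constructed for the example.

```python
import re

# Constructed mini wordlist standing in for the dictionaries and leaked-password
# lists attackers actually use; a real check would load a large list from disk.
WORDLIST = {
    "password", "itunes", "paypal", "apple", "music",
    "welcome", "letmein", "monkey", "qwerty",
}

# Common leetspeak substitutions, undone so that "p@ssw0rd" maps back to "password".
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

MIN_LENGTH = 12  # assumption for this example, not a figure from the article


def _strip_edges(s):
    """Drop leading/trailing digits and symbols, e.g. 'itunes2010!' -> 'itunes'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def candidate_words(password):
    """Return the base words an attacker's mangling rules would recover.

    Rules modelled: case folding, leet substitution, stripping digit/symbol
    prefixes and suffixes, and reversal. Real cracking rulesets are far larger,
    so passing this check is necessary, not sufficient.
    """
    lowered = password.lower()
    forms = set()
    for base in (lowered, lowered[::-1]):
        for form in (base, _strip_edges(base)):
            forms.add(form)
            forms.add(form.translate(LEET_MAP))
            forms.add(_strip_edges(form.translate(LEET_MAP)))
    return forms


def is_dictionary_based(password, wordlist=WORDLIST):
    """True if any mangled form of the password is a plain dictionary word."""
    return any(word in wordlist for word in candidate_words(password))


def check_password(password, used_elsewhere):
    """Return the problems found with a proposed password, sorted for stable output.

    used_elsewhere is the set of passwords the user already has on other sites,
    so the check also catches the credential-reuse scenario.
    """
    problems = []
    if is_dictionary_based(password):
        problems.append("dictionary-based")
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password in used_elsewhere:
        problems.append("reused")
    return sorted(problems)


if __name__ == "__main__":
    # Constructed: a password the user already uses on some other website.
    other_sites = {"Tr0ub4dor&3"}
    for pw in ("P@ssw0rd1", "iTunes2010", "elppA", "Tr0ub4dor&3", "correct-horse-battery"):
        print(f"{pw!r}: {check_password(pw, other_sites) or 'ok'}")
```

The point of the mangling step is that “P@ssw0rd1” and “iTunes2010” are, from an attacker’s point of view, the words “password” and “itunes” plus a rule that a cracking tool applies for free; only a password that survives the check against a real dictionary and is not used anywhere else limits the damage when one site leaks.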


In addition, it may make sense to pay for your iTunes purchases with a gift card rather than link your account directly to PayPal or a credit card; at least that way you cap any potential losses at the value of the card.

Furthermore, just as with your bank account – you should keep a close eye on your iTunes and PayPal purchases to see if there is any unusual behaviour.

And even if this assault on users’ accounts wasn’t the result of a phishing campaign, always be on the lookout for fraudulent emails and websites that try to steal your login details.