Chinese auction site sells thousands of stolen iTunes accounts

50,000 stolen iTunes accounts linked to stolen credit cards are being sold on a Chinese auction site, according to a report from the BBC.

Listings on Taobao, the Chinese equivalent of eBay, are promising access to iTunes downloads for between 1 yuan ($0.15) and 200 yuan ($30).

However, customers are advised that they are likely to only have about 12 hours to download apps, movies, games and music from the online store before their accounts are suspended.

A reporter with the Global Times, who discovered the activity on Taobao, paid $5 for an iTunes username and password. When accessing the account they found that it contained credit card details and the address of a user based in the United States.

What isn’t entirely clear is whether fraudulent accounts have been set up with stolen credit card details, or whether these are existing iTunes accounts that have been seized by cybercriminals – perhaps after login details have been stolen through phishing attacks.

Certainly it’s not the first time that users have experienced problems with their iTunes accounts. Last year, many iTunes users reported that they had received unauthorised charges of up to $1000 after an apparent security breach.

Regardless of precisely how the cybercriminals selling access to the iTunes accounts managed to gain control over them, my advice is that you ensure that you have chosen a secure, non-dictionary word as your iTunes password that you never share with any other person or website.

Furthermore, just as with your bank account, you should keep a close eye on your account and the purchases linked to it to see if there is any unusual behaviour.

And even if this assault on users’ accounts wasn’t the result of a phishing campaign, always be on the lookout for fraudulent emails and websites which try and steal your login details. The phishers aren’t just after your banking details – they can make money out of other online accounts too.