About 50,000 stolen iTunes accounts for sale on TaoBao offer as much as $200 in iTunes content for as little as $30. Image: CC FHKE/Flickr
Stolen iTunes accounts are being offered for sale on the largest online auction website in China. About 50,000 hacked iTunes accounts linked to active credit cards are being sold on TaoBao.com. Apple’s iTunes is the largest music store in the U.S. and 150 million iTunes users should check their iTunes accounts for unauthorized transactions.
The Chinese iTunes hack
Stolen iTunes accounts can net buyers up to $200 worth of music and movies for as little as $30, or about 200 yuan. Potential buyers are advised by TaoBao to spend the illegal iTunes accounts within 24 hours to get their money’s worth before the authorized users get wise to the Chinese iTunes hack. According to the Chinese newspaper Global Times, TaoBao, a Chinese knock-off of eBay, has been selling thousands of stolen iTunes accounts for several months. TaoBao claims not to be liable and said it can’t pull the illegal iTunes accounts without a “formal request” from Apple, which has not been made.
Inside a stolen iTunes account
In an investigation of the illegal iTunes accounts, Global Times bought one from a TaoBao merchant for $5. The newspaper was given a user name and password granting access to a hacked iTunes account including credit card numbers and a billing address in the U.S. It is likely that hackers broke into iTunes accounts with stolen credit cards or malware that steals user IDs and passwords. Last fall cybercriminals emailed the notorious “Zeus” package disguised as an iTunes receipt to trick their marks into launching the malware, which captures keystrokes when the user logs on to password-protected sites.
iTunes under siege by hackers
Stolen iTunes accounts sell like hotcakes in China because millions of Chinese don’t have credit cards, which are the only way to create a legitimate iTunes account. The rate of hacks on iTunes accounts has also been accelerating dramatically in the U.S. Cheap iTunes gift codes that expire in 24 hours can be found on many U.S. auction sites. Legitimate iTunes gift codes have no expiration date. When a Chinese hacker broke into Apple App Store accounts last year to improve the sales ranking of his ebooks, Apple started requiring a credit card CVV code to make a purchase. But that security measure does nothing to stop Zeus from doing his dirty work.
Sources
