Missing iTunes Store Credit? Thank the Towson Hack [Scams]

iTunes downloads have fallen on hard times. Except for the App Store, of course. Photo: Apple

An article on Macworld today sheds some light on the Towson Hack — a mysterious scam involving stolen iTunes store credit dating back to November of last year.

Macworld highlights a well-trafficked thread on the Apple support forums that tells story after story of stolen iTunes gift card credit, initially tied to billing addresses being changed to Towson, Maryland.

The mysterious scam has a long history with many variables at play, and what’s most disturbing is that the Towson hack is still in effect today. That’s right, after nearly a year, Apple hasn’t been able to stop an exploit that could very well be the most advanced iTunes hack in history.

If you recall, back in January, a huge scandal was uncovered involving the illegal selling of 50,000+ hacked iTunes accounts in China. While that story was huge in terms of exposing iTunes’ vulnerabilities, the Towson Hack is even more devious. Why? Because no one knows how it really works.

Macworld sets the stage, quoting the first story of a now 700+ post Apple support thread:

“The poster claimed that—without his knowledge or consent—someone spent more than $50 of his iTunes Store credit on iPhone apps. The user had no credit card linked to his account; all the mysterious purchases drew from his store credit. Oh, and stereocourier also noted that various personal details were changed on his account; specifically, his home address was replaced with an address that he didn’t recognize in Towson, Maryland.”

That sort of activity has continued since November of last year, with the Towson, Maryland address suddenly changing to other random locations throughout the country in January of 2011.

Essentially, iTunes customers would notice that their iTunes store credit had been used without their permission on apps they had never heard of, many of which turned out to be submitted to the App Store from China. The purchased apps ended up being traced back to a small handful of developers, but the Towson hack has still remained anonymous in origin.

The evidence pointed towards a small group of developers/hackers responsible for the Towson Hack. By creating bogus, filler apps that are largely untraceable, the hackers somehow get access to iTunes credit and rack up purchases of their own apps. By only using iTunes gift card credit, they stay out from under the credit card company’s microscope, and they end up flying under Apple’s radar, too. Brilliant.

iTunes credit would also be drained with in-app purchases from obscure apps. Many in-app purchases were actually coming from Sega’s KingdomConquest app. Would a large company like Sega be involved in such a scandal? Macworld doesn’t think so:

“While the modus operandi stays the same, it seems clear that the KingdomConquest variant of the Towson Hack comes with a different motivation. One plausible explanation: Hackers familiar with the technique are selling access to hacked iTunes accounts with store credit to burn. Perhaps if you’re willing to pay a hacker $10, he’ll give you access to a hacked account with $50 of credit—and perhaps Sega’s game proves quite popular with folks willing to make that deal.”

While Apple has refunded multiple victims of the Towson Hack, the Cupertino company has yet to offer a real statement on how, or why, the scam has continued to exploit iTunes customers for nearly a year.

A scary re-telling of the Towson hack in action involves Craig Williams having $100 charged to his PayPal account after having his iTunes credit compromised. Another story shows how insidious the Towson hack can be, with Anne Robson requesting that Apple lock her iTunes account until further investigation. After she did so, more money was taken out. Once an account is locked, it should be technically impossible to touch the account’s funds in any way.

“Robson’s case might indicate that the ne’er-do-wells behind the Towson Hack somehow muck with iTunes accounts via methods so insidious that they bypass Apple’s blocks. Or, her case might simply be a fluke—an erroneously-applied block or an outlier.”

Whatever the reason may be for the Towson hack’s continued effectiveness against iTunes customers, Apple needs to address the issue pronto. This is just downright bad.

Are you a victim of the Towson hack?
