Missing iTunes Store Credit? Thank the Towson Hack [Scams]


iTunes downloads have fallen on hard times. Except for the App Store, of course. Photo: Apple

An article on Macworld today sheds some light on the Towson Hack — a mysterious scam involving stolen iTunes store credit dating back to November of last year.

Macworld highlights a heavily trafficked thread on the Apple support forums that tells story after story of stolen iTunes gift card credit, initially involving accounts whose billing address had been changed to Towson, Maryland.

The mysterious scam has a long history with many moving parts, and what’s most disturbing is that the Towson hack is still active today. That’s right, after nearly a year, Apple hasn’t been able to stop an exploit that could very well be the most advanced iTunes hack in history.

If you recall, back in January, a huge scandal was uncovered involving the illegal selling of 50,000+ hacked iTunes accounts in China. While that story was huge in terms of exposing iTunes’ vulnerabilities, the Towson Hack is even more devious. Why? Because no one knows how it really works.

Macworld sets the stage, quoting the first story of a now 700+ post Apple support thread:

“The poster claimed that—without his knowledge or consent—someone spent more than $50 of his iTunes Store credit on iPhone apps. The user had no credit card linked to his account; all the mysterious purchases drew from his store credit. Oh, and stereocourier also noted that various personal details were changed on his account; specifically, his home address was replaced with an address that he didn’t recognize in Towson, Maryland.”

That sort of activity has continued since November of last year, with the Towson, Maryland address suddenly changing to other random locations throughout the country in January of 2011.

Essentially, iTunes customers would notice that their iTunes store credit had been used without their permission on apps they had never heard of, many of which turned out to be submitted to the App Store from China. The purchased apps ended up being traced back to a small handful of developers, but the Towson hack has still remained anonymous in origin.

The evidence pointed towards a small group of developers/hackers responsible for the Towson Hack. By creating bogus, filler apps that are largely untraceable, the hackers somehow get access to iTunes credit and rack up purchases of their own apps. By only using iTunes gift card credit, you stay out of the credit card company’s microscope, and you end up flying under Apple’s radar, too. Brilliant.

iTunes credit would also be drained with in-app purchases from obscure apps. Many in-app purchases were actually coming from Sega’s KingdomConquest app. Would a large company like Sega be involved in such a scandal? Macworld doesn’t think so:

“While the modus operandi stays the same, it seems clear that the KingdomConquest variant of the Towson Hack comes with a different motivation. One plausible explanation: Hackers familiar with the technique are selling access to hacked iTunes accounts with store credit to burn. Perhaps if you’re willing to pay a hacker $10, he’ll give you access to a hacked account with $50 of credit—and perhaps Sega’s game proves quite popular with folks willing to make that deal.”

While Apple has refunded multiple victims of the Towson Hack, the Cupertino company has yet to offer a real statement on how, or why, the scam has continued to exploit iTunes customers for nearly a year.

A scary re-telling of the Towson hack in action involves Craig Williams having $100 charged to his PayPal account after his iTunes credit was compromised. Another story shows how insidious the Towson hack can be, with Anne Robson requesting that Apple lock her iTunes account until further investigation. After the lock was applied, more money was taken out. Once an account is locked, it should be technically impossible to touch the account’s funds in any way.

“Robson’s case might indicate that the ne’er-do-wells behind the Towson Hack somehow muck with iTunes accounts via methods so insidious that they bypass Apple’s blocks. Or, her case might simply be a fluke—an erroneously-applied block or an outlier.”

Whatever the reason may be for the Towson hack’s continued effectiveness against iTunes customers, Apple needs to address the issue pronto. This is just downright bad.

Are you a victim of the Towson hack?

  • fbloise

    I bet somebody from the hacking community (aka Installus) has something to do with that.

    I still can’t explain how some people got apps fresh from the oven, sometimes apps that cost more than $10, without profiting… I always thought they used stolen credit cards or something… this sounds more plausible: hacking into people’s accounts and stealing the credit.

  • EmmEff

    I was a victim of the Towson Hack last December. I lost about $60 of credit, which was almost immediately replaced by Apple when I drew their attention to it. I haven’t had problems since changing my Apple Store password.

  • El Migas

    I was! Someone used $100 off my account literally a day after I had added it! Used it to buy a couple million dollars’ worth of poker chips :/ Same thing, but my city got changed to Arkansas!

  • Michael J Davis

    This happened to me about 3 weeks ago and I had no clue what had happened. Now I do. I want my money back!!

  • CharliK

    That is likely a key factor in the hack. Bad passwords. It really wouldn’t be that hard to set up a system to run a dictionary at a list of email addresses from, say, Gmail, AOL, Yahoo etc. You could likely get a ton that way. Then you run another program that can log in and see if there’s store credit on the account. Log in and use them up real fast.

    I have friends that do all kinds of dumb things like use the same email on Twitter, Facebook, and iTunes, and they think they are being really clever with their passwords, but then their security question is ‘name of my dog’ and they talk about said dog all the time on their social sites, so it’s easy to figure out that the answer is Sir Fluffy the Sixth. That might get them a bunch more. As would those Facebook scam apps.

  • CharliK

    Well, with the group from China they were gaming it to get more sales as a way to wash part of the money via their 70% cut of the sales. Plus, with luck they would get on the top charts for a bit and folks would buy the apps because they must be good if so many folks are buying them.

  • Blake Beavers

    This happened to me last year. Thank god Apple refunded me.

  • Tim

    A very old iTunes account that I haven’t used for purchasing in at least 3 years got hacked last week. Luckily the CC that was associated with it was no longer valid – but whoever hacked into it managed to buy at least $35 worth of apps regardless.

    They changed the account address country-code to China and bought a raft of Chinese apps.

    My first suspicion was that I had a Windows VM with an iTunes library that needed to be authorised to the old account – maybe it got infected with a keylogger?