iTunes App Store hit by developer and account fraud

Posted:
in iPod + iTunes + AppleTV edited January 2014
Apple's iTunes Store users are increasingly being targeted in a number of fraud cases, some of which appear to be orchestrated by iOS app developers seeking to boost their sales rankings, and others which appear to be a widespread hack of user accounts.



While the billions of songs and apps being sold in the iTunes Store to millions of account holders are certain to bring with them a certain amount of fraudulent purchase reports, a new wave of very suspicious app purchases appears to have boosted the sales of a single App Store developer to an overwhelming 40 spots of the top fifty apps in the books category.



The books in question are a low-quality series of mostly Japanese manga titles all published by "developer" Thuat Nguyen, whose publishing company is listed by Apple as "mycompany" with a website of "Home.com." It's impossibly unlikely that 80% of the American App Store's book sales were legitimately dominated by sales of shoddy anime book apps that are not localized, appear to violate intellectual property rights, and were all dumped into the App Store at once over a period of a couple of days.



Even more worrying is that sales of the junk apps are being reported by multiple users in iTunes as fraud activity. User ratings on the titles frequently complain about having discovered the purchase as part of fraud activity on their accounts. A flurry of positive reviews say simple things like, "it's great" and "good, this story is very interesting," creating the appearance that they have been added by the same group behind the fraud sales.



The fraudulent book sales are not just overwhelming the App Store charts with junk; they're also pushing legitimate titles by real developers out of the view of shoppers, devaluing the iTunes Store in the minds of users, and eroding Apple's position that the App Store is a carefully curated marketplace that doesn't suffer from the junkware bloat and intellectual property fraud of Google's Android Market.









iTunes accounts being hacked



In addition to listings fraud aimed at promoting the sales of specific junkware developers, it also appears that Apple's iTunes accounts are widely being compromised by organized attacks based in China, where crackers obtain the account information of legitimate users and resell access to the accounts to buyers who pay a few dollars in exchange for information that allows them to make fraudulent purchases of several hundred dollars before the account's card is turned off.



Last month, a user posted a forum comment stating, "I am going to tell you the truth about what has been going on with your account." The anonymous user then explained, "let's say you are a Chinese guy or girl with an iPhone or iPad and you want to get some music, movie or app. How do you do it? You go to http://www.taobao.com: The (by far) largest online market in the world and type iTunes in the search bar. Immediately you will be presented with a list of more than 7,000 items.



"You want to save money, so you filter the list to show only items under RMB25.00- (US $3.60) and still you have more than 3,600 offers. So you pick someone at random like, as an example, this one: http://item.taobao.com/item.htm?id=5516054242. You open the online chat and you transfer him RMB22.00 (US $3.20). He asks you in the online chat to provide a new iTunes account name and password, and you comply: User: [email protected] Password: qwer34567



"He asks you to wait 10 minutes online. He has already a number of user accounts under surveillance, so he enters in the iTunes account of his victim, changes his/her username and password to the one you provided, and comes back to ask you to try it and approve the transaction so Taobao.com releases his money. Even if you can't read Chinese you can see very clearly in his item description that this account will not last more than 24 hours (the time for his victim to see the charges mounting and then cancel the credit card).



"He claims that he selects 'his' accounts so you can drain at least US $250.00 from them before they get cancelled. He urges you to be fast and buy and download as fast as you can. Start immediately! Keep the download going on for the full 24 hours! There are no warranties on how long it will last! Because he already changed the username and password, the victim can't stop you.



"There are cheaper ways, of course! You can join a 'frenzy feeding,' where the same hijacked account is sold to several customers. It is much slower and, because it was 'opened' maybe hours ago, it will be much shorter lived. It can be had for RMB1.00 to RMB5.00 (US $0.14 to US $0.74). The most important thing, however, is to BUY fast not to download fast. You can download at leisure during the next weeks. iTunes will not stop you: It will only remind you that your (victim's) credit card is not working and invite you to update your payment details.



"Then, if you want more applications later on, you just enter in Taobao.com and get again a new account in a few minutes. This is the sad reality. There are a lot of things Apple could do to stop this, like canceling the hijacked accounts and de-authorizing its computers, making the whole process useless. But for what? This is not a problem for Apple: It is a problem for the credit card industry. The account is right, the payment is right, end of the story. If you claim that someone used your credit card to buy things it is a problem between you and your bank, not between you and Apple!



"Please note that when you are buying like crazy with 'your' new account Apple doesn't bill directly to the credit card every time you add an item: It bills in batches of around (below) US $50. This is another detail that shows how cunning they are! You buy, buy, and buy. And every time you reach 40-something dollars Apple invoices the card. If it passes, you can keep buying. If not, it stops you from buying more.



"This achieves two things: One, it limits the damage to Apple as they only can get hooked for, at most, US $50. Two, makes the whole system safer for them, as purchases under US $50 are not protected in the States law. And it is funny that if that last transaction doesn't go through, then is when the rage of Apple comes over you for any item you may have already downloaded before the invoicing point was reached.



"Apple will put a flag on your account and will not allow you to download updates for any of the apps on 'your' account (whatever order they came from) or download the pending episodes of 'your' season passes. In this case, you have no option but to go to Taobao.com and use another procedure.



"There are people (the same people) who save you time by doing in advance the whole process of providing the user, etc. They've already 'opened' an account and used it to purchase one or two US $50.00 gift certificates. You get one (US $1.40) and use it to cover the debt with Apple so they can let you enjoy peacefully the items you 'own.'"
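
The sequence the forum post describes (login ID and password both replaced, then a burst of purchases inside the roughly 24 hours the account survives) is something a store operator can look for in account event logs. The sketch below is an added example, not code from Apple or from the article; the event names, thresholds, dates and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PAIR_GAP = timedelta(minutes=15)  # assumed: both credentials replaced in one session
WINDOW = timedelta(hours=24)      # lifetime the seller quotes for a hijacked account
MIN_PURCHASES = 8                 # assumed alert threshold
MIN_SPEND_CENTS = 10_000          # assumed alert threshold (US $100)


def at(hhmm):
    """Build a timestamp on an arbitrary, constructed sample day."""
    return datetime(2010, 7, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample events: (account, time, kind, amount_cents)
EVENTS = (
    # acct-A: login ID and password swapped, then 12 purchases in two hours
    [("acct-A", at("10:00"), "login_id_changed", 0),
     ("acct-A", at("10:02"), "password_changed", 0)]
    + [("acct-A", at("10:05") + timedelta(minutes=10 * i), "purchase", 999)
       for i in range(12)]
    # acct-B: ordinary password change followed by two small purchases
    + [("acct-B", at("09:00"), "password_changed", 0),
       ("acct-B", at("09:30"), "purchase", 999),
       ("acct-B", at("11:00"), "purchase", 99)]
    # acct-C: heavy but legitimate buyer, no credential change at all
    + [("acct-C", at("08:00") + timedelta(minutes=5 * i), "purchase", 1299)
       for i in range(15)]
)


def flag_takeovers(events):
    """Return accounts where a login-ID-plus-password swap precedes a purchase burst."""
    by_account = defaultdict(list)
    for account, when, kind, cents in sorted(events, key=lambda e: e[1]):
        by_account[account].append((when, kind, cents))

    flagged = {}
    for account, rows in by_account.items():
        id_changes = [w for w, k, _ in rows if k == "login_id_changed"]
        pw_changes = [w for w, k, _ in rows if k == "password_changed"]
        # Takeover marker: both credentials replaced within PAIR_GAP of each other.
        starts = [max(i, p) for i in id_changes for p in pw_changes
                  if abs(i - p) <= PAIR_GAP]
        for start in starts:
            burst = [c for w, k, c in rows
                     if k == "purchase" and start <= w <= start + WINDOW]
            if len(burst) >= MIN_PURCHASES and sum(burst) >= MIN_SPEND_CENTS:
                flagged[account] = {"since": start,
                                    "purchases": len(burst),
                                    "spend_cents": sum(burst)}
                break
    return flagged


if __name__ == "__main__":
    for account, info in flag_takeovers(EVENTS).items():
        print(account, info)
```

Neither signal is enough alone: acct-B changes a password and acct-C buys heavily, and only the combination on acct-A is flagged.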



Apple monitoring fraud



Out of the billions of transactions handled by iTunes, it's not surprising that there is considerable fraudulent activity occurring. However, the apparently unchecked fraud being orchestrated on such a wide scale, combined with Apple's very slow response in handling extremely suspicious sales that dramatically distort sales rank as noted in the initial example, sheds a very questionable light on Apple's assertion that iTunes is a carefully curated marketplace.



It also calls into question why the company works so hard to carefully review developer titles in some areas while at the same time allowing large amounts of very low quality junkware to be listed by obviously illegitimate "companies" with fake contact information.



(Update: A report by App Store developer Alex Brie on the situation indicates App Store developers have been contacted by Apple's Worldwide Product Marketing senior vice president Phil Schiller, and an investigation is now underway.)

Comments

  • Reply 1 of 71
    prof. peabody Posts: 2,860 member
    Quote:
    Originally Posted by AppleInsider View Post


    ... The books in question are a low-quality series of mostly Japanese manga titles all published by "developer" Thuat Nguyen, ...



    I wish Apple would just stop the entire practice of selling "apps" that are actually books. There already exist multiple online bookstores for those that have the legal rights to publish a book and the "books" apps just junk up the store.



    I'm an artist, and could easily steal some old out of copyright work and jazz up a few illustrations and a cover for it and sell it on the app store. I don't do that though, because it's wrong, (legal though it might be). These kind of apps add nothing and are a blight on the app store for the most part.
  • Reply 2 of 71
    This is definitely an alarming issue that needs more widespread attention. I don't usually expect AppleInsider to be so critical on Apple, but it's good that this report is thorough and concerned about Apple's slow response.



    In terms of people who've used fake or stolen accounts to purchase apps, can Apple's app kill switch be used to deactivate those applications on those user's next iTunes sync? Or is the app kill switch a more blunt instrument that can only to be used to kill an app for all users across the whole App Store rather than just those users who have participated in fraud? Although, Apple needs to be very careful in using this of course, since the media attention on false positives would be even worse than the fraudulent activity going on right now.
  • Reply 3 of 71
    a_greer Posts: 4,594 member
    Quote:
    Originally Posted by Prof. Peabody View Post


    I wish Apple would just stop the entire practice of selling "apps" that are actually books. There already exist multiple online bookstores for those that have the legal rights to publish a book and the "books" apps just junk up the store.



    I'm an artist, and could easily steal some old out of copyright work and jazz up a few illustrations and a cover for it and sell it on the app store. I don't do that though, because it's wrong, (legal though it might be). These kind of apps add nothing and are a blight on the app store for the most part.



    I agree for the most part, however, I would caution that some book apps are really good, I don't have nor want kids, but I have seen some apps in use that do things that Kindle, iBooks and the like do not, things like animated illustrations, or read along features where kids who are just learning to read can have each word highlighted as it is played via a recording of a friendly sounding professional reader, not a robo voice like the Kindle offers for some books.



    What needs to happen is there needs to be media APIs available to iBooks, have three book cases, traditional books, PDFs, and interactive material. This would be great for digital textbook supplemental materials as well. With DVD Studio Pro and Motion laying around, Apple has all the tools to build an awesome content creation experience for interactive books, just mix and match the best of those video features with what Apple has learned from Pages and Keynote and make an application for Mac that does content design for iBooks, and allow other third party reputable resellers like Amazon, or Barnes and Noble to do book apps...problem solved.
  • Reply 4 of 71
    davesw Posts: 406 member
    Hope Apple files charges against this idiot developer.





    Also i don't think he will ever be in ANY app store. his credibility and reputation is now in the shitter.
  • Reply 5 of 71
    foad Posts: 697 member
    It seems as though Apple has removed the books in question and now the top books are where they were before.
  • Reply 6 of 71
    quadra 610 Posts: 6,743 member
    The reports are way overblown.
  • Reply 7 of 71
    daharder Posts: 1,580 member
    "It Just Works"...
  • Reply 8 of 71
    sheff Posts: 1,407 member
    I guess the great firewall only works one way. Looks like Chinese government is good at keeping people away from "porn" but not very good at keeping people away from stealing money from people in other countries.



    Anyway, those "buyers" could have just as easily jail broken their devices and stolen apps without having to rip paying itunes account holders off. Will be interesting to see what apple does about this.
  • Reply 9 of 71
    sensi Posts: 346 member
    Quote:
    Originally Posted by davesw View Post


    Hope Apple files charges against this idiot developer.





    Also i don't think he will ever be in ANY app store. his credibility and reputation is now in the shitter.



    Lol, the guy in question must not even exist... Must be a group of counterfeiters and freelance hackers helping them to sell illegal copyrighted works... As always the shop company -whatever it is Ebay selling "genuine" Chanel bags or there Apple- taking their percentage on the fraud.
  • Reply 10 of 71
    colinh Posts: 15 member
    Quote:
    Originally Posted by AppleInsider View Post


    ... devaluing the iTunes Store in the minds of users, and eroding Apple's position that the App Store is a carefully curated marketplace that doesn't suffer from the junkware bloat and intellectual property fraud of Google's Android Market.





    Ummm, I already think that the App Store is full of junkware. Maybe they could introduce finer subdivisions? Like:



    Entertainment:
    Farting apps
    List apps
    Lists of jokes
    Lists of stupid things to say
    Lists of chat-up lines
    Utilities:
    Tip calculators
    Apps to multiply a number by 0.1
    Apps to multiply a number by 0.15
  • Reply 11 of 71
    shobiz Posts: 207 member
    Let's not forget -



    'Apps to generate revenue, but have no real purpose beyond a 60 second novelty'
  • Reply 12 of 71
    nasserae Posts: 3,153 member
    Quote:
    Originally Posted by Sensi View Post


    Lol, the guy in question must not even exist... Must be a group of counterfeiters and freelance hackers helping them to sell illegal copyrighted works... As always the shop company -whatever it is Ebay selling "genuine" Chanel bags or there Apple- taking their percentage on the fraud.



    Selling paid apps in the app store is not as easy as you think. Developers are required to supply real bank account numbers. Apple takes the time to verify the information, sometimes weeks, before a developer can sell paid apps in the app store.



    Besides, the money from apps will take 30 days from the close of the billing period to be released to the developer. For example, money from this month's sales will reach developers on or after August 1st. This gives Apple an advantage in case something like this happens.
  • Reply 13 of 71
    nasserae Posts: 3,153 member
    Quote:
    Originally Posted by colinh View Post


    Ummm, I already think that the App Store is full of junkware. Maybe they could introduce finer subdivisions? Like:



    Entertainment:
    Farting apps
    List apps
    Lists of jokes
    Lists of stupid things to say
    Lists of chat-up lines
    Utilities:
    Tip calculators
    Apps to multiply a number by 0.1
    Apps to multiply a number by 0.15



    When Apple first rejected fart apps all hell broke and Apple was called control freak.
  • Reply 14 of 71
    hdang221 Posts: 5 member
    all i can say i was a victim of fraud through apple iTunes. someone stole my acct info and downloaded nearly $500 worth of apps/music. i contacted apple and surprisingly they have NO CUSTOMER SERVICE for itunes related fraud activities. i spoke to some guy who was handling laptop issues. he was very polite and helpful but unfortunately i was told apple does not credit or give your money back due to fraudulent activities. I'm like WTF?!?!?! my bank did their own investigation and credited my account. no thanks to apple.



    unless apple does something to make iTunes more secure i am not buying another single thing off that app.



    i highly recommend anyone who has their CC info stored on that app to delete it or use gift certificates. iTunes is NOT a secure downloading app by any means.
  • Reply 15 of 71
    hdang221 Posts: 5 member
    and thank you for writing this article. this is a serious issue since i was a victim and apple honestly did ABSOLUTELY NOTHING about my problem except turn off my account. i also filed a complaint with the consumer protection org. FTC.



    this is a huge security issue which they won't admit or anyone has really made public. great article.
  • Reply 16 of 71
    nasserae Posts: 3,153 member
    Quote:
    Originally Posted by hdang221 View Post


    all i can say i was a victim of fraud through apple iTunes. someone stole my acct info and downloaded nearly $500 worth of apps/music. i contacted apple and surprisingly they have NO CUSTOMER SERVICE for itunes related fraud activities. i spoke to some guy who was handling laptop issues. he was very polite and helpful but unfortunately i was told apple does not credit or give your money back due to fraudulent activities. I'm like WTF?!?!?! my bank did their own investigation and credited my account. no thanks to apple.



    unless apple does something to make iTunes more secure i am not buying another single thing off that app.



    i highly recommend anyone who has their CC info stored on that app to delete it or use gift certificates. iTunes is NOT a secure downloading app by any means.



    No one will because it is your bank's job to do so. I left my Visa debit card at a restaurant once and came back the next morning and picked it up. Few months later my card was used to buy software online for more than $300. I called the bank and they put the money back into my account and issued me new card. I didn't even bother calling the software seller.
  • Reply 17 of 71
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by hdang221 View Post


    he was very polite and helpful but unfortunately i was told apple does not credit or give your money back due to fraudulent activities.



    Sure they do (give your money back), but the type of activity can limit what they can do. Their Support area is through your iTunes account. You can check your history and report a problem. I've used it several times over the years with great success.



    Once I was gifting a TV Show and it kept timing out on the purchase. I kept trying until it went through. My card was later charged for multiple attempts even though the recipient only received one email for the gift. Apple refunded all my money, not just all but one sale, they also credited my account with several free TV shows (these could not be used with other types of iTS media, not even HD TV Shows). That was better than I expected.



    The great thing about CCs today is there is an inherent protection. Personally, I do all internet purchases from a low value CC just in case it does get stolen. I know I'll get it back but I also won't be inconvenienced by it. I simply pay it off the day I buy something, but that does mean my CC company has my bank info, so it's not a foolproof plan, because they could get hacked.
  • Reply 18 of 71
    vrkiran Posts: 110 member
    with both the victims and Apple. As an e-commerce vendor, it's like a Rock and Hard place. The whole e-commerce security should evolve to provide security to users. There have been so many proposals such as single use credit card numbers (a.k.a online gift cards issued by Visa etc.,) but somehow the banks have not taken much initiative there.



    Problems like this are not limited to Apple. Apple can do it better, so can Amazon, eBay and other major e-businesses. eBay users (including me) go through so many such fraudulent activities that it feels like a quagmire to buy and sell stuff there.
  • Reply 19 of 71
    i really don't know how u got your money back.. when i was told the charges cannot be reversed..



    here's the response i got back from apple. and it clearly does not state any compensation, crediting, etc.. so it's up to you and your bank in the end. my point is iTunes has serious security issues if someone is hacking your acct and actually getting your CC etc..







    Hello Huy,



    Curtis here, from the iTunes Store. I understand you are concerned about purchases that were made with your iTunes Store account without your permission or knowledge. I can certainly understand how eager you must be to have this looked into and I would be happy to do all I can to help.



    Huy, to prevent further purchasing, I have disabled your account and banned the credit card on file from making purchases on the iTunes Store. Please note that your iTunes account can be enabled in the future by providing specific information to iTunes Store support.



    I urge you to contact your credit, debit, or payment card issuer as soon as possible to inquire about canceling the card or account and removing the unauthorized transactions. You should also ask them to launch an investigation into the security of your account. The iTunes Store cannot reverse the charges.



    In the meantime, I strongly recommend you change your account password immediately. Changing the password will help to prevent anyone else from using your iTunes Store account to place orders without your knowledge. To increase the security of your account, choose a password that has at least eight digits and includes both letters and numbers. You can change your password using this website:



    http://iforgot.apple.com



    If you wish, you can also delete your payment information from the iTunes Store as follows:



    1) Make sure you're using the latest version of iTunes. It can be downloaded free of charge from the iTunes website:



    http://www.itunes.com/download



    Note: Installing the latest version of iTunes will not affect your library or any items in your account that you haven't downloaded.



    2) To open iTunes and go to your Apple Account Information page, click this link:



    http://phobos.apple.com/accountSummary



    3) Enter your iTunes Store account name and password, then click Account Info.



    4) On the Apple Account Information page, click the Edit Payment Information button.



    5) Select None from the list of credit card types. This will delete your billing information.



    6) Be sure to click the Done button at the bottom of the page to save your changes.



    If you suspect you are the victim of identity theft, consider following these recommendations:



    - Contact the fraud departments of any consumer reporting company to place a fraud alert on your credit report.



    - Close the accounts that you believe have been used without your knowledge.



    - File a complaint with the Federal Trade Commission (FTC). For more information, please visit:



    http://www.ftc.gov/idtheft



    I sincerely hope that you are able to resolve this matter with the help of your credit card company, as soon as possible, Huy. If your financial institution advises you that there's something more we can do from the iTunes Store Support side of things, I'll be happy to assist you further. Thank you for your patience and understanding.



    Best Wishes



    Curtis

    iTunes Store Customer Support

    My Hours are: Monday-Tuesday. OFF Wednesday 8:00AM-4:30PM, Thursday-Saturday 8:00AM-4:30PM
  • Reply 20 of 71
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by hdang221 View Post


    i really don't know how u got your money back.. when i was told the charges cannot be reversed..



    here's the response i got back from apple. and it clearly does not state any compensation, crediting, etc.. so it's up to you and your bank in the end. my point is iTunes has serious security issues if someone is hacking your acct and actually getting your CC etc..



    Of course they can credit your card back. If they can take money from your card they negate those charges too. It's part of the system.



    It sounds like your credit card data itself was hijacked, not just your iTunes Store account. That means it's not Apple's responsibility, it's for your CC company to delete and to remove all funds. Whether that is what happened or not, it does seem like that is what Curtis thought. Note, my anecdote was about Apple refunding my charges, not needing to cancel a CC.