Back on November 28, 2010, a user named stereocourier started a thread on Apple’s support forums. The poster claimed that-without his knowledge or consent-someone spent more than $50 of his iTunes Store credit on iPhone apps. The user had no credit card linked to his account; all the mysterious purchases drew from his store credit. Oh, and stereocourier also noted that various personal details were changed on his account; specifically, his home address was replaced with an address that he didn’t recognize in Towson, Maryland.
As of this writing, that discussion thread has since swelled to more than 45 pages, with nearly 700 posts. Someone-or some group of someones-seems to be able to spend iTunes gift card credit without permission, buying apps that users don’t want. And whoever’s doing the hacking seems pretty good at it: Hundreds of users have seen their iTunes credit stolen, and the hack shows no signs of slowing, ten months after it was first reported.
This is a mystery story, but it’s not a great one. A great mystery generally involves a detective who gathers the evidence, performs an investigation, and finally issues the spectacular reveal: the motive, the guilty party, and-if all goes well-the punishment. In the mystery of the Towson Hack, unfortunately, we’ve got a crime, evidence, and a motive, but no justice, and no real resolution. Consider yourself warned.
In the days and months after stereocourier’s initial forum post at Apple’s site, numerous other users shared similar stories of iTunes Store credit going missing, with receipts arriving that detailed purchases the affected users hadn’t made-$42, $20, $35, $10; no amount of store credit was too small to swipe. In case after case, when the affected customers reached out, Apple customer service representatives agreed to refund the store credit just this once, but acknowledged no wrongdoing or iTunes hacking of any kind.
And, in case after case, the affected users’ addresses were changed to Towson, Maryland. By January 2011, however, it seems that either the attackers got smarter, or other hackers caught on to their process. By that time,
towson md itunes was a Google suggestion that led to many Web posts from folks detailing similar stories of iTunes store credit gone missing-a trend that continues today. So come January, though the key theft at the heart of the Towson Hack remained constant, some customers started reporting that their store credit went missing even though their iTunes account information went mostly unmolested. Many users also started to report that their credit cards were unlinked from their iTunes accounts at the same time their store credit funds were depleted.
Many customers whose store credit was stolen noted that the purchases centered on a handful of apps from specific developers. One of those developers was “gao jing,” the name behind apps like Expert Guide for Black Ops, Cheats Guide for Black Ops, Weapons Guide for Black Ops, and Game Guide for New Vegas. Notably, none of those apps remain in the App Store as of this writing; however, Apple declined to comment on the reason for their removal from the store. Other customers noted that the purchased apps on their accounts were all from other developers, including “Hongbin Suo,” “lane ma,” “Yang Yun,” “KAMAGAMES,” and “Lakoo.” Many of the purchased apps, or the companies behind them, appeared to be Chinese in origin.
Bob Seifert lives in Wisconsin, and his story is a typical one. “Early in the morning on August 12,” he told Macworld, “I had gotten an email stating that my account was used to purchase [the free app] Instagram” from a device not previously linked to his account. “Shortly after that, I got another email, stating that another free app was purchased-a Chinese one, this time. And then, they made an in-app purchase through that app of $19.99 for some in-game currency of some sort.”
Seifert had never heard of the game before, and says he didn’t download it or make the in-app purchase. When asked if he had ever potentially typed his iTunes password into a Web form, perhaps succumbing to a phishing attack, he replied emphatically: “No, absolutely not. I actually work in the IT department at a large company, and I’m well aware of phishing. I’m closely related to the Information Security group here [at work], and I use overly-complicated passwords for all my stuff.” The rogue purchase on Seifert’s account all but drained what was left of a $25 gift card he’d only keyed in “two to three weeks before the hack.” Interestingly, though Seifert also received an email from Apple confirming that he’d made a change to the billing address on his account, he still saw the correct address (and not Towson) when he logged in.
As is typical of the retellings on the forum thread, Seifert contacted Apple and Apple eventually refunded the purchases-but the company acknowledged no larger issue, and said that the refund was a one-time courtesy. Nor has Apple provided any formal statement on the Towson Hack-not in emails to customers that Macworld could locate, not on its site, and not anywhere else.
The Sega Segue
One theory that several victims put forth on Apple’s forum was that the Towson Hack was really devised by rogue developers, who have created largely bogus apps and then used other customers’ gift credit to purchase those apps-scoring ill-earned cash in the process.
Some folks found that their stolen gift credit didn’t go towards the purchase of unwanted Chinese apps, though. Starting in late April, some customers found that instead their funds were making in-app purchases for a game from Sega called KingdomConquest. It certainly seems unlikely that a large corporation like Sega would intentionally involve itself in malicious behavior like the Towson Hack, suggesting that perhaps something was going on beyond just racking up sales of bogus apps.
Customers who fell victim to the KingdomConquest variant of the Towson Hack didn’t own the original app, and certainly never went into the game to make in-app purchases with their store credit. Somehow, hackers were able to “buy” the free app on victims’ iTunes accounts, and then trigger the in-app purchases.
In its own forum, Sega posted this message:
We are currently investigating this claim as well as some others, but since we have no access to any customers’ iTunes account information or transaction histories we highly recommend contacting Apple directly. Allow me to state very clearly that Sega and ‘Kingdom Conquest’ are not acting maliciously in any way.
A spokeswoman for Sega exchanged emails with Macworld, but declined to comment on the matter beyond the above forum post.
While the modus operandi stays the same, it seems clear that the KingdomConquest variant of the Towson Hack comes with a different motivation. One plausible explanation: Hackers familiar with the technique are selling access to hacked iTunes accounts with store credit to burn. Perhaps if you’re willing to pay a hacker $10, he’ll give you access to a hacked account with $50 of credit-and perhaps Sega’s game proves quite popular with folks willing to make that deal. Without further comment from Apple or Sega, however, it’s hard to say definitively. Such a scenario does seem to mark the easiest explanation of why Sega’s popular game got involved in this mess.
Next: Towson and Beyond
Leave a reply