Jul 6, 10:05 pm (UTC-7) | by Ryan Flores (Senior Threat Researcher)

Over the weekend, news reports surfaced of “hacked” iTunes accounts being used to purchase worthless apps.
Since there has been no evidence or report of an iTunes App Store data leak, it is most likely that individual iTunes user credentials were stolen via phishing attacks.
What’s interesting about this incident is that it doesn’t involve any malicious app. Instead, stolen iTunes accounts were used to purchase common, unpopular apps, which led to a sudden rise in the rating of those apps in Apple’s App Store.
This matters because cybercrime groups have now found a working business model for monetizing phished user accounts in Apple’s App Store. They circumvented Apple’s “strict” app review process by submitting nonmalicious apps (it doesn’t matter if the app is worthless), then used phished iTunes accounts to buy the worthless apps and make money from them.
By targeting user accounts, the cybercriminals attacked the weakest link in the system (the user), using Apple’s App Store only as a platform and the worthless apps as a means to cash in on phished accounts.
May this incident serve as a glaring reminder of the importance of our online accounts, especially if our credit and/or debit cards are tied to them.





