iTunes App Store hit by developer and account fraud

While the billions of songs and apps being sold in the iTunes Store to millions of account holders are certain to bring with it a certain amount of fraudulent purchase reports, a new wave of very suspicious app purchases appear to have boosted the sales of a single App Store developer to an overwhelming 40 spots of the top fifty apps in the books category.

The books in question are a low-quality series of mostly Japanese manga titles all published by "developer" Thuat Nguyen, whose publishing company is listed by Apple as "mycompany" with a website of "Home.com." It's impossibly unlikely that 80% of the American App Store's book sales were legitimately dominated by sales of shoddy anime book apps that are not localized, appear to violate intellectual property rights, and were all dumped into the App Store at once over a period of a couple days.

Even more worrying is that sales of the junk apps are being reported by multiple users in iTunes as fraud activity. User ratings on the titles frequently complain about having discovered the purchase as part of fraud activity on their accounts. A flurry of positive reviews say simple things like, "it's great" and "good, this story is very interesting," creating the appearance that they have been added by the same group behind the fraud sales.

The fraudulent book sales are not just overwhelming the App Store charts with junk; they're also pushing legitimate titles by real developers out of the view of shoppers, devaluing the iTunes Store in the minds of users, and eroding Apple's position that the App Store is a carefully curated marketplace that doesn't suffer from the junkware bloat and intellectual property fraud of Google's Android Market.

iTunes accounts being hacked

In addition to listings fraud aimed at promoting the sales of specific junkware developers, it also appears that Apple's iTunes accounts are widely being compromised by organized attacks based in China, where crackers obtain the account information of legitimate users and resell access to the accounts to buyers who pay a few dollars in exchange for information that allows them to make fraud purchases of several hundred dollars before the account's card is turned off.

Last month, a user posted a forum comment stating, "I am going to tell you the truth about what has been going on with your account." The anonymous user then explained, "let’s say you are a Chinese guy or girl with an iPhone or iPad and you want to get some music, movie or app. How you do you do it? You go to http://www.taobao.com: The (by far) largest online market in the world and type iTunes in the search bar. Immediately you will be presented with a list of more than 7,000 items.

"You want to save money, so you filter the list to show only items under RMB25.00- (US $3.60) and still you have more than 3,600 offers. So you pick some one at random like, as an example, this one: http://item.taobao.com/item.htm?id=5516054242. You open the online chat and you transfer him RMB22.00 (US $3.20). He ask you in the online chat to provide a new iTunes account name and password, and you comply: User: qiuwge3foe3333@yahoo.com Password: qwer34567

"He asks you to wait 10 minutes online. He has already a number of user accounts under surveillance, so he enters in the iTunes account of his victim, change his/her username and password to the one you provided, and come back to ask you try it and approve the transaction so Taobao.com releases his money. Even if you cant read Chinese you can see very clearly in his item description that this account will not last more than 24 hours (the time for his victim to see the charges mounting and then cancel the credit card).

"He claims that he selects 'his' accounts so you can drain at least US $250.00 from them before they get cancelled. He urges you to be fast and buy and download as fast as you can. Start immediately! Keep the download going on for the full 24 hours! There is no warranties on how long it will last! Because he already changed the username and password, the victim can’t stop you.

"There are cheaper ways, of course! You can join a 'frenzy feeding,' where the same hijacked account is sold to several customers. It is much slower and, because it was 'opened' maybe hours ago, it will be much shorter lived. It can be had for RMB1.00 to RMB5.00 (US $0.14 to US $0.74). The most important thing, however, is to BUY fast not to download fast. You can download at leisure during the next weeks. iTunes will not stop you: It will only remind you that your (victim’s) credit card is not working and invite you to update your payment details.

"Then, if you want more applications later on, you just enter in Taobao.com and get again a new account in a few minutes. This is the sad reality. There are a lot of of things Apple could do to stop this, like canceling the hijacked accounts and de-authorizing its computers, making the whole process useless. But for what? This is not a problem for Apple: It is a problem for the credit card industry. The account is right, the payment is right, end of the story. If you claim that someone used your credit card to buy things it is a problem between you and your bank, not between you and Apple!

"Please note that when you are buying like crazy with 'your' new account Apple doesn’t bill directly to the credit card every time you add an item: It bills in batches of around (below) US $50. This is another detail that shows how cunning they are! You buy, buy, and buy. And every time your reach 40-something dollars Apple invoices the card. If it pass, you can keep buying. If not, it stops you from buying more.

"This achieves two things: One, it limits the damage to Apple as they only can get hooked for, at most, US $50. Two, makes the whole system safer for them, as purchases under US $50 are not protected in the States law. And it is funny that if that last transaction doesn’t go through, then is when the rage of Apple comes over you for any item you may have already download before the invoicing point was reached.

"Apple will put a flag on your account and will not allow you to download updates for any of the apps on 'your' account (whatever order they came from) or download the pending episodes of 'your' season passes). In this case, you have no option but to go to Taobao.com and use another procedure.

"There are people (the same people) who saves you time by doing in advance the whole process of providing the user, etc. They’ve already 'opened' an account and used it to purchase one or two US $50.00 gift certificates. You get one (US $1.40) and use it to cover the debt with Apple so they can let you enjoy peacefully the items you 'own.'"

Apple monitoring fraud

Out of the billions of transactions handled by iTunes, it's not surprising that there is considerable fraudulent activity occuring. However, the apparently unchecked fraud being orchestrated on such a wide scale, combined with Apple's very slow response in handling extremely suspicious sales that dramatically distort sales rank as noted in the initial example, shed a very questionable light on Apple's assertion that iTunes is a carefully curated marketplace.

It also calls into question why the company works so hard to carefully review developer titles in some areas while at the same time allowing large amounts of very low quality junkware to be listed by obviously illegitimate "companies" with fake contact information.

(Update: A report by App Store developer Alex Brie on the situation indicates App Store developers have been contacted by Apple's Worldwide Product Marketing senior vice president Phil Schiller, and an investigation is now underway.)