iTunes hacked


davidjpowell (MB Enthusiast; joined Nov 8, 2007; 4,923 messages; location: Doncaster; car: E350 w212 and Ford Ranger)
Looks like my iTunes account has been hacked. About £80 worth of movies have been purchased over the last few days.

A fairly unhappy me. I've changed the password, de-authorised all the PCs, and also sent an email to Apple.

Not sure what else I can do, other than rely on Apple's goodwill in relation to the purchases.

grrr.
 
You should get your credit card company involved - or bank / building society if it was a debit card - they should be able to offer some advice and in some cases also compensation.
 
Looks like my iTunes account has been hacked. About £80 worth of movies have been purchased over the last few days.

A fairly unhappy me. I've changed the password, de-authorised all the PCs, and also sent an email to Apple.

Not sure what else I can do, other than rely on Apple's goodwill in relation to the purchases.

grrr.

How guessable was your password? There is a huge and freely available password cracking file (3GB) that the hackers play with. There are bigger ones, 40GB or more!

I'm not aware Itunes have any security issues at present.

Make sure your passwords are long, at least 15 characters, upper and lower case and a couple of special characters. For example mb:clUB)merSAYdes

Hard to remember, but uncrackable unless you are MI5.
 
^ that's a good idea....

However, I don't know about anyone else, but how many online passwords do you have?

I struggle to remember fairly simple ones for the different accounts I have...

So in reality having pa5$wo:rd@s such as you suggest would be very difficult and would probably mean you would write them down near the PC/laptop or keep them in a file on your computer.

I agree that's credit card fraud; surely the banks will cover this?
 
Use a pass-phrase instead. Easier to remember, harder to crack
 
Maybe not your current car, but a registration number is probably easily remembered but hard to crack.
 
^ that's a good idea....

However, I don't know about anyone else, but how many online passwords do you have?

I struggle to remember fairly simple ones for the different accounts I have...

So in reality having pa5$wo:rd@s such as you suggest would be very difficult and would probably mean you would write them down near the PC/laptop or keep them in a file on your computer.

I agree that's credit card fraud; surely the banks will cover this?

It probably isn't credit card fraud, but iTunes may well be nice about it.

Password control is a tricky area. Writing them down isn't generally a good idea.

Personally, I have a standard, secure password, well, phrase including mis-spellings, with a suffix/prefix that is site specific.

It is scarily easy to become a sophisticated hacker: download a hacking system, and the user guides from YouTube.

pa5$wo:rd@s is good, but add mbc on the end for mb club or eby for ebay.
 
Tough, having any accounts hacked. :(

A while ago, my ISP banned me because something like 40 million e-mail messages were sent from my account in a couple of hours. I had hoped that it would be clear that I was not sitting and writing them... how and ever, my account had been hacked and used for SPAM on a grand scale. Thereafter, I educated myself about passwords, passphrases and encryption and I finally succumbed and bought some specific software named 1Password.

It is trivially easy to brute force passwords. This document shows how easy it is to attack a password. I now let 1Password take care of all of my password needs. Below is an example password file generated by the software which I use. It can simultaneously use digits, symbols, characters in upper and lower case as well as doubling of all symbols and characters used. The 50 character example passphrase below is effectively unbreakable by any current computer attack methods. It cannot be guessed and it has no pattern to be broken down.

I now take my security seriously and never again will any of my accounts be hacked. The 1Password software is fully functioning during a 30 day trial and it works with several web browsers. I don't work for Agile Web Solutions but I am a very happy customer.

p#f27g9X]6u}%a3i;7,C{XvAjwt3oQjVd/kimh9uhA@Qx67*wn
 
As mentioned before, password vaults are a great idea.

That said, it is highly unlikely that your password was brute forced. Apple, like most (all?) major service providers have methods in place to prevent brute force attacks. These are usually timeouts (e.g. after 3 tries you cannot log in, even with the right password for 1 minute), account locks (after 3 tries the account is disabled until you call tech support), and similar time consuming methods. The idea is, trying 3-10 passwords might take you a few minutes, which is acceptable to you... but trying hundreds of thousands would take too long.

It is more likely that you installed a trojan (many of these floating around for both Mac and Windows), or you fell for a phishing attack of some sort (received any emails recently asking you to log into iTunes?)

Statistically speaking, Apple users are much more likely to fall for a phishing attack; to be accurate, they are 7 times more likely to fall for a phishing attack than a Windows user (the report isn't published yet... wait a few weeks and I'll get you a source... just finished writing it after 2 years of research!)

Anyhow, back to the point, if you do happen to have a trojan, most password vaults are rendered useless as they emulate a keyboard to type the password in for you (or require copy&paste). In which case a keylogger can skim the password anyhow.

On a side note, Jepho - I seem to remember hearing that 1Password had a flaw whereby not all data was encrypted... I may be wrong. I'll look it up when I have more time.

M.
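The throttling described in the post above, as an added example (not code from the thread, and not Apple's): a login check that refuses the account for 60 seconds after 3 failed attempts, right password included, together with the bound that policy puts on online guessing. The class, the in-memory store, the sample user and the PBKDF2 choice are constructed for illustration.

```python
"""Added example: a login throttle of the kind described in the thread.
After LOCKOUT_AFTER failed attempts the account rejects every login,
correct password included, for LOCKOUT_SECONDS. Names are illustrative."""
import hashlib
import hmac
import os
import time

LOCKOUT_AFTER = 3       # failed attempts before the account is locked
LOCKOUT_SECONDS = 60    # how long the lock lasts


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: a leaked store is still expensive to attack offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Authenticator:
    def __init__(self, clock=time.monotonic):
        self.clock = clock            # injectable so the policy can be tested
        self.users = {}               # username -> (salt, hash)
        self.failures = {}            # username -> consecutive failures
        self.locked_until = {}        # username -> clock value when lock ends

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'bad_password' or 'locked'."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"       # right or wrong, nobody gets in yet
        salt, expected = self.users.get(username, (b"", b""))
        # Always hash, so unknown users take as long as known ones.
        candidate = _hash(password, salt)
        if username in self.users and hmac.compare_digest(candidate, expected):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= LOCKOUT_AFTER:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
        return "bad_password"


def max_online_guesses(seconds: int) -> int:
    """Upper bound on guesses an online attacker gets in `seconds`:
    LOCKOUT_AFTER tries, then a full lockout, repeated."""
    return (seconds // LOCKOUT_SECONDS + 1) * LOCKOUT_AFTER


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("dave", "constructed-sample-password")
    for guess in ("a", "b", "c", "constructed-sample-password"):
        print(guess, "->", auth.login("dave", guess))
    print("guesses possible per day:", max_online_guesses(86400))
```

With this policy an online attacker is held to a few thousand guesses a day, which is why the thread's later point about offline attacks on a leaked hash matters far more.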
 
As mentioned before, password vaults are a great idea.

That said, it is highly unlikely that your password was brute forced. Apple, like most (all?) major service providers have methods in place to prevent brute force attacks. These are usually timeouts (e.g. after 3 tries you cannot log in, even with the right password for 1 minute), account locks (after 3 tries the account is disabled until you call tech support), and similar time consuming methods. The idea is, trying 3-10 passwords might take you a few minutes, which is acceptable to you... but trying hundreds of thousands would take too long.

It is more likely that you installed a trojan (many of these floating around for both Mac and Windows), or you fell for a phishing attack of some sort (received any emails recently asking you to log into iTunes?)

Statistically speaking, Apple users are much more likely to fall for a phishing attack; to be accurate, they are 7 times more likely to fall for a phishing attack than a Windows user (the report isn't published yet... wait a few weeks and I'll get you a source... just finished writing it after 2 years of research!)

Anyhow, back to the point, if you do happen to have a trojan, most password vaults are rendered useless as they emulate a keyboard to type the password in for you (or require copy&paste). In which case a keylogger can skim the password anyhow.

On a side note, Jepho - I seem to remember hearing that 1Password had a flaw whereby not all data was encrypted... I may be wrong. I'll look it up when I have more time.

M.

Phishing attacks require the explicit action of the user. Anyone who blithely hands root privileges to an external request for them is just asking for trouble (and usually, they will get it too) so I guess that both the likelihood and the susceptibility of users is going to look fairly even across all platforms, relative to market share. Only geeks will be safe on all platforms.

I also recall a 1Password issue in the early days but I do believe it has been fixed now. I think the best thing to do is take responsibility for your online security. Many people who don't would not use a lock on their house or car if they knew thousands of other people in their location had the same keys.

A sobering page from Wikipedia on the cracking of passwords.
 
Phishing attacks require the explicit action of the user. Anyone who blithely hands root privileges to an external request for them is just asking for trouble (and usually, they will get it too) so I guess that both the likelihood and the susceptibility of users is going to look fairly even across all platforms, relative to market share. Only geeks will be safe on all platforms.

McAfee's statistics were 5% of users who get a phishing email will give away credentials... it's rare that phishing attacks ask for root credentials. I was suggesting that the phishing attack asked for the iTunes account credentials which can then be used on any machine around the world.

Trojans require user interaction as well, but usually these require root access.

Regarding geeks being "safe"... RSA would beg to differ... admittedly, it was a spear phishing attack (i.e. one where it was targeted and tailored for the recipient - usually with some prior knowledge, in this case gained from social networks)

Anyhow - point is, phishing attacks can be VERY sophisticated. To the point that the head of security of a global IT security company couldn't identify some of the obfuscated URLs used in phishing attacks during a presentation I did a few years ago...

M.
 
So how do I make sure that my PC is secure?

I changed the password for Itunes last night from a different PC.
 
Forgot to add. At the end of the desirability list for me is to wipe the drive and start again... That means 4 (or maybe even 5) PCs need wiping and formatting. Not something I am keen to do.
 
McAfee's statistics were 5% of users who get a phishing email will give away credentials... it's rare that phishing attacks ask for root credentials. I was suggesting that the phishing attack asked for the iTunes account credentials which can then be used on any machine around the world.

Trojans require user interaction as well, but usually these require root access.

5% is a huge number. Of course, you are correct. I had confused phishing with trojans. I find it hard to understand the people who will willingly say yes to anything that appears on their computers.

Regarding geeks being "safe"... RSA would beg to differ... admittedly, it was a spear phishing attack (i.e. one where it was targeted and tailored for the recipient - usually with some prior knowledge, in this case gained from social networks)

Anyhow - point is, phishing attacks can be VERY sophisticated. To the point that the head of security of a global IT security company couldn't identify some of the obfuscated URLs used in phishing attacks during a presentation I did a few years ago...

M.

Clearly, you know a lot more about the security side of IT than I do. I used the word 'geek' as a way of defining a group of people who understand all of the holes available to the determined hacker... black hat rather than tin foil hat. I realise that there are a lot of competent individuals within the IT industry, who are holding down quite responsible jobs. Where they are not 'geek' then they are just as likely to create problems as I am. ;)
 
So how do I make sure that my PC is secure?

I changed the password for Itunes last night from a different PC.

Forgot to add. At the end of the desirability list for me is to wipe the drive and start again... That means 4 (or maybe even 5) PCs need wiping and formatting. Not something I am keen to do.

Changing your iTunes password was clearly necessary. Hopefully, there are enough pieces of advice in this thread to ensure that you did that securely. I would also go much further than that, especially given that you have several computers to look after. You have no idea how your account was compromised and you should do a root and branch (pun not intended) excision of anything that requires a password. This means reviewing all passwords on all of your computers because you cannot be sure how the account was hacked. It may be that you have a key logger somewhere on your system.

A piece of good practice you may consider is actively changing all of your passwords on a regular basis. A password vault makes this act very easy. I would also consider asking your bank to reissue all of your debit/credit cards, especially any that are attached to your iTunes account. Make regular and complete backups of anything that is valuable to you.

Consider buying a password vault and make it as difficult as you can for the determined crook to obtain your passwords. Don't ever share passwords with anyone else (trusted friends may accidentally leave them written down) and do not use patterns or personal data as a password. Random is your friend and the more difficult you can make it, empirically speaking, the longer you will stay safe. Having had my e-mail account attacked previously (with the resultant chaos and informing my list of contacts that I was no longer going to use those addresses) I expunged all and I won't be opening my computers to anyone again.

As stated elsewhere... if I do not know the sender (on my personal white list) then it gets ruthlessly binned before I see it. My friends do not send me links or round robin e-mail messages and I don't randomly explore the internet. We are all presenting possible opportunities to cyber-criminals and just as we learned that you don't walk down the street waving your wealth about, we must learn that the cyber equivalent is also a way of attracting the wrong kinds of attention.
 
Clearly, you know a lot more about the security side of IT than I do. I used the word 'geek' as a way of defining a group of people who understand all of the holes available to the determined hacker... black hat rather than tin foil hat. I realise that there are a lot of competent individuals within the IT industry, who are holding down quite responsible jobs. Where they are not 'geek' then they are just as likely to create problems as I am. ;)
As a penetration tester and security consultant, I do this day in and day out :p "Hacking" is my job :p If you bank with a major UK bank (or have a credit card), your bank has most likely been tested by myself or someone in my team at some point in time.

So how do I make sure that my PC is secure?

I changed the password for Itunes last night from a different PC.
I'm assuming that as you say PC you mean a Windows machine, right? First step is to ensure you have a good, up-to-date anti-malware solution (Norton, McAfee, NOD32, etc. The specifics I leave to you - I'm a fan of NOD32 for a home environment, but as I work for one of the rivals I shouldn't recommend it :p)

Next is to run a full scan with that tool, as well as a specific anti-malware solution like Spybot S&D, Lavasoft's AdAware or Malwarebytes MBAM. I can post links for all of these if you wish; make sure you are downloading them from the official site as there are LOTS of clones around that are actually trojans.

If you've done all that, you'll want to check your email - could someone have gotten into your email and gotten a password reminder for iTunes? Good idea would be to change your password for the email as well as iTunes.

Next, contact Apple and explain to them the whole nine yards. They'll give you some advice and MAY refund you. I emphasize may, as I've seen it go both ways.

One final point before I go and do some spring cleaning... what sort of movies were they? Could they be something someone else in the household ordered? A kid, or friend passing by?

Anyhow, good luck!

M.

P.S. A nice trick I use for passwords is to pick a sentence, like "Julia Roberts is a very pretty woman!" and take the first letter from each word (or first and last). So:
JRiavpw!
or
JaRsisavypywn!

You can then throw in a number if you wish (or choose a sentence with a number; e.g. "This is my 1st work machine." : Tim1wm.)

The passwords would be uncrackable with a dictionary, and a brute force would take unreasonably long (assuming it's not an offline attack).

M.
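The sentence-to-password trick from the P.S. above, as an added example (not the poster's own code): it derives the password from the first (or first and last) letter of each word, keeps the sentence's punctuation, and then estimates how long exhausting the resulting keyspace takes at an online rate held to 3 guesses a minute by a lockout versus an assumed offline rate against a leaked hash. The function names and both guess rates are assumptions made for illustration.

```python
"""Added example: mnemonic password derivation as described in the thread,
plus a keyspace estimate for online (rate-limited) vs offline guessing.
Guess rates are illustrative assumptions, not measurements."""
import string

PUNCT = set(string.punctuation)          # 32 printable ASCII symbols


def mnemonic(sentence: str, first_and_last: bool = False) -> str:
    """'Julia Roberts is a very pretty woman!' -> 'JRiavpw!'
    (or 'JaRsisavypywn!' with first_and_last=True)."""
    out = []
    for word in sentence.split():
        core = word.rstrip(string.punctuation)   # 'woman!' -> 'woman'
        tail = word[len(core):]                  # keep the '!' itself
        if core:
            if first_and_last and len(core) > 1:
                out.append(core[0] + core[-1])
            else:
                out.append(core[0])
        out.append(tail)
    return "".join(out)


def charset_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must assume."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in PUNCT for c in password):
        size += len(PUNCT)
    return size


def keyspace(password: str) -> int:
    return charset_size(password) ** len(password)


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


# Assumed rates: online guessing capped at 3 tries per 60-second lockout,
# offline guessing against a leaked fast hash on modern hardware.
ONLINE_RATE = 3 / 60
OFFLINE_RATE = 1e10

if __name__ == "__main__":
    for pw in (mnemonic("Julia Roberts is a very pretty woman!"),
               mnemonic("Julia Roberts is a very pretty woman!", True)):
        print(pw, "online: %.2e years" % years_to_exhaust(pw, ONLINE_RATE),
              "offline: %.2e years" % years_to_exhaust(pw, OFFLINE_RATE))
```

The numbers make the poster's caveat concrete: the 8-character form survives online guessing for geological time but falls to an offline search in days, which is why the same password must never be reused across sites.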
 
Changing your iTunes password was clearly necessary. Hopefully, there are enough pieces of advice in this thread to ensure that you did that securely. I would also go much further than that, especially given that you have several computers to look after. You have no idea how your account was compromised and you should do a root and branch (pun not intended) excision of anything that requires a password. This means reviewing all passwords on all of your computers because you cannot be sure how the account was hacked. It may be that you have a key logger somewhere on your system.

A piece of good practice you may consider is actively changing all of your passwords on a regular basis. A password vault makes this act very easy. I would also consider asking your bank to reissue all of your debit/credit cards, especially any that are attached to your iTunes account. Make regular and complete backups of anything that is valuable to you.

Consider buying a password vault and make it as difficult as you can for the determined crook to obtain your passwords. Don't ever share passwords with anyone else (trusted friends may accidentally leave them written down) and do not use patterns or personal data as a password. Random is your friend and the more difficult you can make it, empirically speaking, the longer you will stay safe. Having had my e-mail account attacked previously (with the resultant chaos and informing my list of contacts that I was no longer going to use those addresses) I expunged all and I won't be opening my computers to anyone again.

As stated elsewhere... if I do not know the sender (on my personal white list) then it gets ruthlessly binned before I see it. My friends do not send me links or round robin e-mail messages and I don't randomly explore the internet. We are all presenting possible opportunities to cyber-criminals and just as we learned that you don't walk down the street waving your wealth about, we must learn that the cyber equivalent is also a way of attracting the wrong kinds of attention.

Good advice, but there is a balance to be had. I receive business from people I do not know so cannot refuse emails, although I would hope that my virus software would deal with that...

MSE has just reported some malware, which seems very co-incidental. It's cleaned it - now I need to go do some password changing...
 
As a penetration tester and security consultant, I do this day in and day out :p "Hacking" is my job :p If you bank with a major UK bank (or have a credit card), your bank has most likely been tested by myself or someone in my team at some point in time.


I'm assuming that as you say PC you mean a Windows machine, right? First step is to ensure you have a good, up-to-date anti-malware solution (Norton, McAfee, NOD32, etc. The specifics I leave to you - I'm a fan of NOD32 for a home environment, but as I work for one of the rivals I shouldn't recommend it :p)

Next is to run a full scan with that tool, as well as a specific anti-malware solution like Spybot S&D, Lavasoft's AdAware or Malwarebytes MBAM. I can post links for all of these if you wish; make sure you are downloading them from the official site as there are LOTS of clones around that are actually trojans.

If you've done all that, you'll want to check your email - could someone have gotten into your email and gotten a password reminder for iTunes? Good idea would be to change your password for the email as well as iTunes.

Next, contact Apple and explain to them the whole nine yards. They'll give you some advice and MAY refund you. I emphasize may, as I've seen it go both ways.

One final point before I go and do some spring cleaning... what sort of movies were they? Could they be something someone else in the household ordered? A kid, or friend passing by?

Anyhow, good luck!

M.

P.S. A nice trick I use for passwords is to pick a sentence, like "Julia Roberts is a very pretty woman!" and take the first letter from each word (or first and last). So:
JRiavpw!
or
JaRsisavypywn!

You can then throw in a number if you wish (or choose a sentence with a number; e.g. "This is my 1st work machine." : Tim1wm.)

The passwords would be uncrackable with a dictionary, and a brute force would take unreasonably long (assuming it's not an offline attack).

M.

I did wonder about the kids, especially as the 5 year old has just discovered that we can download games. But the time of the orders was such that we were tucked up in bed, and the films, with the one exception, were not something that any of them would download.

Quite peeved really. We did randomly have to sign in to one iTunes account differently last week. I think that must have had something to do with it.
 
As a penetration tester and security consultant, I do this day in and day out :p "Hacking" is my job :p If you bank with a major UK bank (or have a credit card), your bank has most likely been tested by myself or someone in my team at some point in time.


I'm assuming that as you say PC you mean a Windows machine, right? First step is to ensure you have a good, up-to-date anti-malware solution (Norton, McAfee, NOD32, etc. The specifics I leave to you - I'm a fan of NOD32 for a home environment, but as I work for one of the rivals I shouldn't recommend it :p)

Next is to run a full scan with that tool, as well as a specific anti-malware solution like Spybot S&D, Lavasoft's AdAware or Malwarebytes MBAM. I can post links for all of these if you wish; make sure you are downloading them from the official site as there are LOTS of clones around that are actually trojans.

If you've done all that, you'll want to check your email - could someone have gotten into your email and gotten a password reminder for iTunes? Good idea would be to change your password for the email as well as iTunes.

Next, contact Apple and explain to them the whole nine yards. They'll give you some advice and MAY refund you. I emphasize may, as I've seen it go both ways.

One final point before I go and do some spring cleaning... what sort of movies were they? Could they be something someone else in the household ordered? A kid, or friend passing by?

Anyhow, good luck!

M.

P.S. A nice trick I use for passwords is to pick a sentence, like "Julia Roberts is a very pretty woman!" and take the first letter from each word (or first and last). So:
JRiavpw!
or
JaRsisavypywn!

You can then throw in a number if you wish (or choose a sentence with a number; e.g. "This is my 1st work machine." : Tim1wm.)

The passwords would be uncrackable with a dictionary, and a brute force would take unreasonably long (assuming it's not an offline attack).

M.


Most excellent advice, but you missed a major weakness - the user :)

I'd add the following. Never open email that looks dodgy, never click on a link in an email, always close popups from task manager and don't click them anywhere.

Don't visit dodgy websites or download from them. If you are unsure about a website, do a WHOIS on it and see if the registration looks wrong.

Just be suspicious.
 
As a penetration tester and security consultant, I do this day in and day out :p "Hacking" is my job :p If you bank with a major UK bank (or have a credit card), your bank has most likely been tested by myself or someone in my team at some point in time.

Aha! I thought so. Black hat then. The cyber frontier is wide open and I went *nix when I could no longer stand fighting with Windows 95. Slackware, SuSE and Red Hat Linux were my introduction to the power behind *nix, and my own GUI laziness (goodbye X Windows, Motif, KDE and Gnome) mandated OS X, which is where I am now. :)
 
