
Could phishing be behind the thousands of dollars in fraudulent iTunes charges?

By Alvin Soon - on 24 Jul 2018, 6:10pm


Photo courtesy of Chen Yi Ling

Several Apple customers have experienced fraudulent charges on their iTunes accounts. Some of these charges have gone up to thousands of dollars.

Ms. Chen Yi Ling, for example, had over S$4,400 deducted in 27 transactions of S$163.43 from her DBS account on a single day. She says she had not used Apple’s services or products for at least five years.

The fraudulent charges weren’t limited to a single bank. Customers from Maybank and Standard Chartered were also affected.

An Apple spokesperson declined to comment on the matter, except to say that Apple is looking into it. Without official word, there’s no way to know how these customers’ accounts were affected.

Nick FitzGerald, a Senior Research Fellow from security company ESET, has a theory. “We have no further direct evidence other than what has been reported by the media, but from those reports, it seems likely that these fraudulent charges are the outcome of iTunes and/or credit card phishing attacks. iTunes/Apple ID is one of the most common phishing targets as people with iPhones tend to be high-value targets.”

A phishing attack begins when a potential victim receives a message containing a link, via email, instant messaging, or online posts. If they click on the link, they land on a website that looks like the real thing but is fake. The fake site asks them to log in with their user account and password, and that is when the account details are stolen.

“Secondly, many of the iTunes/Apple ID phishing sites not only ask for account credentials, but go on to ask for further information, such as credit card and bank details, and even more personal information such as address, mother’s maiden name, driver’s license details, and so on,” FitzGerald says. “Further, various non-iTunes/Apple ID phishing campaigns are aimed at obtaining credit card (and other banking) details, or login credentials for other popular online services.”

It remains to be seen whether the victims of these fraudulent charges had their accounts stolen via phishing. In the meantime, if you’re worried about having the same happen to you, there are things you can do to protect yourself.


How to prevent phishing attacks

Online security is very much like home security — instead of a single line of defense, think of it as having multiple layers. The more layers of protection you set up, the harder it’ll be to phish your details.

  1. Don’t click on suspicious links. This is the foremost defense, but it can be harder than it looks. Some links are obviously suspect, but other links appear harmless. When in doubt, never click. If the message looks legitimate, go to the site via your browser, instead of clicking on the link.
  2. Update your devices. Modern browsers are built with anti-phishing protection. It’s always good to update your devices to the latest software and browsers. They often contain security patches to fix bugs and vulnerabilities.
    1. Here’s how to check for updates on macOS.
    2. Here’s how to check for updates on Windows.
    3. Here’s how to check for updates on iOS.
    4. Here’s how to check for updates on Android.
  3. Install and run anti-virus. Anti-virus software has evolved. It doesn’t just weed out viruses; it can also detect phishing sites and block your devices from connecting to them. Here are a couple of solutions you can try.
    1. ESET offers paid anti-virus software for multiple devices.
    2. Malwarebytes offers free and paid tiers for their anti-virus software.
  4. Turn on 2-factor authentication. Turning on 2-factor authentication, or 2FA, requires you to enter your password, plus a secret code sent to your smartphone before you can log into an account. If someone manages to steal your password, they still won’t be able to log in without the secret code.
    1. Here’s how to set up 2FA on Apple devices.
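
Tip 1 notes that some links "appear harmless". The sketch below is an added example, not part of the original article: it parses a link the way a browser does and checks which site it would really open. The `TRUSTED_DOMAINS` allow-list, the `classifyLink` name and the sample links are assumptions made for illustration.

```javascript
// Added example. TRUSTED_DOMAINS is an assumed allow-list for illustration,
// not an official list of Apple domains.
const TRUSTED_DOMAINS = ["apple.com", "icloud.com"];

function classifyLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { verdict: "suspicious", reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    return { verdict: "suspicious", reason: "not HTTPS" };
  }
  // Anything before "@" is login info; the browser connects to what follows it.
  if (url.username || url.password) {
    return { verdict: "suspicious", reason: "text before @ hides the real host" };
  }
  // URL() already lowercases the host; drop a trailing root dot if present.
  const host = url.hostname.replace(/\.$/, "");
  // "xn--" labels are encoded non-ASCII names that can imitate Latin letters.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { verdict: "suspicious", reason: "encoded lookalike characters" };
  }
  // Trusted only if the host IS the domain or a true subdomain of it.
  if (TRUSTED_DOMAINS.some((d) => host === d || host.endsWith("." + d))) {
    return { verdict: "trusted", reason: host };
  }
  const brand = /apple|itunes|icloud/.test(host);
  return {
    verdict: "suspicious",
    reason: brand ? "brand name inside an unrelated domain" : "unrelated domain",
  };
}

// Constructed sample links for illustration.
const SAMPLE_LINKS = [
  "https://appleid.apple.com/sign-in",
  "https://appleid.apple.com.account-verify.example/login",
  "https://appleid.apple.com@billing.example/",
  "https://\u0430pple.com/", // first letter is Cyrillic "а"
  "https://notapple.com/",
];
for (const link of SAMPLE_LINKS) {
  const { verdict, reason } = classifyLink(link);
  console.log(`${verdict.padEnd(10)} ${link}  (${reason})`);
}
```

Only the first sample link is classified as trusted; the others put the familiar name somewhere other than the part of the address that decides which site opens.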

Apple has a detailed guide on how its users can avoid phishing scams. If you suspect you’ve been a victim of fraudulent charges, Apple has a support page on how to report problems with purchases. We also have a more detailed guide on how to set up digital defense for the everyday person.
