iTunes users should strengthen iTunes passwords following second hack

It’s been a second bad weekend for Apple, following another alleged app-driven hack of its iTunes store. iTunes users should now change the password on their iTunes account as well as switching to a prepaid debit card for the service.

Over the weekend, reports have been coming in that a second developer has been using a similar approach to the Vietnamese group, which appears to have ramped a range of apps with similar names to the top of a section on the App store, said Barmak Meftah, Fortify’s chief products officer.

“Over the 4th of July weekend, a Vietnamese group used the same strategy to ramp its apps to the top of the book charts on the App Store. This time around it seems it’s the travel section that’s been hit,” he said.

“The clever aspect of this hacking strategy is that iTunes members will see an app at the top of the charts and download it, if only to see what all the fuss is about, and then open themselves up to a obfuscated malware infection or, more likely, see their iTunes account details being lifted and misused,” he added.

Meftah went on to say that, whilst Apple will almost certainly stomp on this iTunes hacking methodology from a great height, the modus operandi is similar to that used by trending malware coders, who continually check online search trends and pump out malware via a range of hastily-registered infected Web sites.

It all comes down to raising the profile of an infected piece of code or Web site until a group of online users sees the code or Web site and thinks `Ooh – that looks interesting,’ and then infects their computer with a trojan or similarly nasty piece of malware, he explained.

According to the Fortify chief products officer, if – as seems likely – the Apple iTunes avenue of infection is closed off from the hackers, then other approaches will be tried, such as tapping hashtagged topics on Twitter and inserting poisoned links to lure the unwary into visiting infected Web pages.

Meftah says that using a pre-paid debit card such as the Paypal Visa top-up card – which can be loaded from a Paypal account, which itself can be funded by a conventional debit or credit card, without surcharge – makes a lot of sense for use on online sites like iTunes.

“I think we are going to see a lot more innovative infection methodologies like the iTunes developer hacks. The problem is that the Internet’s Web 2.0 structure is too open to lock down completely, so users and Web site operators need to take precautions,” he said.

“This goes way beyond ensuring your computer has IT security software installed. It’s about thinking about Internet safety and taking steps to defend your digital assets. E-commerce portal operators like Apple have their part to play as well, and should invest a larger slice of their profits in on-site security,” he added.

“It’s perhaps fortunate for Apple that iPad and iPhone users can only source apps for their device through the iTunes service, as otherwise there will be a lot of members heading for the exit as a result of this problem.”