Fraudulent iTunes charges: Third-party sites suspected

Ms Chen Yi Ling, 25, who works in communications, told The Straits Times she had over $4,400 deducted in 27 transactions of $163.43 from her DBS account on July 11. PHOTOS: COURTESY OF CHEN YI LING

Dozens of people who fell victim to a recent series of fraudulent transactions made on the Apple iTunes' platform and App Store could have had their details stolen from third-party websites.

Some were billed up to thousands of dollars through repeated payments made to a single app.

Account holders of banks such as DBS, OCBC, United Overseas Bank, Maybank and Standard Chartered discovered multiple transactions on their credit card statements or money deducted from their debit cards for transactions they did not make to the Apple App Store this month.

OCBC Bank's head of credit cards Vincent Tan said the unusual transactions in some cardholders' accounts were a result of issues on third-party websites, and that the bank is investigating. He did not name the websites.

"We advise cardholders to be vigilant when transacting on third-party sites and to contact the bank the moment they notice any suspicious activity on their card accounts," he said.

In some cases, thousands of dollars had been deducted from debit cards or charged to credit cards before the cards were blocked.

Ms Chen Yi Ling, 25, who works in communications, found $4,412.61 deducted from her DBS debit card account after 27 transactions of $163.43 each were made on July 11.

Fraudsters could have obtained users' private information, such as e-mail addresses, credit card details, user names and passwords, directly through phishing, in which they trick users into typing their personal details into realistic-looking but fake websites.

Or they could have purchased such information in bulk from hackers who put up the data they have stolen from firms for sale online.

"The fraudsters now have enough of the victim's credit card details to enter those payment details into their own or a fake iTunes account and charge purchases up to the victim's credit card limit," said Mr Nick FitzGerald, a senior research fellow at cyber-security company ESET.

These fraudsters then make payments to an app that they own or are connected to, and cash out the money before being detected. They make repeated small transactions to avoid detection.

"Banks may not trigger their anti-fraud measures for 'small' transactions, feeling that the nuisance factor to their customer is higher than the likely cost to the bank of occasional fraud that abuses just that mechanism," said Mr FitzGerald.

OCBC's Mr Tan said earlier the bank had detected and investigated unusual transactions on 58 cardholders' accounts early this month.

An Apple spokesman said the company is "looking into the matter", and declined to say how many user accounts have been affected, citing ongoing investigations.

Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Straits Times on July 24, 2018, with the headline Fraudulent iTunes charges: Third-party sites suspected. Subscribe