Scammer Pulls One on Apple
It has recently come to light that Apple Developer Connection simply gave away the password to Marko Karppinen's account. He is the CEO of MK&C, a software development studio based in Helsinki, Finland, which designs and develops Mac software. How could such a thing happen? Well, it seems that all the scammer had to do was send a poorly worded message to Apple.
A couple of days back Marko Karppinen found, much to his surprise, that he could not log in to Apple Developer Connection. Although his username and password did not match and had been obviously changed, he was able to regain access to his account by answering the security question, which was unmodified. Upon further inspection, he found this message in his .Mac mailbox:
"am forget my password of mac,did you give me password on new email marko [redacted]@yahoo.com"
It would seem that the attacker sent this e-mail to Apple, thus managing to obtain the necessary info to access the account. Hackers normally try to obtain this sort of info through a phishing attack on the user, or a hack on the service provider. Even a data leak would be a more reasonable way to obtain private info. Why bother with such time and resource consuming efforts when all you have to do is ask, and the Apple team will provide? With one poorly worded sentence the attacker gained access to Marko's e-mail account, iTunes Store account, iDisk, iPhone Developer Program, .Mac synchronizations, credit card info, and last but not least his ACD Premier membership which is worth about $3,000.
"Frankly, this makes me so angry that I can't see straight. Can you even begin to appreciate the amount of work I need to do to re-secure all the information that you have compromised? How do you propose to restore confidence that I, or indeed anyone, should ever store anything confidential on your systems again?" says Marko Karppinen on his blog.
The Apple Developer Connection's European support team contacted Marko and told him they would do everything in their power to fix the problem as soon as possible. They expressed their deepest regret in the matter and said incidents like this should not have happened.
Marko's latest post states that Apple has not re-contacted him yet, although a considerable amount of time has passed. "The account continues to get password reset requests, but as people have pointed out, those are harmless unless someone at Apple overrides the procedure manually."
Post a Comment