Jan 6, 2011 15:56 GMT

As many as 50,000 iTunes accounts containing credit card details are being sold on TaoBao, the Chinese equivalent of eBay, for prices as low as 1 yuan ($0.15).

The sellers advertise the ability to download anything from software to music, games, movies and so on, but warn that the accounts should be used within 24 hours after being bought.

This is because the legitimate owners will likely notice the fraudulent transactions and cancel their credit cards or change the passwords.

One of the people involved in the scheme admitted to a Global Times reporter, who discovered and investigated the problem, that the accounts were stolen.

"Of course these accounts are hacked, otherwise how could they be so cheap?" he said. However, he refused to say how they were obtained.

The most likely possibilities are phishing attacks or infections with password-stealing malware. Just last month we reported on a wave of fake iTunes emails warning users that their accounts would be suspended if they didn't contact the support department.

The advertised link took people to a drive-by download website mimicking an Apple support article, which silently tried to infect their computers with malware by exploiting vulnerabilities in outdated Flash Player and Java installations.

Another possibility is that fraudsters used stolen credit card details to create the iTunes accounts themselves. The Global Times reporter paid $5 for an account which contained the billing information of a US resident.

However, the fact that there have been a lot of reports in the past couple of months from people who claim that their iTunes accounts were misused to make unauthorized purchases suggests that these accounts were legit in the first place.

"Regardless of precisely how the cybercriminals selling access to the iTunes accounts managed to gain control over them, my advice is that you ensure that you have chosen a secure, non-dictionary word as your iTunes password that you never share with any other person or website," advises Graham Cluley, senior technology consultant at Sophos.