- Scammers in China are hijacking people's Apple IDs and making purchases via an iPhone and Mac feature called "Family Sharing."
- The feature is designed to help families share apps and music, but the scammers are using it lock out the actual owner of the account and buy in-app purchases and iTunes gift cards.
- To protect yourself, you should make sure you have two-factor authentication turned on for your Apple account.
When David tried to download apps on his iPhone and iPad recently, he found he wasn't able to because his account was linked to something called "Family Sharing."
That's a feature that Apple introduced in 2014 to make it easier to share apps, iCloud storage, and iTunes content like music and movies with up to five family members.
But this was news to David, who says he didn't remember turning on Family Sharing. After he dug into his account settings, he received a popup that to remove himself from the Family Sharing account he needed to contact a name that was in Chinese - and he had no way to get in touch.
David called Apple's support line, and they were able to fix the issue for him, but weren't able to tell him exactly why it happened nor anything he could do to keep his account safe in the future, he said. The problem was resolved, but the ordeal "struck me as odd," he told Business Insider in an email.
Not the only instanceIt is difficult to quantify how widespread the account hijacking involving Family Sharing is, but David is notthe onlyperson who has encountered it.
There are a handful of posts on Apple's support forums and Reddit that detail similar stories of accounts that couldn't buy apps or in-app purchases due to issues involving the feature.
One account, from April, is particularly detailed, and even suggests why the hackers might be trying this attack.
It starts when the author, Emmerage, receives an email from Apple saying that someone had purchased an app on his account.
Although he was "wary of phishing scams," he writes that after logging in to his account independently, he discovered someone had changed his name to Chinese characters, and a second account connected to the Apple ID had been buying a bunch of in-app purchases for the app Youku, a Chinese video app, using someone else's credit card and a fake Australian billing address.
From the April post on Apple's support forums:
"I find it difficult to believe that someone would go to that much trouble just to spend $100 on someone else's credit card to buy games and other crap on Youku. Also, I can't see how they would be able to reliably intercept confirmations and so on using a compromised email - there's nothing in trash, and I get my email notifications on my phone, surely I would have seen something? Surely they would have intercepted the purchase email I saw that made me change all the passwords? There has been no suspicious activity at all regarding my email, or the Apple ID until now, and no logins from new devices or anything else I would have expected to get a notification for if someone overseas was accessing any of my accounts."
"The most obvious way that could happen is if a hacker gained control of the victim's Apple ID," Thomas Reed, an Apple-focused researcher at security firm MalwareBytes, told Business Insider in an email. "This could provide a simple way to monetize a hacked Apple ID, and I did notice that one person reporting this kind of issue specifically mentioned he didn't have two-factor authentication turned on."
"So an unauthorized access to the victim's Apple ID account could explain it. In this case, enabling two-factor authentication should prevent that kind of unauthorized access," he continued.
Apple ID usernames and passwords can be an attractive target for scammers, who sometimes use Apple's security features to lock the data on an attacked device and ask for ransom.
Separately, in 2017, police in China reportedly arrested 22 people who resold information related to Apple ID accounts for between 10 and 180 yuan per account, or between $1.50 and $27.
What you can doThere are several potential reasons why this could be happening.
When setting up Family Sharing, the user being added receives an email or text with an option to join or decline, according to Apple. It's possible that many of these people who have reported the problem may have received the notification and mistakenly approved it, although most of the reports online say they believe that didn't happen.
There's another way to add an account to Family Sharing: if the administrator of the family has your password. This is useful for parents and other legitimate Family Sharing users.
But that also means that an attacker could obtain someone's password, perhaps through a fake phishing email or one of the leaked databases out there, and then use that password to take over the Apple ID account.
But if an attacker had your Apple ID and password, that means could gain access to your account directly if two-factor is not turned on. So it's still unclear why the Family Sharing feature is entering into this phenomenon - why would a scammer make purchases with a linked account instead of the original?
There is one solid way to make your Apple ID more secure: by turning on two-factor authentication. That means in order to log in, a password and user ID wouldn't be enough - they'd need a 6-digit code from your phone or another trusted device.
Regardless, it's a reminder that you should practice good account security, especially with important accounts. Don't reuse passwords, don't use bad passwords like "password," and turn on two-factor authentication wherever possible.
Have you noticed Family Sharing-related weirdness on your Apple ID? Do you know what's going on here? Email the author at firstname.lastname@example.org.