The BBC reports that a web scam is affecting a number of iTunes accounts that are linked to PayPal. Amounts ranging up to $4,700 were reported on Twitter and through TechCrunch as being stolen.
All signs point to users falling for an online scam known as phishing. People will get e-mails that look similar to those from official sources urging them to change their user name and password for security reasons. They'll be redirected to a fake website which collects the credentials.
The perpetrators then use the information to engage in further scams, such as the royalty scam we reported on earlier today. MobileMe was a target for phishing in the past. New ways of ferreting out this information are also being developed, such as tabnabbing, which could fool even those who are familiar with these sorts of scams.
One of the best defenses against phishers on a Mac is to invest in 1Password. If you click on a fraudulent e-mail and it tries to get you to change a password, 1Password is going to detect the phishing site and steer you away.
Otherwise, use common sense. Neither Apple, PayPal, nor any other legitimate company will send you an e-mail asking for personal account information. If you get an e-mail asking for your full name, Social Security Number, credit and/or debit card numbers, passwords, etc., it is always fraud. Likewise, never click on an e-mail link to access your account. Go directly to the web site itself. If you have a parent or child who is not web-savvy, double-check to make sure that they have not fallen for any of these scams.
If you are a victim of this, contact PayPal immediately. The company told the BBC that it will reimburse any unauthorized charges.
[All Things D reports that Apple is denying any iTunes-specific security breaches, adding to the likelihood that the account credentials were phished. –Ed.]