Apple said a full fix for the hack, which allows users to "complete" in-app purchases without really paying, would not be available until iOS 6. At the same time, it detailed a workaround to developers: Apple emailed them a link to a webpage describing in detail how they could ensure that Borodin's method wasn't leeching their revenue.
Put simply, Borodin's method works by redirecting the app's requests for Apple's servers to his own, which send bogus purchase-completion notifications back to the app. It's a little more complex than that, involving modified DNS settings on the device, which must also be connected to a wi-fi network, but that's it in a nutshell. iOS 6 will, Apple said, completely fix the issue.
However, Borodin has expanded the war by moving on to Mac OS X. The "In-Appstore for OS X" service that he is now running uses a method that is very similar to that used in his prior iOS hack to spoof completed transactions.
For Mac OS X, there is a companion app called "Grim Receiper" that must be run on the local machine. Aside from that, it's nearly identical to the iOS method. After installing two local certificates, an end user modifies their DNS settings to point to Borodin's server, which pretends to be the Mac App Store and issues "validation" of the purchase.
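As an added illustration (not from the article or from Apple's guidance) of how an app's own validation step can refuse the spoofed store server described above, in both the iOS and OS X variants: it pins the genuine validation server's certificate fingerprint, which the two locally installed certificates cannot reproduce, and then checks that the receipt belongs to this app, names a product it actually sells, and has not been redeemed before. The bundle id, product id, transaction ids, certificate bytes and response field names are constructed assumptions.

```python
import hashlib
from typing import Dict, Set, Tuple

# Constructed stand-ins for certificates; a real pin is the hash of the
# genuine store server's DER certificate, captured out of band.
GENUINE_STORE_CERT = b"constructed: genuine store server certificate"
SPOOFED_STORE_CERT = b"constructed: certificate from a redirected server"
EXPECTED_PIN = hashlib.sha256(GENUINE_STORE_CERT).hexdigest()


def cert_matches_pin(der_cert: bytes, expected_pin: str = EXPECTED_PIN) -> bool:
    """A locally installed CA can make a fake chain 'trusted', but it cannot
    reproduce the genuine leaf certificate, so a fingerprint pin still catches
    the redirected server after DNS has been changed."""
    return hashlib.sha256(der_cert).hexdigest() == expected_pin


class ReceiptValidator:
    """Checks the parsed validation response against what this app expects.
    Field names (status, receipt.bid, product_id, transaction_id) are an
    assumption about the response shape, not taken from the article."""

    def __init__(self, bundle_id: str, known_products: Set[str]) -> None:
        self.bundle_id = bundle_id
        self.known_products = set(known_products)
        self.seen_transactions: Set[str] = set()

    def validate(self, response: Dict) -> Tuple[bool, str]:
        if response.get("status") != 0:
            return False, "store reported a non-zero status"
        receipt = response.get("receipt") or {}
        if receipt.get("bid") != self.bundle_id:
            return False, "receipt is for a different bundle id"
        if receipt.get("product_id") not in self.known_products:
            return False, "receipt names a product this app does not sell"
        tx = receipt.get("transaction_id")
        if not tx:
            return False, "receipt has no transaction id"
        if tx in self.seen_transactions:
            return False, "transaction id already redeemed (replay)"
        self.seen_transactions.add(tx)
        return True, "ok"


def unlock_purchase(der_cert: bytes, response: Dict,
                    validator: ReceiptValidator) -> Tuple[bool, str]:
    """Grant content only when both the server identity and the receipt hold."""
    if not cert_matches_pin(der_cert):
        return False, "validation server certificate does not match pin"
    return validator.validate(response)
```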
It's clear from the stats, if they are correct, that human nature being what it is, people find it hard to pass up a freebie, even though it hurts the developers (who can probably ill afford it) more than Apple (which probably can).