5/27/2014 01:00 PM

Apple Users Fend Off Ransom Attacks Against iPhones & Macs

Hack leverages Find My iPhone feature and potential iCloud account compromise to hold devices hostage.

Owners of Mac and iOS devices have found their iPhones and iPads held for ransom through a hack that targets the Find My iPhone and Find My Mac features on these devices to trigger a remote lock of the device.

The Find My iPhone feature is meant to let users track a missing device on a map, remotely lock it if it is lost or stolen, and display a custom message on the lock screen for whoever finds it. The attack, which first surfaced in numerous reports from Australia yesterday, uses that custom message to claim it was carried out by one "Oleg Pliss," likely a pseudonym, since the most visible person by that name is a software engineer at Oracle. The message demands that users pay $100 through PayPal to have their devices unlocked.

While early reports showed mostly users in Australia and the UK affected by the ransom attempt, posts continuing to stream in through Apple's support forums show that US and Canadian users are also waking to find their devices held hostage. Online scuttlebutt shows that numerous users have been hit on several of their devices at once, and some more than once on the same device, indicating that the attackers likely got in through the users' iCloud accounts rather than through the devices themselves.

It's currently unclear as to how the attacker gained access into these iCloud accounts, and Apple has yet to respond to requests from Dark Reading for commentary on the matter.

"Given the localized nature of the attacks, it's likely that this is a case of password reuse as opposed to Apple servers being compromised," says Michael Sutton, vice president of security research at Zscaler. "It is likely that a third-party database was compromised and authentication credentials stolen that are the same credentials used by the owners of the affected iOS devices."

Apple forum users speculated early on that the hack could be tied to the recent eBay breach of usernames and passwords, but the number of affected users who have no eBay account makes that unlikely. At the moment, the users affected are primarily those who had not set a device passcode. Those who have been hit report that the best workaround is to erase the device from recovery mode and restore it from an iTunes backup.
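The password-reuse scenario Sutton describes, together with the passcode detail above, as an added example that is not part of the original article and not Apple's code: a constructed breach dump from some third-party site is replayed against a constructed account store that hashes passwords properly, which shows that good server-side hashing does nothing against reuse, and which accounts and devices would end up lockable. The account store, the credentials, and the device model (a second factor gates the login; a device that already has its own passcode is not counted as hostage, matching what the article reports) are assumptions for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample data (not from the article): plaintext credentials
# leaked from some unrelated third-party site.
BREACH_DUMP = [
    ("alice@example.com", "Summer2014!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correct horse"),
    ("dave@example.com", "letmein"),
]


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    two_factor: bool
    devices: dict  # device name -> True if the owner set a device passcode


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256. The iteration count is kept low only so the
    # example runs quickly; a real store would use far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_account(password: str, two_factor: bool, devices: dict) -> Account:
    salt = os.urandom(16)
    return Account(salt, hash_password(password, salt), two_factor, devices)


# Constructed target service (assumption): the cloud account store with the
# passwords the owners chose, their 2FA state and their enrolled devices.
# Only carol chose a password different from the one leaked elsewhere.
ACCOUNTS = {
    "alice@example.com": make_account("Summer2014!", False, {"iPhone": False, "MacBook": False}),
    "bob@example.com": make_account("hunter2", True, {"iPad": False}),
    "carol@example.com": make_account("Tr0ub4dor&3", False, {"iPhone": True}),
    "dave@example.com": make_account("letmein", False, {"iPhone": True, "iPad": False}),
}


def verify(account: Account, password: str) -> bool:
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(hash_password(password, account.salt), account.pw_hash)


def stuff_credentials(dump, accounts) -> list:
    """Replay leaked (email, password) pairs against the target service.

    Returns the emails whose leaked password also works here. Salting and
    a slow hash protect against cracking the store; they cannot tell a
    reused password from a legitimate login.
    """
    return [email for email, pw in dump if email in accounts and verify(accounts[email], pw)]


def hostage_devices(accounts, taken_over) -> dict:
    """Devices an attacker could lock with a code of their own choosing.

    Model (assumption): a second factor stops the attacker at login, and a
    device whose owner already set a passcode is not hostage, because the
    owner still knows that code.
    """
    result = {}
    for email in taken_over:
        acct = accounts[email]
        if acct.two_factor:
            continue
        exposed = [name for name, has_code in acct.devices.items() if not has_code]
        if exposed:
            result[email] = exposed
    return result


if __name__ == "__main__":
    taken = stuff_credentials(BREACH_DUMP, ACCOUNTS)
    print("accounts reusing a leaked password:", taken)
    print("devices lockable with an attacker's code:", hostage_devices(ACCOUNTS, taken))
```

Three of the four accounts fall to the replay even though the store never exposed a hash; only the account with a unique password survives, and of the three taken over only the one with a second factor keeps its device out of reach. Devices that already had a passcode drop out of the hostage list, which is the pattern the forum reports describe.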


"Fortunately, this is a situation where Apple can intervene to reset the device and affected users should not pay the ransom being sought," Sutton says.

While this hack is a slight variation on the usual ransomware scare, it lends new weight to existing warnings from security pundits that mobile platforms will increasingly be the target of hostage-taking schemes in the near future. This month, for example, brought renewed interest in CryptoLocker ransomware, which has made the jump to Android devices.

"We will continue to see an increase in mobile ransomware attacks until users improve their security procedures -- especially as more and more is done on mobile devices," says Fabian Franco, lead incident responder at Foreground Security, explaining that today's mobile hygiene practices are so bad that users remain open to simple script kiddie attacks. "Users must begin using two-factor authentication as well as complex passwords consisting of upper and lower case letters, numbers and special characters."

Additionally, given mobile device reliance on cloud engines to run their services, hacks like these that are more closely aligned to server-side account compromise rather than device-side compromise will challenge IT to find better ways to protect corporate devices.

"I do want to point out that none of the iPhone AV or MDM solutions protect against this attack," says Tal Klein, vice president of strategy and marketing at Adallom.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Randy Naramore, User Rank: Ninja, 5/28/2014 | 9:14:40 AM
Re: More Research
The root cause is still unknown, but some of the devices hacked were not password protected; at least the "Find My iPhone" feature was not protected. True, Apple does not know how the hack was performed, but at least there is some detail.
RyanSepe, User Rank: Ninja, 5/27/2014 | 6:04:16 PM
More Research
This article is very interesting, and I think it very pertinent to reiterate that the ransom NEED NOT BE PAID, because Apple can provide access to your phone without yielding to the ransomware's demands.

After looking further into this, many causes are speculated, but none can be explicitly linked. Among these are man-in-the-middle attacks that allow users to go to a fake login page, providing the hacker with the iCloud credentials. Another plausible one that I have found is a Joe Job: providing an offer that seems irresistible and having naive people try to redeem the prize. This is a similar scenario to the IE 8 vulnerability that was discovered recently.

Whatever the reasoning, more research will need to be done to find the cause. This exploit/ransomware is not devastating, because there are ways to mitigate. However, I think the underlying issue that is allowing the ransomware's birth will most likely be used for a much more nefarious purpose in the future. This is a very dangerous situation if the cause cannot be discovered soon.