Mobile
5/27/2014
01:00 PM

Apple Users Fend Off Ransom Attacks Against iPhones & Macs

Hack leverages Find My iPhone feature and potential iCloud account compromise to hold devices hostage.

Owners of Mac and iOS devices have found their iPhones and iPads held for ransom through a hack that targets the Find My iPhone and Find My Mac features on these devices to trigger a remote lock of the device.

The Find My iPhone feature is meant to let users track a missing device on a map, remotely lock it if it is lost or stolen, and display a custom message so that whoever finds the device sees it. First surfacing in numerous reports in Australia yesterday, the attack uses that custom message to claim it is the work of one Oleg Pliss, likely a pseudonym, given that the most visible person by that name is a software engineer at Oracle. Through the displayed message, the attacker asks users to pay $100 through PayPal for the privilege of unlocking their phones.

While early reports showed mostly users in Australia and the UK affected by the ransom attempt, continued posts streaming in through Apple support forums show that US and Canadian users are waking to find their devices held hostage as well. Online scuttlebutt shows that numerous users have been hit by the ransom attack on several of their devices at once, and some have been hit more than once on the same device, indicating that the attackers likely broke into the devices through users' iCloud accounts.

It's currently unclear as to how the attacker gained access into these iCloud accounts, and Apple has yet to respond to requests from Dark Reading for commentary on the matter.

"Given the localized nature of the attacks, it's likely that this is a case of password reuse as opposed to Apple servers being compromised," says Michael Sutton, vice president of security research at Zscaler. "It is likely that a third-party database was compromised and authentication credentials stolen that are the same credentials used by the owners of the affected iOS devices."

Apple forum users speculated early on that the hack could have ties to the recent eBay breach of usernames and passwords, but a number of surfacing cases involving users who have no eBay accounts makes that an unlikely prospect. At the moment, primarily users who had not set a device passcode are affected by the hack. Those who have been affected report that the best workaround is to reset and erase the device using recovery mode and then restore it from an iTunes backup.

"Fortunately, this is a situation where Apple can intervene to reset the device and affected users should not pay the ransom being sought," Sutton says.

While this hack is a slight variation on the usual ransomware scares, it lends new weight to security pundits' existing warnings that mobile platforms will increasingly be the target of hostage-taking schemes in the near future. For example, this month saw renewed interest in CryptoLocker ransomware, which made the jump to Android devices.

"We will continue to see an increase in mobile ransomware attacks until users improve their security procedures -- especially as more and more is done on mobile devices," says Fabian Franco, lead incident responder at Foreground Security, explaining that today's mobile hygiene practices are so bad that users remain open to simple script kiddie attacks. "Users must begin using two-factor authentication as well as complex passwords consisting of upper and lower case letters, numbers and special characters."

Additionally, given mobile device reliance on cloud engines to run their services, hacks like these that are more closely aligned to server-side account compromise rather than device-side compromise will challenge IT to find better ways to protect corporate devices.

"I do want to point out that none of the iPhone AV or MDM solutions protect against this attack," says Tal Klein, vice president of strategy and marketing at Adallom.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Randy Naramore, User Rank: Ninja
5/28/2014 | 9:14:40 AM
Re: More Research
The root cause is still unknown, but some of the devices hacked were not password protected; at least the "Find My iPhone" feature was not protected. True, Apple does not know how the hack was performed, but at least there is some detail.
RyanSepe, User Rank: Ninja
5/27/2014 | 6:04:16 PM
More Research
This article is very interesting, and I think it is very pertinent to reiterate that the ransom NEED NOT BE PAID, because Apple can provide access to your phone without yielding to the ransomware's demands.

After looking further into this, many causes are speculated, but none can be explicitly linked. Among these are man-in-the-middle attacks that lead users to a fake login page, providing the hacker with the iCloud credentials. Another plausible one that I have found is a Joe Job: providing an offer that seems irresistible and having naive people try to redeem the prize. This is a similar scenario to the IE 8 vulnerability that was discovered recently.

Whatever the reasoning, more research will need to be done to find the cause. This exploit/ransomware is not devastating, because there are ways to mitigate it. However, I think the underlying issue that is allowing the ransomware's birth will most likely be used for a much more nefarious purpose in the future. This is a very dangerous situation if the cause cannot be discovered soon.