Free Republic
Apple devices held for ransom, rumors claim 40M iCloud accounts hacked
CSO ^ | July 8, 2016 | By Steve Ragan

Posted on 07/08/2016 10:46:39 PM PDT by Swordmaker

Since February, a number of Apple users have reported locked devices displaying ransom demands written in Russian.

Earlier this week, a security professional posted a message to a private email group requesting information related to a possible compromise of at least 40 million iCloud accounts.

Salted Hash started digging around on this story after the email came to our attention. In it, a list member questioned the others about a rumor concerning "rumblings of a massive (40 million) data breach at Apple."

Ransom report from Reddit

The message goes on to state that the alleged breach was conducted by a Russian actor, and that the vector "seems to be via iCloud to the 'locate device' feature, and is then locking the device and asking for money."

Salted Hash reached out to Apple for comment; we'll update this article if they respond.

Update: Sources familiar with these types of attacks, speaking on background with Salted Hash, have said the victim count of 40 million is likely way overblown. Their reasoning is sound too, because even if only a small percentage of the list were being attacked, a few hundred thousand victims within a few months would stand out like a beacon. In short, there would be no way to keep such attacks under the radar.

For now, let's assume there hasn't been a massive iCloud data breach. If that's the case, then how are these users being compromised?

How the attack works:

In 2014, someone (or perhaps more than one person) using the name "Oleg Pliss" held an unknown number of Australian Apple devices for ransom, demanding a payment of $100.

The Russian Interior Ministry announced in June of 2014 that two people were arrested for blocking Apple devices to extort funds. With those arrests, it was assumed the scams were finished.

But since at least February of this year, the scams have returned. The most recent cases target users in Europe and the United States, and the methods used by the attackers are the same ones that were popular two years ago.

It starts with a compromised Apple ID. From there, the attacker uses Find My iPhone and places the victim's device into lost mode. At this point, they can lock the device, post a message to the lock screen and trigger a sound to play, drawing attention to it.

In the cases reported publicly, the ransom demanded is usually $30 to $50. If a victim contacts the referenced email address, in addition to payment instructions, they're told they have 12 hours to comply or their data will be deleted.

Timeline:

Ransom report from Facebook

On July 1, Alanna Coca noticed her iPad had started beeping. When she opened the cover, the lock screen had a message displaying a phrase in Russian – "Dlya polucheniya parolya, napshite na email" – followed by a Gmail address.

Roughly translated, the phrase was telling her that in order to receive a password, she'll need to email the address displayed.

Speaking to Salted Hash, Coca explained that when she logged into iCloud, her iPad had been placed offline and she was unable to communicate with it. Apple Support eventually helped her resolve the problem, which required a factory reset.

Ransom reports from Twitter

On July 4, a woman in Kentucky asked friends on Facebook if they knew how to "disable the lost iPad feature, when you didn't activate it, it's no longer on your iCloud, and the ransom is in Russian?"

It's unclear if she was able to restore her device.

In June, someone on Reddit reported their iCloud account was compromised and a ransom demand in Russian had appeared on their iPhone. Unfortunately, they didn't have current backups, so a factory reset would erase all of their saved data.

In fact, there were at least five other incidents reported in June. All of them had the same ransom demand and required contact with one of two different Gmail accounts.

On May 14, a software tester in Sterling, VA posted a blog about his experience with the ransom demands, after his Apple ID was compromised. That same day, another victim posted a warning on Facebook, urging friends to protect their iCloud accounts because of the same situation.

Recycled Passwords:

"Luckily I didn't have many apps loaded or lost," Coca said in an email to Salted Hash.

"It seems to be perfectly fine now," she added, explaining the aftermath of the incident. "I have since added 2-step authorization. I'm blaming my laziness in having the same password on several accounts (including recently-hacked LinkedIn)."

It isn't clear if recycled passwords are to blame in the most recent ransom cases, but it wouldn't be a stretch to assume so, as this was the suspected cause in 2014 too.

Recently, hundreds of millions of compromised usernames and passwords were published online. They come from services such as LinkedIn, iMesh, VK.com, MySpace, Badoo.com, and more. The odds that some of those leaked credentials are tied to active Apple IDs are good, and the LinkedIn list has already been tied to additional data breaches.

However, even if the leaked lists are not the source of the latest ransom demands, it's possible that Apple IDs were compromised during phishing attacks or a recent data breach, such as the one at Mac-Forums.com.

Mac-Forums.com database ad

According to the ad, the Mac-Forums.com database (one of three databases from a single company that's been compromised) is available for just ~$775.00. The website currently has 291,214 members.

HotScripts.com (1,000,000+ records) was also recently compromised; that database is selling for ~$1,900. These two databases could contain plenty of Apple IDs and recycled passwords.

Apple has published some advice for users who feel their Apple ID has been compromised. In addition, they encourage users to pick a unique password that is tied only to their Apple ID, and to use two-factor authentication and two-step verification.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: apple; applepinglist; internet; ransomeware; security

1 posted on 07/08/2016 10:46:40 PM PDT by Swordmaker

To: dayglored; ShadowAce; ~Kim4VRWC's~; 1234; 5thGenTexan; Abundy; Action-America; acoulterfan; ...
Another article on the Russian Ransom for locked iOS devices because of phished AppleIDs. Some good advice here. DO NOT USE YOUR AppleID passcode for any other site and turn on two factor authentication. — PING!

Pinging dayglored, Shadow Ace.


Apple iOS Ransoms from Phishing
Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

2 posted on 07/08/2016 10:51:11 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue..)

It is agreed by all in the know that the 40 million hacked or phished iCloud accounts is bogus. There is no way that many could go un-remarked. . . even a few thousand would make headlines and that has not happened.

Even the number of “lost” iPhones and iPads being held for ransom seems to be in the low hundreds, if even that.

Remember it requires the iCloud passcode be phished from an unsuspecting victim for this to work at all.


3 posted on 07/08/2016 10:54:03 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue..)

To: Swordmaker

My cloud is a small black box sitting on my desk.
As much as osx tries to get me in ‘the cloud’ I’ve never done so and don’t expect to ever put my data in a server somewhere miles away.


4 posted on 07/09/2016 3:31:55 AM PDT by Vinnie

To: Swordmaker

Apple devices held for ransom at Cupertino foam party. Breaking news!


5 posted on 07/09/2016 2:18:54 PM PDT by dennisw (The strong take from the weak, but the smart take from the strong)


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson