
iCloud Hack Takes Out Apple Devices in Australia and New Zealand

Some Australians and New Zealanders who own iPads and iPhones received a rude awakening from an online attacker. When they powered up their iOS devices, their home screens were locked on a nefarious message. “Device hacked by Oleg Pliss,” says the message. “For unlock device YOU NEED send voucher code  by $50 one of this (Moneypack/Ukash/ PaySafeCard) to _____ for unlock.”

In most cases, Mr. Pliss asked for US$50 or €50. In other cases, he got greedier, demanding US$100 or €100 via PayPal. Although it looks like ransomware to the user, security analysts discovered that no one’s iPad or iPhone actually had malware on it. The mysterious Oleg Pliss had actually taken control of the users’ iCloud accounts.

Hijacking iCloud

iCloud is the hub that connects an Apple user’s devices. Macs, iPods, iPhones and iPads upload files to iCloud, and those files are pushed to other devices. It’s the reason that something downloaded to iTunes on an iPhone also appears on the user’s Mac without requiring USB sync. It’s also the tool that lets iPhone and iPad users locate their devices remotely or wipe them if they’re lost or stolen.

Oleg Pliss didn’t develop malware, which could have been easily detected and erased by Mac antivirus software. He hijacked Aussie and Kiwi iCloud accounts by somehow obtaining login credentials. Security researchers have several hypotheses for how attackers stole the information:

  • Recent data breaches. Some researchers wonder whether Oleg Pliss used data from a recent breach, like the eBay breach, to hack into people’s iCloud accounts. In many cases, people use a single password for all of their accounts, or they use just a handful of passwords for multiple accounts.
  • Man-in-the-middle attacks. Some experts suggest that an iTunes or iCloud bug could have rerouted devices to a fake iCloud login site. When users logged into the fake site, attackers gained access to their passwords. Another hypothesis is that attackers rerouted ISP traffic within a vulnerable Australian network. iCloud users had no idea that they were visiting malicious servers.
  • “Joe Job” attack. A Joe Job attack is the online equivalent of writing “For a good time, call ____” in a bathroom stall and scribbling in the number of someone the graffiti artist doesn’t like. In other words, someone could have posted someone else’s iCloud login credentials as an act of retribution against the account holders.

What to Do

So far, experts have no idea how Oleg Pliss obtained iCloud login information. However, they do have some suggestions about how users can keep their iCloud login information safe.

  • Enable two-factor authentication (2FA). iCloud users should set up 2FA with their Apple ID, which won’t allow them to log in to iCloud and other Apple services without entering a second login code. Users can receive codes via text message, or they can get codes on any iOS device.
  • Back up all iOS devices. Anyone who owns an iPod, iPad or iPhone should save a backup copy on either their Mac or an external hard drive. If they find their devices locked or remotely wiped, they can perform a recovery mode reset of their iOS devices and recover the backup copy using iTunes.
  • Change all duplicate passwords. Apple users should change all passwords so that they avoid using the same password on more than one account. A password manager can generate random passwords, which contain tough-to-crack combinations of numbers, letters and symbols. Then, password managers store the passwords and auto-fill them into different login fields with a single click.
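
The password-reuse advice above can be checked mechanically. The following is an added example, not part of the original article: it audits a constructed list of vault entries for passwords shared across accounts (the breach-reuse hypothesis) and replaces each shared one with a unique random password. The vault layout, site names and function names are assumptions made for illustration.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample entries (site, username, password); not real data.
SAMPLE_VAULT = [
    ("icloud.com", "kiwi@example.com", "Sunshine2014"),
    ("ebay.com", "kiwi@example.com", "Sunshine2014"),
    ("paypal.com", "kiwi@example.com", "Sunshine2014"),
    ("bank.example", "kiwi@example.com", "r7#Lq!9vTz2@pXw4"),
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def find_reused(vault):
    """Return sorted groups of sites that share one exact password."""
    groups = defaultdict(list)
    for site, _user, password in vault:
        # Group by digest so plaintext passwords never appear in a report.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        groups[digest].append(site)
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


def generate_password(length=20):
    """Random password from a CSPRNG with all four character classes."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def rotate_reused(vault):
    """Give every account in a reuse group its own new password."""
    reused = {site for group in find_reused(vault) for site in group}
    return [(site, user, generate_password() if site in reused else password)
            for site, user, password in vault]


if __name__ == "__main__":
    for group in find_reused(SAMPLE_VAULT):
        print("shared password:", ", ".join(group))
    print("reuse after rotation:", find_reused(rotate_reused(SAMPLE_VAULT)))
```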

A Tempting Target

The Australian and New Zealand iCloud attacks aren’t the only known hacks of iCloud accounts. The Russian Interior Ministry also recently reported that it had seized computers, SIM cards and phones used by a pair of Russian hackers. The hackers had obtained iCloud credentials using phishing emails directed at Apple users. They had also created new Apple accounts locked to victims’ iOS devices. Once they had created the new accounts, they sold the Apple credentials so that buyers could obtain apps, music and other assets stored in iCloud by the person who owned the device.

As Apple devices become more popular, attackers will look for more ways to disrupt their operations. Antivirus programs and smart device management techniques, in most cases, should help Apple users protect their accounts.

Andy Ruffell
