Apple Users Fend Off Ransom Attacks Against iPhones & Macs

Hack leverages Find My iPhone feature and potential iCloud account compromise to hold devices hostage.


Owners of Mac and iOS devices have found their iPhones and iPads held for ransom through a hack that targets the Find My iPhone and Find My Mac features on these devices to trigger a remote lock of the device.

The Find My iPhone feature is meant to allow users to track missing devices on a map, remotely lock the device in the event that it is lost or stolen, and display a custom message so that whoever finds it will see it. First surfacing in numerous reports in Australia yesterday, this attack claims through the custom message to be perpetrated by an "Oleg Pliss," likely a pseudonym given that the most visible person by that name is a software engineer at Oracle. The malicious hacker responsible asks through the displayed message for users to pay $100 through PayPal for the privilege of unlocking their phones.

While early reports showed mostly users in Australia and the UK affected by the ransom attempt, continued posts streaming in through Apple support forums show that US and Canadian users are waking to find their devices held hostage as well. Online scuttlebutt shows that numerous users have been hit by the ransom attack on several of their devices at once, and some have been hit more than once on the same device, indicating that the attackers likely broke into the devices through users' iCloud accounts.

It's currently unclear how the attacker gained access to these iCloud accounts, and Apple has yet to respond to requests from Dark Reading for comment on the matter.

"Given the localized nature of the attacks, it's likely that this is a case of password reuse as opposed to Apple servers being compromised," says Michael Sutton, vice president of security research at Zscaler. "It is likely that a third-party database was compromised and authentication credentials stolen that are the same credentials used by the owners of the affected iOS devices."

Apple forum users speculated early on that the hack could have ties to the recent eBay breach of usernames and passwords, but a number of cases have surfaced of affected users who have no eBay accounts, which makes that an unlikely prospect. At the moment, primarily users who had not set a device passcode are affected by the hack. Those who have been affected report that the best workaround is to reset and erase the device using recovery mode and restore it from an iTunes backup.


"Fortunately, this is a situation where Apple can intervene to reset the device and affected users should not pay the ransom being sought," Sutton says.

While this hack is a slight variation on the more usual ransomware scares, it does bring new awareness to existing warnings from security pundits that mobile platforms will increasingly be the target of hacking hostage schemes in the near future. For example, this month stirred renewed interest in CryptoLocker ransomware, which made the jump to Android devices.

"We will continue to see an increase in mobile ransomware attacks until users improve their security procedures -- especially as more and more is done on mobile devices," says Fabian Franco, lead incident responder at Foreground Security, explaining that today's mobile hygiene practices are so bad that users remain open to simple script kiddie attacks. "Users must begin using two-factor authentication as well as complex passwords consisting of upper and lower case letters, numbers and special characters."

Additionally, given that mobile devices rely on cloud back ends to run their services, hacks like this one, which are more closely aligned to server-side account compromise than to device-side compromise, will challenge IT to find better ways to protect corporate devices.

"I do want to point out that none of the iPhone AV or MDM solutions protect against this attack," says Tal Klein, vice president of strategy and marketing at Adallom.

About the Author

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
