Apple devices held for ransom, rumors claim 40M iCloud accounts hacked

Since February, a number of Apple users have reported locked devices displaying ransom demands written in Russian.

Earlier this week, a security professional posted a message to a private email group requesting information related a possible compromise of at least 40 million iCloud accounts.

Salted Hash started digging around on this story after the email came to our attention. In it, a list member questioned the others about a rumor concerning “rumblings of a massive (40 million) data breach at Apple.”

The message goes on to state that the alleged breach was conducted by a Russian actor, and vector “seems to be via iCloud to the ‘locate device’ feature, and is then locking the device and asking for money.”

Salted Hash reached out to Apple for comments, we’ll update this article if they respond.

Update: Sources familiar with these types of attacks, speaking on background with Salted Hash, have said the victim count of 40 million is likely way overblown. Their reasoning is sound too, because even if only a small percentage of the list were being attacked, a few hundred thousand victims within a few months would standout like a beacon. In short, there would be no way to keep such attacks under the radar.

For now, let’s assume there hasn’t been a massive iCloud data breach. If that’s the case, then how are these users being compromised?

How the attack works:

In 2014, someone (or perhaps more than one person) using the name “Oleg Pliss” held an unknown number of Australian Apple devices for ransom, demanding a payment of $100.

The Russian Interior Ministry announced in June of 2014 that two people were arrested for blocking Apple devices to extort funds. With those arrests, it was assumed the scams were finished.

But since at least February of this year, the scams have returned and the most recent cases are targeting users in Europe and the United States, but the methods used by the attackers are the same ones that were popular two years ago.

It starts with a compromised Apple ID. From there, the attacker uses Find My iPhone and places the victim’s device into lost mode. At this point, they can lock the device, post a message to the lock screen and trigger a sound to play, drawing attention to it.

In each of the cases reported publicly, the ransom demanded is usually $30 to $50. If a victim contacts the referenced email address, in addition to payment instructions, they’re told they have 12 hours to comply or their data will be deleted.

Timeline:

On July 1, Alanna Coca noticed her iPad had started beeping. When she opened the cover, the lock screen had a message displaying a phrase in Russian – “Dlya polucheniya parolya, napshite na email” – followed by a Gmail address.

Roughly translated, the phrase was telling her that in order to receive a password, she’ll need to email the address displayed.

Speaking to Salted Hash, Coca explained that when she logged into iCloud, her iPad had been placed offline and she was unable to communicate with it. Apple Support eventually helped her resolve the problem, which required a factory reset.

On July 4, a woman in Kentucky asked friends on Facebook if they knew how to “disable the lost iPad feature, when you didn’t activate it, it’s no longer on your iCloud, and the ransom is in Russian?”

It’s unclear if she was able to restore her device.

In June, someone on Reddit reported their iCloud account was compromised and a ransom demand in Russian had appeared on their iPhone. Unfortunately, they didn’t have current backups, so a factory reset would erase all of their saved data.

In fact, there were a least five other incidents reported in June. All of them had the same ransom demand and required contact with one of two different Gmail accounts.

On May 14, a software tester in Sterling, VA posted a blog about his experience with the ransom demands, after his Apple ID was compromised. That same day, another victim posted a warning on Facebook, urging friends to protect their iCloud accounts because of the same situation.

Recycled Passwords:

“Luckily I didn’t have many apps loaded or lost,” Coca said in an email to Salted Hash.

“It seems to be perfectly fine now,” she added, explaining the aftermath of the incident. “I have since added 2-step authorization. I’m blaming my laziness in having the same password on several accounts (including recently-hacked LinkedIn).”

It isn’t clear if recycled passwords are to blame in the most recent ransom cases, but it wouldn’t be a stretch to assume so, as this was the suspected cause in 2014 too.

Recently, hundreds of millions of compromised usernames and passwords were published online. They come from services such as LinkedIn, iMesh, VK.com, MySpace, Badoo.com, and more. The odds that some of those leaked credentials are tied to active Apple IDs are good, and the LinkedIn list has already been tied to additional data breaches.

However, even if the leaked lists are not the source of the latest ransom demands, it’s possible that Apple IDs were compromised during Phishing attacks or a recent data breach, such as the one at Mac-Forums.com.

According to the ad, the Mac-Forums.com database (one of three databases from a single company that’s been compromised) is available for just ~$775.00. The website currently has 291,214 members.

HotScripts.com (1,000,000+ records) was also recently compromised, that database is selling for ~$1,900. These two databases could contain plenty of Apple IDs and recycled passwords.

Apple has published some advice for users who feel their Apple ID has been compromised. In addition, they encourage users to pick a unique password that is only tied to their Apple ID, as well as the usage of two-factor authentication and two-step verification.