Apple mobile devices in Australia were taken captive -- or at least that’s what hackers wanted users to think. The iPhone-maker’s forum was buzzing with posts about receiving lost iPhone alerts and demands for money to unlock the devices. Users were told they had to pay anywhere from $50 to $100 via PayPal to regain access to their devices.
“I was using my iPad a short while ago, when suddenly it locked itself . . ." VerityLikestea wrote on the forum. “I went to check my phone and there was a message on the screen (it’s still there) saying that my device(s) had been hacked by ‘Oleg Pliss’ and he/she/they demanded $100 USD/EUR (sent by PayPal).”
Apple and PayPal are assuring users they are on top of the issue. In a public statement, PayPal assured users that if any money was sent its Buyer Protection program would cover them. And Apple made it clear that it takes security very seriously and iCloud was not compromised during this incident.
“Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services,” Apple said in a statement. “Any users who need additional help can contact AppleCare or visit their local Apple retail store.”
We caught up with Andrew Jaquith, CTO and Senior Vice President of Cloud Strategy at cloud security solutions provider SilverSky, to get his take on the problem. He told us, as far as he can tell, this is a garden-variety phishing attack.
“Somebody is sending phishing e-mails, supposedly from Apple, that is causing naive customers to disclose their iCloud credentials,” Jaquith said. “The attacker is then probably logging into iCloud and turning on Lost Mode with a custom ‘Lock Message’ that contains the ransom note.”
As he sees the iCloud scam, it’s not a big deal. Customers just need to pick stronger and longer passwords. That’s the running theme from security experts these days. Industry watchers echoed those thoughts in the eBay hack, the Spotify breach, the Target compromise and a laundry list of other attacks this year -- and in years past.
“There could be more to it than this, but I don’t think so. The bigger lesson here is that as consumers rely more and more on cloud services to manage their devices, automate their homes and consolidate their entertainment, thieves will increasingly target these services,” he said. “Apple, for example, states that it has over 800 million active iTunes accounts. Only a fraction of that number seems to have been affected by this campaign, less than one-thousandth of 1 percent. A problem to be sure, but hardly an epidemic.”
The Same Old Story
We also asked Grace Zeng, a security researcher at SilverSky, to chime in on the Apple iCloud drama. She told us it looks like the victims’ iCloud credentials were compromised. And she rightly pointed out what other security researchers have warned against: Many users tend to use the same credentials across multiple sites.
“As iCloud and Apple IDs have to be registered e-mail addresses, chances are good that some passwords are the same as their e-mail accounts. It could be the case that one’s e-mail address and password was leaked as a result of phishing e-mails or recent retailer data breaches, and attackers were able to use this same credential to log on to iCloud,” she said.
“I think users should avoid reusing online credentials in the first place. For those who do and are already victims of account compromises and data breaches, they should not only change the password of the affected account but all others as well," she added.