Apple iPhone, iPad and Mac users in Australia and New Zealand are being pestered by mysterious ransom messages demanding up to $100 in order to 'unlock' their devices. A hack of some iCloud user accounts is suspected.
If the baffled and worried messages on Apple's local support forum are any guide, this is not a ransom attack in the mould of the Windows Cryptolocker Trojan that actually encrypts files or makes the device difficult to use, and looks like a social engineering attack manipulating the 'Find your phone' device lock feature in Apple's iCloud.
"I was using my iPad a short while ago when suddenly it locked itself,...I went to check my phone and there was a message on the screen (it's still there) saying that my device(s) had been hacked by 'Oleg Pliss' and he/she/they demanded $100 USD/EUR (sent by paypal to lock404(at)hotmail.com) to return them to me," wrote the first user to complain of the attack.
Several dozen other users later reported identical demands as well as being locked out of their devices. Needless to say, there is no evidence that the 'Oleg Pliss' mentioned in the demand is related to any known person of that name.
On an Android device or a PC, suspicion would fall pretty quickly on a rogue app downloaded from the Play store but the evidence strongly suggests that a compromise of some Apple iCloud accounts has occurred.
All the victims appear to be in Australia and New Zealand while others report that more than one Apple device - including possibly Apple Mac laptops - are simultaneously affected by the attack. Other users mention receiving 'Find your phone' emails from their iCloud service.
Almost certainly, hackers have broekn into some iCloud accounts, setting the remote lock feature used in normal times when a smartphone or iPad is lost or stolen. Users can reset this as long as they can access their iCloud accounts.
Users on Australia and New Zealand should therefore change their account passwords immediately, For anyone who finds themselves locked out of their account, a call to Apple will be the only option.
Beyond nuisance value and the possibility that a few nave souls will pay the ransom demanded to the hacker's PayPal account what is at risk here? In principle, a hacker with access to the iCloud has access to all files saved there including images and notes. That means some could be at risk of losing personal data or having it wiped as part of the reset process.
Attention will turn at some point to how the compromise happened. Theories abound on this but the most probably explanation is either that the hackers have got access to email addresses or user account names and then guessed weak passwords or accessed a database of a reseller or Apple partner.
"While it's not clear how the attacker gained account credentials for the accounts, given the localized nature of the attacks it's likely that this is a case of password reuse as opposed to Apple servers being compromised," agreed Michael Sutton, vp of research at security firm, Zscaler.
"It is likely that a third party database was compromised and authentication credentials stolen that are the same credentials used by the owners of the affected iOS devices. Fortunately, this is a situation where Apple can intervene to reset the device and affected users should not pay the ransom being sought," he said.
Sister title Computerworld has published more detailed advice on coping with the attack.