Ransom attack targeting Apple products - change your Apple ID password: SSO Alert Priority High
27 May 2014
Apple device and Mac users should be aware that they may be targeted by hackers who lock them out of their device before demanding payment of a ransom.
In recent hours, a number of Australian Apple users have reported the ransom attack targeting their devices.
The information available is limited and may be updated as more information emerges.
With the possibility that this attack is linked to your ‘Apple ID’, affected users are advised to change their Apple ID password as soon as possible.
Users not affected may also consider changing their Apple ID password as a precaution.
Your Apple ID is your username for everything you do with Apple. It is used for identifying you as a user for most Apple products including iTunes, all your Apple devices, iCloud, the Apple Store and others.
At present many users are reporting that their phones or systems lock unexpectedly, and that they receive an email from ‘Find My iPhone’ and a message on their screen stating that their device has been ‘Hacked by Oleg Pliss’. The message says that to unlock their device they should pay a ransom via PayPal, emailing the payment code to lock404[at]hotmail.com.
Currently there is only speculation about how the attacks have been carried out. Apple has not yet responded officially.
Reports by affected users suggest that this attack is possibly the result of hackers compromising the device owner’s Apple ID and using this to access their iCloud account. From their iCloud account a hacker can activate the device’s ‘Lost Mode’ and possibly reset the phone’s access code.
It is not confirmed if or how these Apple IDs and passwords were accessed, but suggestions include that hackers may be simply reusing information they may have discovered during a breach of other online services. Unfortunately, many people still commonly reuse the same password for many of their online accounts.
A hacker with access to your Apple ID can potentially lock any device associated with it remotely. They can also see data you have stored in iCloud, access your Apple Store purchases and potentially set up two-step verification (also known as two-factor authentication) on your device, locking you out of your phone completely, or even remotely erase your device.
It is reported that affected users did not previously have two-step verification enabled on their devices.
Initial information also suggests that users who already have a passcode set on their device are still able to unlock it, but any users who do not have a passcode set may now encounter a lock code set by the hacker.
What can you do?
Do not pay the ransom.
Change your password for your Apple ID. You can use your Apple ID to recover your device(s) if they have been locked by the hacker.
If the hacker has set a new passcode lock on your device, you may be able to bypass this by using one of the methods suggested by Apple. However, you should note that these involve either erasing, resetting, or restoring your device from a backup (if you have one).
Set up two-step verification for your Apple ID. Turning on two-step verification reduces the possibility of someone accessing or making unauthorised changes to your account information. Two-step verification requires both your password and a separate verification code sent to your phone (or other trusted device) in order to log in.
Affected users should contact Apple directly for more information. Apple has been able to help affected users recover their devices.
More specific advice may be provided by Apple shortly.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.