No “Silver” Lining in iCloud – Not Even for the Cybercriminals Who Locked Out Users Till a Ransom Was Paid.

Posted on June 9th, 2014 by Dan Rampe


This has to be one of the strangest cybercrimes you’ll ever run across. Or perhaps it’s one of the dumbest. Or maybe both.

Some Apple users – primarily in Australia, but also in New Zealand, the UK and U.S. – found themselves locked out of their iCloud accounts unless they paid a $100 (USD) ransom via PayPal.

The only problem was that PayPal said no PayPal account is linked to the email address referenced in the scam. In other words, the bad guys apparently got nothing for their efforts. Of course, they may have helped themselves to personal information that users kept in iCloud. But how bright would that have been? Locking the devices and demanding a ransom tipped off every victim that someone else had access to their account, which is the last thing a data thief wants.

Chris Griffith, senior technology journalist, describes what is known about the attack in his piece on theaustralian.com. The following has been edited to fit our format; the complete article is available on theaustralian.com.

The breach, first reported extensively on Apple community blogs, primarily targets Australian users. “I was using my iPad a short while ago when suddenly it locked itself,” one Melbourne user reported.

“I went to check my phone and there was a message on the screen (it’s still there) saying that my device(s) had been hacked”.

“He/she/they demanded $100 USD/EUR (sent by PayPal to lock404(at)hotmail.com) to return them to me.”

If the attackers locked phones and iPads by remotely logging into the victims' iCloud accounts, they would also have had access to the contacts, calendars and email stored under the same iCloud accounts.

The website http://staysmartonline.com.au is urging affected users not to pay the ransom. Instead, they should change their iCloud password first, so that whoever holds the old password can no longer re-enable the lock, and then switch off Lost Mode via iCloud. The site also recommends that all iCloud users, including those who are unaffected, change their passwords.

PayPal meanwhile has issued a statement saying they will refund any cash sent to the hackers. “PayPal can assure customers that no PayPal account is linked to the email address referenced in the reported scam,” PayPal said.

“Further, if any PayPal customers have sent money via PayPal in relation to this matter their money will be refunded. This is consistent with PayPal’s policies to protect consumers against fraud.”

Users have reported discovering the lock when opening Find My iPhone on their iPhone and iPad. The lock itself is not malware running on the device: it is Find My iPhone's Lost Mode, which anyone holding the Apple ID password can switch on via iCloud, complete with a custom message shown on the lock screen. “I have gone into iCloud and when I used the ‘find my iPhone’ feature I did indeed see the message and that both the devices were locked,” a user said.

Users say they have remained locked out of devices that were not protected with a passcode. It is understood that on iPhones and iPads that already had a passcode, the lock can be cleared by entering that passcode, which marks the device as found in Find My iPhone.

Users without passcodes can either restore the device to factory settings and reload a backup, or visit their local Apple store for help.

Apple is not commenting on the origin of the breach, except to say the iCloud’s own security has not been breached. “Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store,” Apple said in a statement.

If so, that leaves stolen Apple ID credentials as the likely cause: passwords obtained by phishing, or reused passwords exposed in breaches of other services, letting the attackers sign in to iCloud as the victims rather than breaking into iCloud itself.

Users have long been encouraged not to use the same login credentials for different online services. Two-factor authentication on the Apple ID and a device passcode are other ways to bump up security. Apple's Touch ID fingerprint recognition on the iPhone 5S requires a passcode to be set, and in this incident it was the passcode-protected devices that users could unlock themselves.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.