Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

No “Silver” Lining in iCloud – Not Even for the Cybercriminals Who Locked Out Users Till a Ransom Was Paid.

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.

This has to be one of the strangest cybercrimes you’ll ever run across. Or perhaps it’s one of the dumbest. Or maybe both.

Some Apple users – primarily in Australia, but also in New Zealand, the UK and U.S. – found themselves locked out of their iCloud accounts unless they paid a $100 (USD) ransom via PayPal.

The only problem was that PayPal said no PayPal account is linked to the email address referenced in the scam. In other words, the bad guys apparently got nothing for their efforts. Of course, they might have ripped off personal information that users kept in iCloud. But how bright would that have been, tipping off users that someone had gained access to their personal information?

Chris Griffith, senior technology journalist, describes all that is known about the attack in his piece. The following has been edited to fit our format; the complete article is available from the original publication.

The breach, first reported extensively on Apple community blogs, primarily targets Australian users. “I was using my iPad a short while ago when suddenly it locked itself,” one Melbourne user reported.

“I went to check my phone and there was a message on the screen (it’s still there) saying that my device(s) had been hacked”.

“He/she/they demanded $100 USD/EUR (sent by PayPal to lock404(at) to return them to me.”

If hackers locked phones and iPads by remotely logging into iCloud accounts, they would also have access to users' contacts, calendars and email stored with the same iCloud account.

The website is urging affected users not to pay the ransom. Instead they should change their iCloud password and switch off Lost Mode via iCloud. The site has also recommended that all iCloud users, including those who are unaffected, change their passwords.

PayPal meanwhile has issued a statement saying they will refund any cash sent to the hackers. “PayPal can assure customers that no PayPal account is linked to the email address referenced in the reported scam,” PayPal said.

“Further, if any PayPal customers have sent money via PayPal in relation to this matter their money will be refunded. This is consistent with PayPal’s policies to protect consumers against fraud.”

Users have reported becoming aware of the lock when accessing Find My iPhone on their iPhone and iPad. “I have gone into iCloud and when I used the ‘find my iPhone’ feature I did indeed see the message and that both the devices were locked,” a user said.

Users say they have remained locked out on devices that were not protected with passcodes. It is understood that on iPhones and iPads that already had a passcode, the lock can be cleared by entering that passcode, which marks the device as found in Find My iPhone.

Users without passcodes can either restore their device to factory settings and restore from a backup, or visit their local Apple store for help.

Apple is not commenting on the origin of the breach, except to say that iCloud's own security has not been breached. “Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store,” Apple said in a statement.

If true, that would leave phishing, identity theft, or reuse of an Apple ID password that had already been exposed through some other service (the scenario Apple's advice against reusing credentials points at) as the likely ways the attackers obtained users' credentials.

Users have been encouraged over time not to use the same login credentials for different online services. Two-factor authentication on the Apple ID, and setting a device passcode (which Touch ID fingerprint recognition on the iPhone 5S requires as its fallback), are other ways to bump up security; as noted above, a device that already has a passcode can be unlocked with it even after an attacker has put it into Lost Mode.
