Apple iOS ransomware mystery deepens - "Oleg Pliss" pops up in LA

Filed Under: Apple, Data loss, Denial of Service, Featured, iOS

We still can't tell you how the "Oleg Pliss" hack works.

That's the curious message that popped up on Apple iOS devices in Australia earlier this week.

Victims were woken up in the early hours by a beeping phone displaying the sort of message that doesn't exactly brighten your day at 4am:

Device hacked by Oleg Pliss. For unlock device YOU NEED send voucher code by 50$...

The attack wasn't really an "infection" or an "outbreak," because it didn't seem to involve any malware or malicious activity on the device itself.

Instead, it looks as though the crooks have somehow got hold of the victims' Apple ID credentials (or figured out a way into their Apple accounts without the credentials), and simply used the Find My iPhone feature in a back-to-front way.

Telling Apple's cloud servers that your phone is lost is supposed to lock it up until you get it back and can unlock it in the safety of your own loving embrace.

That way, the phone is useless while any crook has it in his or her possession.

But in this case, the crooks lock your phone while you still have it in your possession, and offer to sell you back access to it.

It's a bit like coming back to your bicycle (you always wonder, "Will it still be there?") and gleefully noticing it hasn't been stolen.

Then you find that some sleazebag has D-locked it to the lamppost and left a note saying, "Lock for sale, $100. Free key with every purchase. Call me."

Swapping one mystery for another

So far, we've only been able to speculate (with our readers' help) on how this iOS extortion was carried out.

The most likely-sounding explanations (e.g. passwords re-used from another breach, or credentials acquired through phishing) are confounded by the apparently tight regional distribution of the first victims, who were almost all in Australia.

For example, let's imagine that every single victim re-used their Apple password on some other site.

For that to explain the Oleg Pliss attack, we now have to find a site common to all victims that:

  • Sells a service that only Aussies would buy.
  • Stores passwords insecurely so that even strong passwords can be recovered.
  • Suffered a breach that has, until now, escaped everyone's notice.

In short, we just swapped one mystery for another.

Blame it on an app

Some readers have wondered if the attack might be down to an insecure iOS app that only Aussies would use (many apps are geo-locked, especially if they give access to copyrighted content licensed for a single region, such as videos).

By means of this hypothetical app, the crooks might have been able to siphon off Apple credentials.

After all, a recent study of online banking apps showed that 40% of them didn't bother to validate HTTPS security certificates, meaning that a crook who could redirect your web traffic could feed you fake "secure" sites without any alarm bells ringing.
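The failure the study describes is a client that skips certificate validation, so any attacker who can steer traffic (for example through a hijacked home router) can present a forged certificate unchallenged. As an added illustration, not code from the article or from the banking-app study, here is the weak TLS client configuration beside the corrected one in Python's standard `ssl` module, plus a small audit helper of the kind you would run in code review or a unit test to catch the weak form. The TLS 1.2 floor is this example's own assumption.

```python
import ssl
from typing import List

# Assumption for this example: a client should accept nothing older than TLS 1.2.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings describing why this client context would accept a forged
    'secure' site. An empty list means all three checks pass."""
    findings = []
    # Without CERT_REQUIRED the server's certificate chain is never verified.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode: server certificate is not verified")
    # Without hostname checking, any valid certificate for any name is accepted.
    if not ctx.check_hostname:
        findings.append("check_hostname: certificate name is not matched to the host")
    # TLSVersion is an IntEnum, so MINIMUM_SUPPORTED (-2) also compares as too low.
    if ctx.minimum_version < MIN_TLS:
        findings.append("minimum_version: legacy TLS/SSL versions accepted")
    return findings


def insecure_context() -> ssl.SSLContext:
    """The pattern the study flags: certificate checking switched off entirely."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The corrected form: system trust store, hostname matching, TLS 1.2 floor."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = MIN_TLS
    return ctx


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```

Pass the context the app actually uses (for example the one handed to `http.client.HTTPSConnection` or `urllib`) into `audit_client_context` from a test, and fail the build on a non-empty result; that turns the "40% don't validate" finding into a check that cannot silently regress.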

And we've regularly written about insecurities in home routers that could allow crooks to take over your household's internet gateway and thereby redirect your web traffic.

The mystery deepens

Well, the mystery just got more mysterious.

The first reports are in from victims who have no connection to Australia.

This time, it's Southern California, with residents of the Greater Los Angeles Area being confronted by the enigmatic Oleg Pliss.

We don't have any details on exactly what Angelenos are seeing when Mr Pliss comes calling.

In the Australian flavour, we've seen a screenshot demanding $50 in MoneyPak vouchers (see image above) to be sent by email to one address, and read of a demand for $100 to be sent to a different address using PayPal.

Apparently, the PayPal address has never existed, so you couldn't pay over the $100 even if you wanted to.

We've not heard of anyone who tried emailing a MoneyPak voucher to the other email address (and we don't recommend trying it!), so we don't know whether anyone's collecting money via that path.

What to do

What we do know is that if you do get the dreaded message from Oleg Pliss, there's no need to panic.

If your device is registered at work with some kind of corporate mobile device management product (such as Sophos Mobile Control), you may be able to unlock it independently of Apple's locking mechanism.

That means you can cut out the crooks without doing a recovery reset and losing all your data.

If not, then if you haven't backed up your phone, you might at worst lose all your data, but at least your phone isn't D-locked to that lamppost for ever.


6 Responses to Apple iOS ransomware mystery deepens - "Oleg Pliss" pops up in LA

  1. Howard Gordon · 63 days ago

    I believe that your assumption is correct. Back in November '13, Brian Krebs (krebsonsecurity.com) posted this article: http://krebsonsecurity.com/2013/11/cupid-media-hack-exposed-42m-passwords/

    • Paul Ducklin · 63 days ago

      I'm not convinced that Cupid Media's breach fits the bill - not least because there are only about 25m people in Australia, adults and children included. If we quite reasonably assume that a minority of them were Cupid Media customers, that means at least 30m of those Cupid Media passwords belonged to non-Aussies. So it definitely doesn't satisfy the criterion of "a service used only by Aussies."

  2. Joe · 63 days ago

    An easy fix for this is to modify the tracking software to compare the phone's location with the address at which the phone actually is. If it turns out that the reference address matches the phone's location, there should be an option to unlock when an email is sent to the user's alternate email address.

    • Anonymous · 62 days ago

      So if the phone is at its actual location it should be unlocked by e-mail?

  3. Don't worry about your bike either there are ways to defeat a D-Lock without paying $100. No one will report you to the police either.

    http://www.nytimes.com/2012/03/13/opinion/bike-thief.html?_r=0

  4. Blocked · 62 days ago

    Typo: “If you your device is registered...”, second paragraph in the “What to do” section.

    Has anyone else noticed that the letters in Oleg Pliss can be rearranged to spell Ol’ Piss Leg. It suggests that the suspect might be afflicted with the tragedy and heartbreak of urinary incontinence. I’d say check the recent urology clinic admissions Down Under for anyone who can’t keep his pants dry.

    But seriously, do we know yet whether this attack is confined to iOS, or does it extend to OS X as well? The linked CBS-Los Angeles article states “...a hacker is targeting and locking iPad, iPhone and other Mac devices...” What other “Mac devices”? Is the author assuming that “Mac” and “Apple” are synonymous?

    BTW, Victorville is in Southern California, but it’s more than a bit of a stretch to call it Los Angeles. They’re separated by about 84 miles and one mountain range. Nevertheless, now that the iPhone D-lock has shown up here in the Southland, judging by the number of iOS devices hereabouts, it won’t be long before Ol’ Piss Leg makes it all the way to Malibu.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog