This morning, a number of Australian iPad and iPhone users woke up to a strange sight.
A message, saying something like this:
Device hacked by Oleg Pliss. For unlock device...
..was visible on the screen.
It’s ransomware, but not as we know it.
As far as we can tell, the affected devices aren’t infected with malware; instead, it looks as though the attackers have somehow got hold of the victims’ iCloud login credentials and locked their devices remotely.
The demands seem to be localised to Australia, or at least to Australian users, with some reports from New Zealand.
So far, so bad.
The problem with cloud-based attacks, as this seems to be, is that it can be hard to work out who has done what, or how to stop them (and, better, how to identify and prosecute them).
Postings on one Australian discussion forum are alive with speculation, but that’s all we have so far.
• Could it be a side-effect of the recent eBay hack?
After Adobe’s 2013 hack, many passwords were recovered from the stolen database, even though it was encrypted.
This was in part due to Adobe’s incompetence in how it secured the data, and in part due to poor password choice by users.
Other online services, such as Facebook, took the precaution of testing out passwords revealed by the Adobe breach against their own users.
The results were as expected: many people had used the same, easily guessed, password on multiple sites.
But the password data stolen from eBay doesn’t seem to have surfaced anywhere yet (the stolen Adobe data was made publicly available as part of the hack).
Also, there are reports of users who don’t have eBay accounts getting the “Oleg Pliss” message.
• Could it be a Man in the Middle (MitM) attack caused by an Apple software bug?
Some commenters on the Whirlpool forum suggest a security weakness in iTunes or iCloud, allowing hackers to trick vulnerable devices into visiting a fake login site, where Apple usernames and passwords could have been harvested.
But the iTunes security holes referenced as part of this explanation were fixed over a year ago, meaning that all affected devices would be running a long-superseded version of iOS.
No such attack pattern has been reported.
• Could it be MitM caused by a hack against an Australian ISP?
Perhaps the apparent localisation of the ransom pop-up is because it’s a Man in the Middle attack that relies on re-routing traffic inside a vulnerable ISP in Australia?
That might explain how iCloud logins could be hijacked in only one part of the world, and why even well-informed users might not realise they were visiting the wrong servers.
But there doesn’t seem to be any ISP-specific pattern amongst the victims, and at least one reported victim was an Australian user currently in London, England, connecting via an ISP in the UK.
• Could it be down to jailbreaking?
Australia was famously the site of the world’s first true in-the-wild virus (self-replicating malware) for iPhones.
The virus, known as Ikee and written by a youngster from Wollongong, New South Wales, was limited to jailbroken devices, which kept its prevalence down.
Perhaps something like that happened again?
But not all victims have jailbroken devices.
• Could a breach against an Australian online service have coughed up passwords that victims re-used elsewhere?
If the service were one that people outside Australia would be unlikely to use (e.g. because it was tied to a product only available in Australia), this is a possible explanation.
We’re inclined to consider this the most likely reason we’ve seen so far, but it relies on all victims being the sort of people who re-used passwords.
→ If you are, or know, a victim who has always used a password manager (this sort of software automatically creates a different weird-and-wonderful password for each account), we’d love to know. That would seem to rule out this explanation, too.
• Could it be a hoax?
What if the messages are just spams simply asking for $50, or $100, but nothing is locked or ransomed at all?
But victims are reporting having been locked out, and to have received emails from Apple’s lost iDevice service to say that someone has reported their iDevice as lost.
• Could it be a hole in the “report my iDevice locked” service?
Some commenters are referring to a recent story about Dutch-Moroccan hackers calling themselves Doulci (an anagram of iCloud) who claim to be able to unlock frozen iDevices using some sort of MitM attack.
That’s plausible, if Doulci’s claims are true, but the “Oleg Pliss” attack involves locking your device against your will, rather than unlocking a frozen device against Apple’s will.
Also, the Doulci hack doesn’t explain why all the victims seem to have a Australian connection.
• Could it be a Joe Job against someone called Oleg Pliss?
A “Joe Job” is the online equivalent of putting up a message in a telephone booth with an irresitible offer, giving the number of someone you don’t like. (The episode that gave this sort attack its name was carried out using spam with the sender spoofed in the name of a victim called Joe Doll.)
But if so, it’s an astonishingly subtle Joe Job, because it doesn’t identify the actual “Joe” against whom the victims are supposed to take retribution.
Also, whether it is a Joe Job or not doesn’t explain how the attack was carried out, or why only Australians were targeted.
What to do?
The bottom line is that:
- We don’t yet know how this happened.
- It smells like stolen or guessed passwords shared with some other account.
- If guess (2) is correct, choosing a different, non-trivial password for each account would almost certainly have protected you.
- If guess (2) is correct, using Apple’s two step verification would almost certainly have protected you.
Honan didn’t get the chance to pay $50 to get his data back: the crook or crooks decided to trigger a remote wipe of his devices instead.
If you have an Apple account, we suggest you look into two step verification right away.
If you’d like to know more about 2FA, and what it can do for you, take a listen to our Techknow podcast:
Have you been hit?
If you’ve seen the “Oleg Pliss” message, you can recover without paying the ransom.
→ We urge you not to pay, or even to negotiate to pay. Indeed, it seems that paying probably won’t work anyway, with Aussie journalist Ben Grubb reporting on Twitter that, for at least one of the email addresses used in the scam, there is no assoicated PayPal account.
At worst, you will need to do a “recovery mode” reset of your device, which will remove all your apps and data.
If you have a recent backup, you can then recover it using iTunes.
By the way, if you were hit, we’re interested in hearing from you. (If you have screenshots, we’ve love to see them!)
You can leave a comment below, or email firstname.lastname@example.org – we won’t use your name unless you [a] tell us what it is and [b] give us permission.