Apple iOS ransomware mystery deepens – “Oleg Pliss” pops up in LA

We still can’t tell you how the “Oleg Pliss” hack works.

“Oleg Pliss” is the name in the curious message that popped up on Apple iOS devices in Australia earlier this week.

Victims were woken up in the early hours by a beeping phone displaying the sort of message that doesn’t exactly brighten your day at 4am:

Device hacked by Oleg Pliss. For unlock device YOU NEED send voucher code by 50$...

The attack wasn’t really an “infection” or an “outbreak,” because it didn’t seem to involve any malware or malicious activity on the device itself.

Instead, it looks as though the crooks have somehow got hold of the victims’ Apple ID credentials (or figured out a way into their Apple accounts without the credentials), and simply used the Find My iPhone feature in a back-to-front way.

Telling Apple’s cloud servers that your phone is lost (Find My iPhone’s Lost Mode) is supposed to lock it up until you get it back and can unlock it in the safety of your own loving embrace.

That way, the phone is useless while any crook has it in his or her possession.

But in this case, the crooks lock your phone while you still have it in your possession, and offer to sell you back access to it.

It’s a bit like coming back to your bicycle (you always wonder, “Will it still be there?”) and gleefully noticing it hasn’t been stolen.

Then you find that some sleazebag has D-locked it to the lamppost and left a note saying, “Lock for sale, $100. Free key with every purchase. Call me.”

Swapping one mystery for another

So far, we’ve only been able to speculate (with our readers’ help) on how this iOS extortion was carried out.

The most likely-sounding explanations (e.g. passwords re-used from another breach, or credentials acquired through phishing) are confounded by the apparently tight regional distribution of the first victims, who were almost all in Australia.

For example, let’s imagine that every single victim re-used their Apple password on some other site.

For that to explain the Oleg Pliss attack, we now have to find a site common to all victims that:

  • Sells a service that only Aussies would buy.
  • Stores passwords insecurely so that even strong passwords can be recovered.
  • Suffered a breach that has, until now, escaped everyone’s notice.

In short, we just swapped one mystery for another.

Blame it on an app

Some readers have wondered if the attack might be down to an insecure iOS app that only Aussies would use (many apps are geo-locked, especially if they give access to copyrighted content licensed for a single region, such as videos).

By means of this hypothetical app, the crooks might have been able to siphon off Apple credentials.

After all, a recent study of online banking apps showed that 40% of them didn’t bother to validate the server’s HTTPS certificate, meaning that a crook who could redirect your web traffic could sit in the middle with a forged certificate and feed you fake “secure” sites, reading whatever you typed into them, without any alarm bells ringing.
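The kind of mistake that study describes is usually visible in the app’s source: a trust manager that accepts any chain, a hostname verifier that always says yes, or a framework flag that switches validation off. As an added example (not code from the original article, from the study, or from any real app), here is a small source lint that flags the common validation bypasses in Objective-C and Java networking code. The snippets it scans are constructed for the example; the API names it looks for (AFNetworking’s allowInvalidCertificates and validatesDomainName, the private NSURLRequest setAllowsAnyHTTPSCertificate:forHost:, Java’s X509TrustManager and HostnameVerifier) are real, but the rule list is an assumption about which patterns matter, not an exhaustive one.

```python
"""Lint app source for TLS certificate-validation bypasses.

Added example: the sample snippets below are constructed for illustration,
not taken from any real app or from the study mentioned in the article.
"""
from __future__ import annotations

import re

# (label, pattern, why it matters). Each pattern is one way of telling the
# TLS stack "accept whatever certificate the other end presents".
RULES = [
    ("ios-private-api",
     re.compile(r"(?i)allowsanyhttpscertificate"),
     "private NSURLRequest API that accepts any certificate"),
    ("ios-afnetworking-invalid-certs",
     re.compile(r"(?:allowInvalidCertificates\s*=\s*YES|setAllowInvalidCertificates:\s*YES)"),
     "AFNetworking security policy accepts invalid/self-signed certificates"),
    ("ios-afnetworking-no-hostname-check",
     re.compile(r"validatesDomainName\s*=\s*NO"),
     "AFNetworking hostname (CN/SAN) check disabled"),
    ("ios-cfstream-no-chain-validation",
     re.compile(r"kCFStreamSSLValidatesCertificateChain[^;]*kCFBooleanFalse"),
     "CFStream certificate chain validation disabled"),
    ("java-allow-all-hostnames",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|NoopHostnameVerifier"),
     "hostname verifier that accepts every hostname"),
    ("java-hostname-verifier-true",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;"),
     "custom HostnameVerifier.verify() that always returns true"),
    ("java-empty-trust-manager",
     # body may be empty or contain only whitespace / line comments
     re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)[^{]*\{(?:\s|//[^\n]*)*\}"),
     "X509TrustManager.checkServerTrusted() with an empty body (trusts everything)"),
]


def scan(source: str) -> list[tuple[int, str, str]]:
    """Return (line, rule label, explanation) for every bypass found, sorted by line."""
    findings = []
    for label, pattern, why in RULES:
        for m in pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, label, why))
    return sorted(findings)


# Constructed sample: an iOS networking layer with validation switched off.
OBJC_SAMPLE = """\
// constructed snippet in the style of an iOS networking layer
AFSecurityPolicy *policy = [AFSecurityPolicy defaultPolicy];
policy.allowInvalidCertificates = YES;   // accept self-signed / forged certs
policy.validatesDomainName = NO;         // don't check the CN/SAN either
[NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:@"bank.example"];
"""

# Constructed sample: the classic Android "trust all" trust manager.
JAVA_SAMPLE = """\
// constructed snippet in the style of an Android networking layer
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
"""

# Constructed sample: validation left intact (pinning on, hostname check on).
SAFE_SAMPLE = """\
// constructed snippet: default validation left intact
AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
policy.validatesDomainName = YES;
"""


if __name__ == "__main__":
    for name, src in (("objc", OBJC_SAMPLE), ("java", JAVA_SAMPLE), ("safe", SAFE_SAMPLE)):
        print(f"== {name}: {len(scan(src))} finding(s)")
        for line, label, why in scan(src):
            print(f"  line {line}: {label}: {why}")
```

The regexes are deliberately narrow (an exact `= YES`, an empty method body) so that a hit is worth a human look rather than a wall of noise; a code-aware scanner would do better, but even this level of check would have caught the three bypasses in the first sample and the two in the second, while leaving the pinned, hostname-checked configuration alone.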

And we’ve regularly written about insecurities in home routers that could allow crooks to take over your household’s internet gateway and thereby redirect your web traffic.

The mystery deepens

Well, the mystery just got more mysterious.

The first reports are in from victims who have no connection to Australia.

This time, it’s Southern California, with residents of the Greater Los Angeles Area being confronted by the enigmatic Oleg Pliss.

We don’t have any details on exactly what Angelenos are seeing when Mr Pliss comes calling.

In the Australian flavour, we’ve seen a screenshot demanding $50 in MoneyPak vouchers (see image above) to be sent by email to one address, and read of a demand for $100 to be sent to a different address using PayPal.

Apparently, the PayPal address has never existed, so you couldn’t pay over the $100 even if you wanted to.

We’ve not heard of anyone who tried emailing a MoneyPak voucher to the other email address (and we don’t recommend trying it!), so we don’t know whether anyone’s collecting money via that path.

What to do

What we do know is that if you do get the dreaded message from Oleg Pliss, there’s no need to panic.

If your device is registered at work with some kind of corporate mobile device management product (such as Sophos Mobile Control), you may be able to unlock it independently of Apple’s locking mechanism.

That means you can cut out the crooks without doing a recovery reset and losing all your data.

If not, and you haven’t backed up your phone, then at worst you’ll lose your data in a recovery reset, but at least your phone isn’t D-locked to that lamppost for ever.
