Apple users hit by $100 ransom demand after mystery iCloud account breach

Oleg is taking the pliss

Apple iPhone, iPad and Mac users in Australia and New Zealand are being pestered by mysterious ransom messages demanding up to $100 in order to 'unlock' their devices. A hack of some iCloud user accounts is suspected.

If the baffled and worried messages on Apple's local support forum are any guide, this is not a ransom attack in the mould of the Windows Cryptolocker Trojan that actually encrypts files or makes the device difficult to use, and looks like a social engineering attack manipulating the 'Find your phone' device lock feature in Apple's iCloud.

"I was using my iPad a short while ago when suddenly it locked itself,...I went to check my phone and there was a message on the screen (it's still there) saying that my device(s) had been hacked by 'Oleg Pliss' and he/she/they demanded $100 USD/EUR (sent by paypal to lock404(at) to return them to me," wrote the first user to complain of the attack.

Several dozen other users later reported identical demands as well as being locked out of their devices. Needless to say, there is no evidence that the 'Oleg Pliss' mentioned in the demand is related to any known person of that name.

On an Android device or a PC, suspicion would fall pretty quickly on a rogue app downloaded from the Play store but the evidence strongly suggests that a compromise of some Apple iCloud accounts has occurred.

All the victims appear to be in Australia and New Zealand while others report that more than one Apple device - including possibly Apple Mac laptops - are simultaneously affected by the attack. Other users mention receiving 'Find your phone' emails from their iCloud service.

Almost certainly, hackers have broekn into some iCloud accounts, setting the remote lock feature used in normal times when a smartphone or iPad is lost or stolen. Users can reset this as long as they can access their iCloud accounts.

Users on Australia and New Zealand should therefore change their account passwords immediately, For anyone who finds themselves locked out of their account, a call to Apple will be the only option.

Beyond nuisance value and the possibility that a few nave souls will pay the ransom demanded to the hacker's PayPal account what is at risk here? In principle, a hacker with access to the iCloud has access to all files saved there including images and notes. That means some could be at risk of losing personal data or having it wiped as part of the reset process.

Attention will turn at some point to how the compromise happened. Theories abound on this but the most probably explanation is either that the hackers have got access to email addresses or user account names and then guessed weak passwords or accessed a database of a reseller or Apple partner.

"While it's not clear how the attacker gained account credentials for the accounts, given the localized nature of the attacks it's likely that this is a case of password reuse as opposed to Apple servers being compromised," agreed Michael Sutton, vp of research at security firm, Zscaler.

"It is likely that a third party database was compromised and authentication credentials stolen that are the same credentials used by the owners of the affected iOS devices. Fortunately, this is a situation where Apple can intervene to reset the device and affected users should not pay the ransom being sought," he said.

Sister title Computerworld has published more detailed advice on coping with the attack.

Join the CSO newsletter!

Error: Please check your email address.

Tags Personal TechApplesecurity

More about ApplePayPalzScaler

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place