Beginning on May 26th, a number of Apple device owners with Apple ID accounts registered in Australia or New Zealand have had their devices locked remotely. Affected devices display a message claiming they have been hacked by ‘Oleg Pliss’, and demanding money be transferred into an account for the device to be unlocked.
Updated 10 June 2014: The two hackers responsible for these attacks have now been arrested in Russia. Initial news reports indicate that the hackers obtained account credentials using phishing sites (fake Apple login pages) and social engineering (tricking users into disclosing their login credentials), rather than from a password breach on a third-party site, as previously suspected.
Apple claims its systems have not been compromised, and as of this writing, the source of the breach remains a mystery. Users targeted by the attack have used a thread on Apple’s community support forum to exchange information in an attempt to isolate the source of the issue.
Although the attack appears to be widespread within Australia and New Zealand, a relatively small number of users have been impacted. One enterprise IT manager mentioned that of the hundreds of users in their organisation, only one had been affected. A very small number of users outside of Australia and New Zealand have also reported being targeted, although in some cases those users were linked to Australia (e.g. the affected device had been purchased there originally).
At this time, the most likely source of the attacks appears to be an as-yet-unidentified password breach on a third-party service or website that primarily serves customers in Australia and New Zealand. The attacker may have obtained passwords from such a breach and found that many of the users in question were reusing the same password to protect their Apple ID. It is worth noting, however, that several affected users have claimed they were using unique, strong passwords to protect their Apple IDs, and fell victim to the attack nonetheless.
Armed with a valid email address and password for an Apple ID, the attacker would have used Apple’s Find My iPhone service to put the users’ devices into Lost Mode. The attacker was also able to remotely lock devices that were not protected with a passcode, preventing their owners from unlocking them without performing a factory reset and restoring from a backup.
To protect your Apple devices from being locked remotely
- Set a passcode lock for your device (Settings > Passcode / Touch ID & Passcode).
- Ensure the Apple ID you use for iCloud features like Find My iPhone on your device (Settings > iCloud) is protected by a strong, unique password. If you live in Australia or New Zealand, you should consider changing your password as a precaution.
- Enable two-step verification for your Apple ID. This will not prevent an attacker with your password from putting your device into Lost Mode, but it will prevent such an attacker from making changes to your account and locking you out of it (and your devices!).
- Sign up to Should I Change My Password’s Email Watchdog so we can notify you immediately if your password is leaked in an attack on another website. This scenario is the current best guess as to the source of this attack.
What to do if you have been attacked
- Do not pay the ransom.
- Change the password for your Apple ID.
- If you are unable to unlock your device, try logging into iCloud and using the web interface for Find My iPhone to switch off Lost Mode for your device.
- If your device was not protected by a passcode and has had a passcode applied to it remotely (by the attacker), you will need to follow Apple’s instructions to erase your device and restore it from a backup.
- Contact Apple Support for further assistance.
We will update this article if and when any further details come to light.
Best wishes,
Kevin Yank
Chief Technology Officer, Should I Change My Password