In what can be called a series of rather unusual crimes, 2014 saw Australian iPhone users victimized. They found their iPhones locked remotely and held for ransom. Users who did not pay the ransom were threatened with a complete wipe of the data on their iPhones.
A nearly identical series of incidents has started to occur with users located in the United States and Europe. Whether the perpetrators are the same as in the 2014 incidents is difficult to say at this point.
Find My iPhone
During the 2014 incidents, it was discovered that the iPhones were being remotely locked through the Find My iPhone service. This was made possible by a security breach in which Apple IDs and passwords were posted online. The credentials came from a third party rather than from a hack of the Apple iCloud servers. This gave the attackers sufficient credentials to remotely lock devices and wipe the data clean unless the owners paid the ransom.
The current attack may be linked to the recent breach of the Mac-Forums.com database, which may have exposed iCloud log-in credentials.
CSO security blog Salted Hash has recently pieced together a detailed outline of the process the attackers are using to carry out their plan.
Using the leaked Apple ID credentials, the attacker uses the Find My iPhone service to mark the victim's device as lost, which places the iPhone into lost mode. From there, they can lock the device, post a message to the home screen, and trigger a sound effect to draw attention to it.
In publicly reported cases, the ransom is usually between $30 and $50. As soon as the victims contact the referenced email address, they are given payment instructions. The victims have 12 hours to comply before their data is wiped.
Users, especially those who suspect their sensitive information was exposed in a breach, are advised to change their login passwords. They should also enable two-step verification as an extra safety measure.