Let’s say you are the owner of one of the i-products: iPhone, iPad, or iPod (touch). There are Apple MDM products designed to secure these devices. Likewise, Macintoshes can be secured using Apple’s FileVault 2, disk encryption software that comes free with every Mac sold in the last two years.
You’re feeling secure, right? Except that a bunch of Aussies woke up to find that this was not the case.
Ransomware Using Apple’s Own Resources
The big news in the Land Down Under is that some guy going by the name of “Oleg Pliss” was asking for $100 USD/EUR to unlock i-devices that were hijacked. The very likely method was via Apple’s iCloud, which allows control of the “Find My iPhone” feature for tracking and disabling devices. Apple immediately responded to the news by saying that they were not hacked and that they did not suffer a data breach.
The current consensus is that hackers managed to take information from another site’s data breach and use it to their advantage with Apple’s website. This is why you shouldn’t be using the same passwords everywhere. It’s also the reason why so many hacked websites suggest resetting passwords for any and all other websites you access.
Interestingly enough, the breach appears to be limited to Australia despite the ransom being for US dollars or Euros (if you’re paying, pay in dollars because 100 Euro is $136. Why overpay?). What does it all mean?
It could mean that the hacker in question was unaware that his database of potential victims was limited to Australians only. Or, this could be a preliminary stage before the hijacking goes worldwide (Australia pop.: 23 million. USA pop.: 318 million. Europe pop.: 740 million).
Or, it could be the world’s worst joke. Bear with me here. When you think about it, the operation was not carried out very professionally. Most people were able to regain control of their phones without paying anything. Those who did pay were promised a refund by PayPal, the account of choice for our anonymous hacker. As most people who’ve dealt in the underground economy know (as well as eBay enthusiasts), PayPal has this unacknowledged policy of reversing charges if the money sender complains about a transaction. Even if this were a dry run for bigger things to come, you’d at least make sure to use a payment account where money you received remains securely under your control. So, again, the thing wasn’t executed very well if the objective was to gain some coin, either today or sometime down the road.
On the other hand, if this were done as a lark or on a dare…then, yeah, I can see how you’d just coast over the small details that make or break an online heist.