iPhones, iPads, and Macs Hacked and Hijacked for Ransom in Australia

Today Apple device users Down Under are dealing with a serious hacking issue that looks to be tied to iCloud, Find my iPhone, and password reuse. A number of Australian and New Zealand iPhone, iPad, and Mac users are reporting that they were awakened by or noticed an alert from Find My iPhone that delivered a message saying, “Device Hacked by Olig Pliss” and offering to unlock the device after a ransom payment of either a $50 or $100 payment to an anonymous PayPal account. The Sydney Morning Herald is reporting the story and an Apple Support Forum Thread has a number of users reporting the issue.

Users who have set a passcode on their device or have Touch ID enabled have been able to bypass the hack but those who did not set a passcode are not. Apparently the hackers are using Find My iPhone to change passcode settings via iCloud on devices without a passcode already set up. In order to change a passcode on a device with a passcode already set up you need physical access to the device to make the change.

Users who have not set up a passcode can regain control of their iOS device by following these instructions from Apple for a forgotten passcode or disabled device.

If you are a multiple Apple device user and have ever made a change to an Apple device you are no doubt familiar with the messages that populate across your devices simultaneously telling you that a change has been made. Imagine receiving warnings announcing that all of your devices were being held for ransom.

The pseudonym “Olig Pliss” has confused some given that there is a real Oleg Pliss who is a noted software engineer for Oracle. That will undoubtedly be another part of this story going forward. Australian carriers including Vodafone, Optus, and Telstra are directing victims to Apple Support regarding the issue, but as yet there is no comment from Apple. PayPal has stated that there was no PayPal account linked to the email that was used in the ransom notices.

The early thinking on this attack is that the hackers are using data that may have been gleaned from other security attacks that yielded passwords from users who don’t set up individual passwords for different accounts. Far too many Internet users stick with the same password across multiple online services. If a password is compromised in a breach on one service and not changed, other accounts become vulnerable.

Consumers and businesses are becoming unfortunately accustomed to the hassles of changing passwords these days with announcements of cyber attacks and hacking seeming to increase in frequency. While mobile devices promise a degree of convenience for everyday web chores while on the go, that convenience must be balanced with the inconvenience of maintaining security for devices and services.

It is important to always practice safe password management when engaging with any Internet transaction. Recommended tips include:

1. Use a different password for each website or service.
2. Create a password that isn’t easy to guess. Don’t use discoverable information like your childrens’ names, anniversary dates, etc.. Use a combination of letters, numbers, and other characters to create a unique password.
3. Use a password manager. Password storage and creation software such as 1Password, LastPass, RoboForm, Keeper, and Dashlane among others offer you the ability to create and store unique passwords that you can access through one master password or automatic logins. But remember you need to create a master password that is not easily discoverable as well.  Browsers also offer the ability to save and store passwords for easy retrieval. But keep in mind, good security and convenience do not go hand in hand.
4. If you must store your passwords somewhere other than a digital locker, find a location that is not easily discovered. Carrying your passwords around in an address book can easily compromise your security should you misplace it.
5. Use two step authentication. Offered by some services and websites two step or two factor authentication creates a second layer of protection by requiring you to authenticate your account not only from a website, but also from a smartphone. Instructions for setting up two step authentication for iCloud can be found here.
6. Users should routinely change passwords for websites and services that they use. Don’t wait for a security scare or warning. Think of creating a regular time to change your passwords in the same way you change batteries in smoke alarms.
7. You are responsible for your own online security. Don’t trust any site or service absolutely.