The attack appears to work by compromising iCloud accounts associated with the disabled devices, according to an Apple support forum discussion that started Sunday morning and quickly accumulated several hundred posts.
Commandeered devices typically emit a loud tone that’s associated with a feature that helps users locate lost or stolen devices. iPhones and iPads also display the message: “Device hacked by Oleg Pliss. For unlock device, you need send voucher code by 100 usd/eur (Moneypack/Ukash/PaySafeCard) to email:email@example.com for unlock.”
In some cases—specifically, when a user hasn’t assigned a strong passcode to a locked device—it can only be unlocked by performing a factory reset, which completely wipes all previously stored data and apps.
The mass compromise is a variation on so-called ransomware scams, which initially targeted Windows PC users and earlier this month were found targeting smartphone users running Google’s Android OS.
The forum accounts provide strong evidence that victims’ Apple IDs and passwords have been compromised so that attackers can remotely lock connected devices using Apple’s Find My iPhone service.
But so far it remains unclear exactly how the attackers are compromising the iCloud accounts.
While it’s possible the hijackers used phishing attacks or hacked password databases to obtain the credentials, those explanations are undermined by the observation that the vast majority of victims were located in Australia and reported using a variety of e-mail providers. Typically, phishing campaigns and database compromises involving multiple providers affect users from more geographic regions.
One participant in the online discussion theorized the mass compromise may have been the result of hacking domain name system (DNS) servers used by Australian service providers to translate human readable addresses such as Apple.com into the IP addresses Internet routers rely on.
Such an attack, which has yet to be confirmed in this case, works by “poisoning” the lookup tables of DNS servers so they secretly direct people to impostor sites. Assuming this technique was at play in the iPhone and iPad locking, affected users who entered a password on what appeared to be Apple’s site could have unknowingly provided it to the people behind the attack.
Apple officials have yet to comment on the report. There is no indication the hijackings are the result of any compromise on Apple servers, so that leaves end users to figure out for themselves how to secure their own devices.
Readers are once again advised to use long, randomly generated passwords that are unique to their iCloud account. They should also enable two-factor authentication and assign a separate, randomly generated passcode to each iPhone and iPad they own.
Readers are reminded they can be permanently locked out of their Apple ID accounts, and possibly their iPhone or iPad when running iOS 7 with Find My iPhone turned on, if they are compromised before two-factor authentication is enabled. Two-factor authentication won’t automatically prevent an attacker from compromising an iCloud account, but it will prevent the attacker from changing security questions and other crucial settings in the event of a breach.
The identities of the people behind the attack are unknown. There’s no indication they have any connection to anyone named Oleg Pliss.
People with a locked device should immediately try changing the credentials for their Apple ID and ensure two-factor authentication is set up. In the event their locked device didn’t have a passcode associated with it, they can perform a factory reset by using a cable to plug the device into their computer while iTunes is open.
More instructions are here.