veritylikestea

Q: My devices have been hacked. What do I do?

I was using my iPad a short while ago when suddenly it locked itself, and was askiwhich I'd never previously set up. I went to check my phone and there was a message on the screen (it's still there) saying that my device(s) had been hacked by 'Oleg Pliss' and he/she/they demanded $100 USD/EUR (sent by PayPal to lock404(at)hotmail.com) to return them to me.

I have no idea how this has happened. I am not aware of having been exposed to malware or anything else, although I did recently purchase some new apps - perhaps one of these has something to do with it? I don't know. I am not sure what avenue has been used to reach my devices - I'm about to use my husband's laptop to check through some of my accounts (Gmail, etc.) and see if there is any clue there.

Has this happened to anyone else? What can or should I do? Many thanks.

iPhone 5

Posted on May 26, 2014 4:57 AM


first Previous Page 11 of 32 last Next
  • by yodaboy01,

    Level 1 (0 points), May 26, 2014 8:11 PM in response to Andrew Rutherford

    If you look at lozzab22's entry (currently at the top of page 9):

    "I have an unlocked iPhone originally from Australia, but it's now with me living in Toronto, Canada - and got the same hacked message mid-morning. So this tells me it's not Aussie service providers, and only iCloud related."

    This suggests it might not involve ISPs but points back at Apple being more involved, as it is the common denominator.

  • by pogster,

    Level 4 (2,296 points), Apple Watch, May 26, 2014 8:13 PM in response to Andrew Rutherford

    Andrew Rutherford wrote:

    Given this seems to be happening mainly in Australia / New Zealand I suspect a man-in-the-middle attack (a bit like the doulCi hack) where someone has redirected Internet traffic from some ISPs in Australia/NZ to a server that's doing the nasty. :-( There's very little checking in many of the peering fabrics used by ISPs to transfer domestic traffic to each other; it would only take one ISP to be hacked and insert a route saying "Apple this way!" to a single peering fabric to steal 30%+ of customers in Aus/NZ.

    That said, as we should in these circumstances, we have changed passwords on all accounts to new strong random passwords, just in case someone has hacked Apple and retrieved passwords.

    That's what it certainly seems like to me as well. Traffic being redirected to a fake iCloud site to capture logins.

  • by deggie,

    Level 9 (54,843 points), iPhone, May 26, 2014 8:14 PM in response to yodaboy01

    Not necessarily yodaboy01, which is why I asked the question if he activated the phone (using his Apple ID) in Australia when he bought it.

  • by tallPete,

    Level 1 (0 points), May 26, 2014 8:28 PM in response to Andrew Rutherford

    This is interesting; however, the attacker was only demanding $100 per client or something. The attacker will have claimed $0 at the moment! Not much reward. So it isn't going to be a sophisticated attack. Hacking an ISP is a sophisticated attack. Hacking Apple is a sophisticated attack. If you knew how to attack either of these reliably, then you wouldn't waste it setting iDevices to lost.

    If it isn't a password attack then I would go to the next simplest with Mums and Dads - routers using default passwords. Although how to man-in-the-middle redirected SSL traffic to get the passwords remains unsolved. But I still think password reuse is far, far more likely.

  • by ScottM,

    Level 1 (120 points), May 26, 2014 8:37 PM in response to Andrew Rutherford

    Interesting points, Andrew - I think that password quality is likely to be an issue in a number of cases, but it sounds like your environment is one which is pretty secure. Any chance you're using 1Password? Is anyone who has had this happen using 1Password? Mostly asking out of knowledge of the quality of the passwords that it can generate.

    The BGP/IP hijacking explanation, whilst possible, doesn't seem probable, or the numbers of people impacted would be vast.

    Another potential explanation could be the way in which Apple IDs are contingent upon email addresses - is it possible that targets were socially engineered or phished, either through email in recent weeks/months, or through fake "support" calls, which scammers are always busy with?

    And even if they didn't accidentally reveal their passwords, it's possible the password reset/recovery functionality of their email provider could have also played a role.

    So far I've seen most of the telco carriers mentioned - but what about the email providers, any common threads there?

  • by tallPete,

    Level 1 (0 points), May 26, 2014 8:45 PM in response to ScottM

    I'd go looking for common routers rather than common ISPs. If it isn't passwords, then the next big weakness in the home is routers with old firmware, well-known backdoors, default passwords. This isn't a sophisticated attack. The amount of money involved is too small.

  • by ScottM,

    Level 1 (120 points), May 26, 2014 8:47 PM in response to tallPete

    Indeed, Pete; point about the common ISPs was that many use common CPE kit as well.  There is obviously *something* in common amongst the victims, we're just not sure what that is yet.

  • by veritylikestea,

    Level 1 (1 points), May 26, 2014 8:53 PM in response to ScottM

    I have no idea about the password issue; I haven't used 1Password and I'm not sure where the other common denominator might be... However, I have successfully regained control of my devices via restore; both are now protected with a passcode, and 'Find My iPhone' is OFF. I do have another question though, because while I have reacquired all my apps on my iPhone, even though I am signed into the same Apple ID account on my iPad it's not showing any of my past purchases (whereas my iPhone did, straight away). I've restored it both as a new iPad and as a backup of my current iPhone... what else should I try?

    Thanks SO much to all of you who have helped and contributed!

  • by Anthony Warren,

    Level 1 (0 points), May 26, 2014 9:07 PM in response to TheRealMoriarty

    I didn't use the same password and my phone was hacked, although apart from the alarm and the message I seem to be okay. At least I didn't lose the use of my iPhones or iPads... at this stage.

  • by TheRealMoriarty,

    Level 1 (0 points), May 26, 2014 9:17 PM in response to tallPete

    You may be right, tallPete, but I still wonder if it is not MITM.

    There are a few reasons for that idea:

    There is no evidence yet that the number of people affected is not large. That remains to be seen.

    The number of people here with the issue in such a short time is unusually high. That points to a large issue - especially since there is no reason to suppose that the majority of those impacted would come here first.

    I would even suspect that there would be a number who would pay... not that they would say so out loud. The amount demanded is relatively small and the method of fixing it relatively arcane to the non-technical user. That makes payment the easy option.

    There is evidence from Apple that until recently iTunes was open to MITM exploit.

    Not everybody religiously patched their software, and it is reasonable to suppose that there is a significant number of unpatched iTunes installs out there.

    On the other hand - as you say - there could be other explanations.

    I think that the significant number of attacks in one night points to a harvesting of Apple IDs and passwords that has been happening over a number of days, followed by a programmed exploit to launch the ransom demand. The quickest way to have achieved that would be to have had a phishing exercise via email or other software infection.

    There is also a large number of people whose IT security practices make phishing easier.

    The fact that the issue seems local to this region could be related to the vector of deception.

    The weak point in the attack is that the actions taken did not prevent a fairly simple restoration. It might be that the hijacking of the whole account either was not possible in the time frame allowed for the attack - or that the attacker was only 'almost clever'.

    It will be interesting to see what the story is when it comes out in the fullness of time.

  • by analogue cheese,

    Level 1 (5 points), May 26, 2014 9:36 PM in response to veritylikestea

    So anyway, the story's now hit the MSM. Source: mostly this very thread. Some of you are (almost) famous:

    http://www.brisbanetimes.com.au/digital-life/consumer-security/australian-apple-idevices-hijacked-held-to-ransom-20140527-zrpbj.html

  • by marumurak,

    Level 1 (0 points), May 26, 2014 9:54 PM in response to veritylikestea

    I got this email at the end of March:

    Hello,

    The following information for your Apple ID was updated

    Shipping and/or billing address
    Credit card

    If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately by going to apple login.

    To review and update your security settings, sign in to login.apple.com

    This is an automated message. Please do not reply to this email. If you need additional help, please visit Apple Support.

    Thanks,
    Apple Customer Support

    None of this was updated so I ignored it. I wonder if people got this and this is how their details were taken? I have not been hacked. I am in Australia. The email address this was sent to was ######@finder.net.au. This is not my email address, yet somehow I got it. The sender address was appleid@news.apple.com. These are also reasons I ignored it.

  • by MidniteDaydream,

    Level 1 (0 points), May 26, 2014 9:52 PM in response to tallPete

    I have just realised that the devices belonging to my family have another common factor. They were the only ones that use Netflix accessed via an "unblock-us.com" account. That means that they were all linked to the same VPN server. Whatever the common factor is, it appears to be Aus/NZ centric. If not an ISP - unlikely - possibly a common server could be a part of the issue.

  • by oandp,

    Level 1 (0 points), May 26, 2014 9:56 PM in response to veritylikestea

    Regarding the iPhone ransom hack, I think this can be done just by hacking the password for the iCloud login. Given that many people use the same passwords across sites, and given the number of recently compromised sites such as eBay, it is not that hard to get passwords. Luckily I haven't been hacked; however, I have 2FA on for my Apple ID, which I thought should protect me, but an iCloud web login doesn't ask for the 2FA, which is just ridiculous. Once in, you can set the phone to lost and demand the ransom with a message.

    For now I've turned off Find My iPhone on all devices.

    APPLE, WHY DOES 2FA not apply to an icloud.com login?

  • by Chris CA,

    Level 9 (79,692 points), iTunes, May 26, 2014 9:57 PM in response to marumurak

    "I got this email at the end of March:

    ...

    None of this was updated so I ignored it. I wonder if people got this and this is how their details were taken? I have not been hacked."

    Yes it is one way of getting hacked.

    The link in your email does not go to login.apple.com.

    It goes to a bogus website designed to look like Apple website.
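The check Chris CA describes above (the visible link text says one thing, the href goes somewhere else) can be automated for an HTML e-mail body. The script below is an added example written for this page, not code from the thread or from Apple: it extracts every anchor, compares the hostname the user sees with the hostname the href actually resolves to, and flags anything not under a trusted domain. The `TRUSTED_DOMAINS` list and the sample message are assumptions; the sample is a constructed HTML body modelled on the text marumurak pasted, with the reserved placeholder `appleid-verify.example.invalid` standing in for whatever the real phishing link pointed at.

```python
"""Flag deceptive links in an HTML e-mail: href host vs. the host the reader sees."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: links in a genuine Apple notice stay under apple.com.
TRUSTED_DOMAINS = ("apple.com",)

# Matches a bare hostname inside visible link text, e.g. "login.apple.com".
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

# Constructed sample, modelled on the message quoted in the thread (not a real e-mail).
SAMPLE_EMAIL = """
<p>The following information for your Apple ID was updated</p>
<p>If these changes were made in error, please reset your account password
immediately by going to <a href="http://appleid-verify.example.invalid/login">apple login</a>.</p>
<p>To review and update your security settings, sign in to
<a href="http://appleid-verify.example.invalid/login">login.apple.com</a></p>
<p>If you need additional help, please visit
<a href="https://support.apple.com/">Apple Support</a>.</p>
"""


def is_trusted(host: str) -> bool:
    """True if host equals a trusted domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def shown_host(text: str) -> str:
    """Hostname the reader sees in the link text, or '' if the text names none."""
    m = HOST_RE.search(text.lower())
    return m.group(0) if m else ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list:
    """Return one finding per link: href, text, suspicious flag and the reasons."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = (urlsplit(href).hostname or "").lower()
        shown = shown_host(text)
        reasons = []
        if not is_trusted(real):
            reasons.append("href host %r is not under %s" % (real, TRUSTED_DOMAINS))
        if shown and shown != real:
            reasons.append("visible text names %r but href goes to %r" % (shown, real))
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(status, f["text"], "->", f["href"])
        for r in f["reasons"]:
            print("   ", r)
```

Run against the sample, the two "apple login" / "login.apple.com" anchors are flagged (the second one twice: untrusted host and a visible hostname that disagrees with the href), while the support.apple.com link passes. A mail gateway or a user-education tool would apply the same two questions to every link before the reader ever decides whether to click.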
