veritylikestea

Q: My devices have been hacked. What do I do?

I was using my iPad a short while ago when suddenly it locked itself, and was askiwhich I'd never previously set up. I went to check my phone and there was a message on the screen (it's still there) saying that my device(s) had been hacked by 'Oleg Pliss' and he/she/they demanded $100 USD/EUR (sent by PayPal to lock404(at)hotmail.com) to return them to me.

I have no idea how this has happened. I am not aware of having been exposed to malware or anything else, although I did recently purchase some new apps - perhaps one of these has something to do with it? I don't know. I am not sure what avenue has been used to reach my devices - I'm about to use my husband's laptop to check through some of my accounts (gmail, etc) and see if there is any clue there.

Has this happened to anyone else? What can or should I do? Many thanks

iPhone 5

Posted on May 26, 2014 4:57 AM


first Previous Page 15 of 32 last Next
  • by Sel_L, Level 1 (0 points), May 27, 2014 2:18 AM in response to veritylikestea

    huh??  Been trying to take one of my ipads out of lost mode all day ... won't do it for some reason.  Now I've just tried to log into icloud again and it's saying my Apple ID has been disabled for security reasons??  I've already changed my passwords/security questions/rescue email ... sigh ... will this never end

  • by kkneufeld, Level 1 (0 points), May 27, 2014 2:22 AM in response to Sel_L

    Sel_L wrote:

    Now I've just tried to log into icloud again and its saying my Apple ID has been disabled for security reasons??  I've already changed my passwords/security questions/rescue email ...

    This just happened to me as well. Confusing.

  • by Andrew J, Level 3 (790 points), May 27, 2014 2:30 AM in response to kkneufeld

    It looks like Apple are isolating accounts that have been hacked. Feel happy it won't be happening again. I hope you changed your password.

  • by kkneufeld, Level 1 (0 points), May 27, 2014 2:47 AM in response to veritylikestea

    And now as I go to restore my phone from a back up from 17 days ago, it tells me the file is corrupt. What a day!

  • by deskokat, Level 1 (0 points), May 27, 2014 2:48 AM in response to kkneufeld

    Same. I'm signed in right now (with reset password, obvs) on one of my devices (in order to message this), but another has just said my AppleID is disabled. My kid's iPod wasn't affected - it wasn't hooked into our AppleID. But I have 2 x iPhones, 2 x iPads, and 1 Powerbook - all on the same AppleID - affected.

  • by toninoapa, Level 1 (0 points), May 27, 2014 3:07 AM in response to veritylikestea

    I haven't been hacked thankfully but wonder if this has something to do with the exploit.

    I received the following email on May 26th. It was the 3rd or 4th such email I received and went like this:

    <<Dear Apple Customer,

    Your Apple ID has been Disabled for Security Reasons!

    Someone just tried to sign in into your Apple account from other IP Address.
    Please confirm your identity today or your account will be Disabled due to concerns we have for the safety and integrity of the Apple Community.

    To confirm your identity, we recommend that you go to <verify now>

    Regards

    Apple>>

    It looked very legit with appropriate graphics and clean Applesque formatting but I deleted it... my usual response to communications I've not initiated.

    This email was in the trash so I looked at the raw source to compare with legit saved emails I've received from Apple. Below is the raw source from the fake. Notable that the body is all in html without CSS. Much different to a legit Apple email. Also note the fake return path and the envelope from address. And the final and most obvious 'to me' tell is that they addressed this to me on an email that was not registered with Apple.

    This is the raw source: I've deleted my details and used XXX where they appeared. Also bolded the fake link.

    ----------------------------------------------

    Return-path: <do_no_reply@iclouds.co.nz>
    Envelope-to: XXXXXXX@XXXX.co.nz
    Delivery-date: Mon, 26 May 2014 14:16:13 +1200
    Received: from postie1.hosting365.ie ([82.195.157.180]:54319)
              by kiwiwebhost.actin.net.nz with esmtp (Exim 4.80.1)
              (envelope-from <do_no_reply@iclouds.co.nz>)
              id 1WokSS-0003Vr-Ts
              for XXXXXXX@XXXX.co.nz; Mon, 26 May 2014 14:16:13 +1200
    Received: from iclouds.co.nz (unknown [62.90.94.40])
              by postie1.hosting365.ie (Postfix) with ESMTP id 4E402A852F28A
              for <XXXXXXX@XXXX.co.nz>; Mon, 26 May 2014 03:16:10 +0100 (IST)
    From: Apple <do_no_reply@iclouds.co.nz>
    To: XXXXXXX@XXXX.co.nz
    Subject: Apple ID Disabled for Security Reasons.
    Date: 26 May 2014 05:16:09 +0300
    Message-ID: <20140526051609.7C8FA3422DE61EB8@iclouds.co.nz>
    MIME-Version: 1.0
    Content-Type: text/html;
              charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    <html>

    <tr>

     

              <td style=3D"padding&#58;20px 11px 40px 11px;background-color&#58;#ffffff;"=

    >

     

              <table width=3D700 border=3D0 cellspacing=3D0 cellpadding=3D0 align=3Dcente=

    r style=3D"background-color&#58;#ffffff;" bgcolor=3D"#ffffff">

     

                <tr>

     

                  <td width=3D700 valign=3Dtop>

     

                    <table width=3D648 border=3D0 cellspacing=3D0 cellpadding=3D0 align=

    =3Dcenter style=3D"background-color&#58;#ffffff;" bgcolor=3D"#ffffff">

     

                            <tr><td><img src=3D"http://iforce.co.nz/i/y4doyckl.f2u.gif" alt=3D"" w=

    idth=3D648 height=3D122 border=3D0 style=3D"display&#58;block;"></td></tr>

     

                    </table>

     

                    <table width=3D630 border=3D0 cellspacing=3D0 cellpadding=3D0 align=

    =3Dcenter style=3D"background-color&#58;#f1f1f1;">

     

                            <tr>

     

                                    <td>

     

                                            <table width=3D490 border=3D0 cellspacing=3D0 cellpadding=3D0 align=3Dce=

    nter style=3D"background-color&#58;#f1f1f1;">

     

                                                      <tr>

     

                                                                <td width=3D490 align=3Dleft style=3D"padding&#58;0 0 22px 0;">

     

                                                                          <div style=3D"font-family&#58;Lucida Grande, Lucida Sans, Lucida Sans=

    Unicode, Arial, Helvetica, Verdana, sans-serif;color&#58;#333333;font-size&=

    #58;12px;line-height&#58;1.25em;"><span style=3D"font-weight&#58;bold;">Dear=

    Apple Customer,</span><br>

     

                                                                              <br>

     

                                                                            Your Apple ID has been Disabled for Security Reasons!<br>

     

                                                                            <br>Someone just tried to sign in into your Apple account from othe=

    r IP Address.<br>Please confirm your identity today or your account will be =

    Disabled   due to concerns we have for the safety and integrity of the Apple=

    Community.<br><br>To confirm your identity, we recommend that you go to <a =

    href=3D"yAppleIdwoa/wa/appId-4191.returnURL-DaHR0cDovL3N0b3JlLmFwcGxlLmNvbS91c3wxYW9=

    zZmU4OGZjNWIyNThhYWVhOTM5MzVjZjI2NTk1OGE3MWUwY2Y0MmI2OA26r3DSDHCD9JUYKX777H9=

    KT/index.php" target=3D_blank>Verify Now &gt;</a><br>


                                                                  <br>Regards,<br>Apple</div>


                                                                </td>


                                                      </tr>


                                            </table>


                                    </td>


                            </tr>


                            <tr><td style=3D"padding-top&#58;101px;"><img src=3D"nz/i/yowyomf2.4fe.gif" alt=3D"" width=3D630 height=3D21 border=3D0 style=3D"=

    display&#58;block;"></td></tr>


                    </table>


                    <table width=3D490 border=3D0 cellspacing=3D0 cellpadding=3D0 align=

    =3Dcenter id=3Decxaapl-footer style=3D"">


                            <tr><td style=3D"padding&#58;10px 20px 10px 0;">


                                    <div style=3D"font-family&#58;Geneva, Verdana, Arial, Helvetica, sans-s=

    erif;font-size&#58;9px;line-height&#58;1.34em;color&#58;#999999;">TM and Cop=

    yright =A9 2014 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014, U=

    SA.</div>


                                    <div style=3D"font-family&#58;Geneva, Verdana, Arial, Helvetica, sans-s=

    erif;font-size&#58;9px;line-height&#58;1.34em;color&#58;#999999;"><a target=

    =3D_blank style=3D"color&#58;#999999;text-decoration&#58;underline;" href=3D=

    "http://www.apple.com/nz/legal/">All rights reserved</a> / <a target=3D_blan=

    k style=3D"font-family&#58;Geneva, Verdana, Arial, Helvetica, sans-serif;fon=

    t-size&#58;9px;line-height&#58;1.34em;color&#58;#999999;text-decoration&#58;=

    underline;"=3D"http://www.apple.com/nz/enews/subscribe/">Keep Informed<=

    /a> / <a target=3D_blank style=3D"font-family&#58;Geneva, Verdana, Arial, He=

    lvetica, sans-serif;font-size&#58;9px;line-height&#58;1.34em;color&#58;#9999=

    99;text-decoration&#58;underline;" href=3D"http://www.apple.com/nz/privacy/"=

    >Privacy Policy</a> / <a target=3D_blank style=3D"font-family&#58;Geneva, Ve=

    rdana, Arial, Helvetica, sans-serif;font-size&#58;9px;line-height&#58;1.34em=

    ;color&#58;#999999;text-decoration&#58;underline;" href=3D"https://appleid.a=

    pple.com/cgi-bin/WebObjects/MyInfo">My Apple ID</a></div>


                            </td></tr>


                    </table>


                        </td>


                </tr>


              </table>


              </td>


              </tr>


              </table>




    <img src=3D"http://iforce.co.nz/i/m1gq1iu5.j3c.gif">

    </div></div>

    </div>

    </div></div></div></div><input id=3D"atirp" type=3D"hidden" value=3D""/></di=

    v>

    </div></div>

            </div>

    =20=20=20=20

        </body>

    </html>

    Message was edited by: toninoapa. Forgot to mention that I'm located in NZ not Aus. ** I have just disabled the links... I think, by deleting the href tags. Wouldn't want anyone clicking the links! ** If any of the links look active please do not click them.
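The tells toninoapa lists (a sender domain that merely resembles the brand, an origin host the relay could not reverse-resolve, a recipient address never registered with Apple, a "Verify Now" link that leads away from apple.com) can be checked mechanically from the raw source. The Python script below is an added example, not code from this thread or from Apple: RAW_MESSAGE is reconstructed from the headers quoted above (recipient masked as in the post, body cut down to the fragment carrying the links), the stripped "Verify Now" target is replaced by the placeholder host phishing-host.example, and REGISTERED_ADDRESSES is a constructed stand-in for the addresses a reader has actually given to the brand.

```python
"""Phishing triage over a raw e-mail source (added example, not from the thread).

RAW_MESSAGE is reconstructed from the headers posted above; the recipient is
masked as in the post, the stripped 'Verify Now' target is replaced by the
placeholder host phishing-host.example, and REGISTERED_ADDRESSES is constructed.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains where mail and links from the genuine sender are expected to live.
BRAND_DOMAINS = ("apple.com", "icloud.com")
BRAND_WORDS = ("apple", "icloud")          # words a lookalike domain would borrow
# Addresses the reader registered with the brand (constructed stand-in); the
# post's last tell was that the phish arrived at an address never given to Apple.
REGISTERED_ADDRESSES = {"owner@example.com"}

RAW_MESSAGE = """\
Return-path: <do_no_reply@iclouds.co.nz>
Received: from postie1.hosting365.ie ([82.195.157.180]:54319)
    by kiwiwebhost.actin.net.nz with esmtp (Exim 4.80.1)
    (envelope-from <do_no_reply@iclouds.co.nz>)
    for XXXXXXX@XXXX.co.nz; Mon, 26 May 2014 14:16:13 +1200
Received: from iclouds.co.nz (unknown [62.90.94.40])
    by postie1.hosting365.ie (Postfix) with ESMTP id 4E402A852F28A
    for <XXXXXXX@XXXX.co.nz>; Mon, 26 May 2014 03:16:10 +0100 (IST)
From: Apple <do_no_reply@iclouds.co.nz>
To: XXXXXXX@XXXX.co.nz
Subject: Apple ID Disabled for Security Reasons.
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<div>Your Apple ID has been Disabled for Security Reasons!<br>
To confirm your identity, we recommend that you go to <a =
href=3D"http://phishing-host.example/index.php" target=3D_blank>Verify Now &gt;</a>
<br>Regards,<br>Apple</div>
<a href=3D"https://appleid.apple.com/cgi-bin/WebObjects/MyInfo">My Apple ID</a>
"""


def parse(raw: str) -> Message:
    return email.message_from_string(raw)


def domain_of(addr_header: str) -> str:
    """Lower-cased domain of the address in a header value, '' if absent."""
    address = parseaddr(addr_header)[1].lower()
    return address.rsplit("@", 1)[1] if "@" in address else ""


def is_brand_domain(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def decoded_body(msg: Message) -> str:
    """Undo quoted-printable (=3D, soft '=' line breaks) and the charset."""
    raw = msg.get_payload(decode=True) or b""
    return raw.decode(msg.get_content_charset() or "ascii", errors="replace")


def triage(raw: str) -> list[str]:
    """Return one finding per suspicious property; an empty list flags nothing."""
    msg = parse(raw)
    findings = []

    # Visible sender: display name says Apple, domain says otherwise.
    from_hdr = msg.get("From", "")
    display_name = parseaddr(from_hdr)[0]
    from_domain = domain_of(from_hdr)
    if from_domain and not is_brand_domain(from_domain):
        findings.append(f"From domain {from_domain!r} is not a brand domain (display name {display_name!r})")
        if any(w in from_domain for w in BRAND_WORDS):
            findings.append(f"lookalike sender domain {from_domain!r}")
    # Envelope sender (Return-path) should agree with the header sender.
    return_path = domain_of(msg.get("Return-path", ""))
    if return_path and return_path != from_domain:
        findings.append(f"Return-path domain {return_path!r} differs from From domain {from_domain!r}")

    # The last Received header is the first hop; 'unknown' there means the
    # receiving MTA could not reverse-resolve the sending IP.
    received = msg.get_all("Received") or []
    if received:
        m = re.search(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)", received[-1])
        if m:
            claimed, rdns, ip = m.groups()
            if rdns == "unknown":
                findings.append(f"origin {claimed} ({ip}) has no reverse DNS")
            if not is_brand_domain(claimed):
                findings.append(f"origin host {claimed!r} is outside brand infrastructure")

    # Recipient: a brand only mails addresses it holds on file.
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    if to_addr and to_addr not in REGISTERED_ADDRESSES:
        findings.append(f"recipient {to_addr!r} is not registered with the brand")

    # Links: every href should land on a brand domain.
    for href in re.findall(r'href\s*=\s*"([^"]+)"', decoded_body(msg), flags=re.I):
        host = urlparse(href).hostname or ""
        if not host:
            findings.append(f"link {href!r} has no host (relative or stripped)")
        elif not is_brand_domain(host):
            findings.append(f"link {href!r} points outside brand domains")
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE):
        print("-", finding)
```

Feed triage() the raw source saved from the mail client. Each finding is a hint rather than a verdict: legitimate senders sometimes hand mail to third-party relays, and a relay can fail reverse DNS for an honest host, which is why the checks are reported separately instead of being folded into one score. The genuine footer link to appleid.apple.com in the sample is deliberately left unflagged so the link check can be seen telling the two apart.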

  • by thomas_r., Level 7 (30,944 points), Mac OS X, May 27, 2014 2:59 AM in response to analogue cheese

    analogue cheese wrote:

    so anyway, the story's now hit the MSM.

    LOL, funny how that article makes many of the same points I did... and with all the same links I provided, even down to the Mat Honan story.

    It's not real reporting when all the advice has been stolen from a forum.

  • by thomas_r., Level 7 (30,944 points), Mac OS X, May 27, 2014 3:07 AM in response to analogue cheese

    if it helps in identifying the cause, her AppleID password was weak

    I don't think that password strength is an issue, as I had originally stated. At this point, everyone affected seems to be from Australia. If it were an issue of weak passwords failing under a botnet attack, that would affect all Apple IDs with weak passwords, not just Australian Apple IDs.

    Someone mentioned Telstra earlier too - Bigpond is our ISP.

    Thus far, the only folks who have said what ISP they are using are using that one. (Though I haven't yet gotten to several pages of this topic that were posted overnight.) That may be the common denominator.

  • by thomas_r., Level 7 (30,944 points), Mac OS X, May 27, 2014 3:13 AM in response to Andrew J

    Andrew J wrote:

    I haven't read where people who have been hacked, haven't used the same email and passwords on eBay.

    Someone earlier in this very topic said they don't even have an eBay account. This isn't related to eBay.

    Nor is it an e-mail account breach. Too many different global e-mail providers are involved. That's not the common denominator.

  • by Andrew J, Level 3 (790 points), May 27, 2014 3:31 AM in response to thomas_r.

    thomas_r. wrote:

    Andrew J wrote:

    I haven't read where people who have been hacked, haven't used the same email and passwords on eBay.

    Someone earlier in this very topic said they don't even have an eBay account. This isn't related to eBay.

    Nor is it an e-mail account breach. Too many different global e-mail providers are involved. That's not the common denominator.

    If you had read my posts correctly, you would have noticed I haven't said anything about email accounts being breached, but feel free to point me to where I did say that.

    My suspicions are people who use their Apple ID email and passwords on other web services, are the ones who have been hacked. So let's be logical, shall we?

    1) It's localised to Australia and New Zealand, which may point to a localised server breach.
    2) Each user has had their iCloud account accessed and their devices locked in request of cash.
    3) Someone has gotten those email addresses and passwords from somewhere other than Apple.
    4) It can't be Apple servers, otherwise there would be far more people affected, and any hacker worth their salt, wouldn't be asking for $50 for the efforts. Apple servers are highly protected with multiple encryption levels.
    5) So far, most people have admitted using their Apple ID email and passwords on other web accounts.
    6) Heartbleed hasn't been patched on all servers. eBay had a breach just last week, thus my connection to eBay.
    7) If you have any better hypothesis, I would be happy to share the load.

  • by thomas_r., Level 7 (30,944 points), Mac OS X, May 27, 2014 3:39 AM in response to veritylikestea

    Okay, this topic has grown quite a bit overnight (well, overnight in the US anyway).

    There's a lot of fairly random speculation going on, and even some completely unfounded and false claims (like that everyone affected has a stolen phone... that's nonsense). So let's try to summarize.

    There has been no commonality found as to e-mail accounts used, so a hacked e-mail account is out. That would not fit with the affected users all being in Australia/New Zealand. Weak passwords being hacked by a botnet would also be insufficient to explain the locality.

    Some users have mentioned receiving phishing e-mails, but I don't believe those are the issue either. With so many people reporting that they are using global e-mail providers (me.com, Hotmail, GMail, etc), there's simply no way that such phishing e-mails could have targeted only Australians. Further, people who mentioned the phishing e-mails also said they didn't fall for them. So that's out.

    It's looking so far like everyone affected is using Telstra as their internet service provider (ISP). This could provide the common link, and the explanation as to why only people in one part of the world are being affected. My theory is that Telstra's domain name servers (DNS) have been "poisoned."

    A domain name server (DNS) is a server used to convert a human-readable address (www.apple.com) into a numeric IP address (17.172.224.47). If a DNS gets "poisoned," it can contain entries that map the human-readable address to a malicious IP address.

    If this happened with Telstra, affected users who provided a username and password on what they thought was Apple's site may actually have provided it to hackers. It may be a good idea to use an alternate DNS for the next few days, just in case, until the cause is determined. Try the OpenDNS servers or Google DNS servers.

    For more information, and some info on fixing the problem, see my earlier responses:

    Re: My devices have been hacked. What do I do?
    Re: My devices have been hacked. What do I do?
    Re: My devices have been hacked. What do I do?
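The "poisoned resolver" theory in the post above is testable: resolve the same names through the ISP's resolver and through third-party resolvers such as the Google DNS and OpenDNS servers it recommends, then look for a resolver whose answer both disagrees with the others and falls outside the address space the real site uses. The Python below is an added example, not part of thomas_r.'s post or any Apple tooling, and performs no lookups: ANSWERS is a constructed table (17.172.224.47 is the address quoted in the post, 203.0.113.45 a TEST-NET address standing in for a poisoned answer, 17.142.160.59 a made-up second address in Apple's range), and EXPECTED_NETWORKS assumes Apple's publicly known 17.0.0.0/8 allocation.

```python
"""Cross-resolver consistency check for a suspected DNS poisoning.

Added example, not part of the thread. Nothing is resolved over the network:
ANSWERS is a constructed table of what three resolvers might return for the
same names. EXPECTED_NETWORKS assumes Apple's 17.0.0.0/8 allocation.
"""
import ipaddress
from collections import Counter

EXPECTED_NETWORKS = {
    "www.apple.com": [ipaddress.ip_network("17.0.0.0/8")],
    "appleid.apple.com": [ipaddress.ip_network("17.0.0.0/8")],
}

# resolver label -> name -> set of A records (all constructed)
ANSWERS = {
    "isp-resolver": {                            # the suspect ISP resolver
        "www.apple.com": {"203.0.113.45"},       # constructed poisoned answer (TEST-NET-3)
        "appleid.apple.com": {"17.172.224.47"},
    },
    "8.8.8.8": {                                 # Google Public DNS
        "www.apple.com": {"17.172.224.47"},      # address quoted in the post
        "appleid.apple.com": {"17.172.224.47"},
    },
    "208.67.222.222": {                          # OpenDNS
        "www.apple.com": {"17.172.224.47"},
        "appleid.apple.com": {"17.142.160.59"},  # constructed: a different node, still in 17/8
    },
}


def divergent_names(answers):
    """Names whose answer sets are not identical across resolvers.

    Returns {name: {resolver: frozenset(ips)}} for the disagreeing names only.
    """
    names = {n for per_resolver in answers.values() for n in per_resolver}
    out = {}
    for name in sorted(names):
        seen = {r: frozenset(per.get(name, ())) for r, per in answers.items()}
        if len(set(seen.values())) > 1:
            out[name] = seen
    return out


def outvoted(answers):
    """Per divergent name, the resolvers whose answer differs from the majority answer."""
    result = {}
    for name, seen in divergent_names(answers).items():
        majority = Counter(seen.values()).most_common(1)[0][0]
        result[name] = sorted(r for r, ips in seen.items() if ips != majority)
    return result


def outside_expected(answers, expected=EXPECTED_NETWORKS):
    """(resolver, name, ip) for every answer outside the networks the real site uses."""
    hits = []
    for resolver, per in answers.items():
        for name, ips in per.items():
            nets = expected.get(name)
            if not nets:
                continue                          # no ground truth for this name
            for ip in ips:
                if not any(ipaddress.ip_address(ip) in net for net in nets):
                    hits.append((resolver, name, ip))
    return sorted(hits)


def suspect(answers, expected=EXPECTED_NETWORKS):
    """Answers that are both outvoted by the other resolvers and outside the
    expected networks. Disagreement alone is normal for CDN-fronted names, so
    neither test on its own is treated as evidence of poisoning."""
    minority = outvoted(answers)
    return [hit for hit in outside_expected(answers, expected)
            if hit[0] in minority.get(hit[1], [])]


if __name__ == "__main__":
    print("divergent:", sorted(divergent_names(ANSWERS)))
    print("outvoted:", outvoted(ANSWERS))
    print("suspect:", suspect(ANSWERS))
```

In the constructed table appleid.apple.com comes back divergent (OpenDNS returns a different address than the other two) but not suspect, because every answer sits inside Apple's range; only the ISP resolver's www.apple.com answer fails both tests. To fill ANSWERS from live lookups, a resolver library such as dnspython can be pointed at a chosen nameserver, whereas socket.gethostbyname() only ever asks the system resolver and so cannot compare the ISP against the alternates the post suggests.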

  • by deskokat, Level 1 (0 points), May 27, 2014 3:49 AM in response to thomas_r.

    Is there Big Pond in New Zealand? They have Telecom NZ, not Telstra?

  • by CasandD, Level 1 (0 points), May 27, 2014 3:50 AM in response to thomas_r.

    I was affected and I'm not with Telstra.

  • by MidniteDaydream, Level 1 (0 points), May 27, 2014 3:51 AM in response to thomas_r.

    Not a valid theory as there are numerous victims who are not Telstra customers. My family uses Optus & Telstra and we had three devices compromised on both networks. The most likely - according to our work IT guys who are working on other employees' hacked phones - is that so far all of those affected have used a VPN anonymising service. Most in order to either access the US iTunes store, play games, or to stream movies that are Geo-Blocked in Australia.

  • by Andrew J, Level 3 (790 points), May 27, 2014 3:56 AM in response to thomas_r.

    thomas_r. wrote:

     

    Okay, this topic has grown quite a bit overnight (well, overnight in the US anyway).

     

    There's a lot of fairly random speculation going on, and even some completely unfounded and false claims (like that everyone affected has a stolen phone... that's nonsense). So let's try to summarize.

     

    There has been no commonality found as to e-mail accounts used, so a hacked e-mail account is out. That would not fit with the affected users all being in Australia/New Zealand. Weak passwords being hacked by a botnet would also be insufficient to explain the locality.

     

    Some users have mentioned receiving phishing e-mails, but I don't believe those are the issue either. With so many people reporting that they are using global e-mail providers (me.com, Hotmail, GMail, etc), there's simply no way that such phishing e-mails could have targeted only Australians. Further, people who mentioned the phishing e-mails also said they didn't fall for them. So that's out.

     

    It's looking so far like everyone affected is using Telstra as their internet service provider (ISP). This could provide the common link, and the explanation as to why only people in one part of the world are being affected. My theory is that Telstra's domain name servers (DNS) have been "poisoned."

     

    A domain name server (DNS) is a server used to convert a human-readable address (www.apple.com) into a numeric IP address (17.172.224.47). If a DNS gets "poisoned," it can contain entries that map the human-readable address to a malicious IP address.

     

    If this happened with Telstra, affected users who provided a username and password on what they thought was Apple's site may actually have provided it to hackers. It may be a good idea to use an alternate DNS for the next few days, just in case, until the cause is determined. Try the OpenDNS servers or Google DNS servers.

     

    For more information, and some info on fixing the problem, see my earlier responses:

     

    Re: My devices have been hacked. What do I do?

    Re: My devices have been hacked. What do I do?

    Re: My devices have been hacked. What do I do?

    Again, nowhere have I even hinted that people's email accounts have been hacked, so where are you getting that from?

    It's obvious that user accounts have been hacked.

    There isn't enough evidence to suggest that Telstra is the problem, as proved by the number who aren't with Telstra. Coming from Australia, I can tell you, they are the biggest Internet service provider in the country.

    Considering the small numbers of affected users (we're not talking about tens of thousands), it points more to a smaller connection.
