veritylikestea

Q: My devices have been hacked. What do I do?

I was using my iPad a short while ago when suddenly it locked itself, and was askiwhich I'd never previously set up. I went to check my phone and there was a message on the screen (it's still there) saying that my device(s) had been hacked by 'Oleg Pliss' and he/she/they demanded $100 USD/EUR (sent by PayPal to lock404(at)hotmail.com) to return them to me.

 

I have no idea how this has happened. I am not aware of having been exposed to malware or anything else, although I did recently purchase some new apps - perhaps one of these has something to do with it? I don't know. I am not sure what avenue has been used to reach my devices - I'm about to use my husband's laptop to check through some of my accounts (Gmail, etc.) and see if there is any clue there.

 

Has this happened to anyone else? What can or should I do? Many thanks

iPhone 5

Posted on May 26, 2014 4:57 AM

  • by garthur79,

    garthur79 garthur79 May 29, 2014 5:59 AM in response to thomas_r.
    Level 1 (0 points)

    Both my iPhone and iPod back up to iCloud and all my music, photos and documents are all on my MacBook as well, which gets backed up with Time Machine onto an external hard drive. The thing that most scares me is if someone gets hold of my card details and starts spending my money or creates some Facebook or Twitter account and starts posting nasty messages.

  • by thomas_r.,

    thomas_r. thomas_r. May 29, 2014 6:23 AM in response to garthur79
    Level 7 (30,944 points)
    Mac OS X

    The thing that most scares me is if someone gets hold of my card details and starts spending my money

     

    They can't get your card details from your Apple ID. They could spend your money in Apple's online stores, but that's it. That's fairly easily solved... it's easy to refute purchases with Apple, and you can turn to your credit card company if Apple fails you.

     

    or creates some Facebook or Twitter account and starts posting nasty messages

     

    There's nothing about hacking your Apple ID that makes that any easier. If someone wanted to do that, they could just do it. They wouldn't need to hack anything.

  • by MidniteDaydream,

    MidniteDaydream MidniteDaydream May 29, 2014 7:27 AM in response to Tlix
    Level 1 (0 points)

    Good, because there is nothing criminal about using unblocking servers, it is simply doing something that annoys a Corporation, not breaking law, and I did not start this nonsense. All my posts prior to Chris deciding to be judgmental in an area where he has no knowledge were related to the problem being discussed.

     

    The current Apple response here this evening is still that it must be lax security on the part of those hacked - or that it is a case of one person making an erroneous claim and a lot of others doing a "me too" and making false claims. No possibility that Apple could be even partially at fault. That won't fly with people like me and many in our corporate organisation who are security conscious and who have not used passwords in other places.

     

    The puzzling thing, and one that makes it seem more of a vandalistic attack than a true attempt to make money, is that PayPal says no such person has an account with them. If they did, the banking details held by PayPal would lead law enforcement straight to their door. I'd guess at teenagers using a bunch of opportunistically acquired passwords. Acquired from where or how, I have no idea, but as too many have not used compromised passwords there has to be a weakness or flaw somewhere.

  • by iwantgizmos,

    iwantgizmos iwantgizmos May 29, 2014 9:25 AM in response to MidniteDaydream
    Level 1 (30 points)

    The screenshots of the hacker's message on people's iPhone lock screens don't say PayPal but instead mention PaySafeCard.

     

    "Device hacked by Oleg Pliss. For unlock device YOU NEED send voucher code by 100 $/eur one of this (Moneypack/Ukash/PaySafeCard) to [some email @gmx] i sent code"

     

    PaySafeCard is based in Austria and is apparently used worldwide. PaySafeCard is NOT PayPal. Similar names but two different companies. So don't be blaming PayPal. Go to Moneypack, Ukash, PaySafeCard, and GMX (where GMX is the email host for the bad guy's email).

     

    The BGP routing hack (mentioned in an earlier post), or something similar, sounds most plausible to me. Would seem like something in the network at an ISP in Australia (or in that area of the world) got hacked to reroute Apple logins to a bad guy's server to do something like a huge network-wide MITM attack. That would explain how very-unique-not-used-anywhere-else-passwords are somehow taken. So, if Apple iCloud is secure, and if users are not being phished, and if users are not using their passwords anywhere else (and no one else has used their same exact passwords), then it could be an attack at the network level between the user and before the Apple servers. A real ISP network tech guy could talk more about this possibility.

  • by lundkeman,

    lundkeman lundkeman May 29, 2014 9:42 AM in response to thomas_r.
    Level 1 (0 points)

    thomas_r. wrote:

     

    lundkeman wrote:

     

    It would not be a stretch for hackers to go from unlocking stolen devices with a hack, to locking them.

     

    There is absolutely nothing about the Dutch unlocking hack that is applicable to this situation. That hack requires the hackers to have the devices being unlocked in their physical possession. Due to the methods used, it cannot be applied remotely, and cannot be used to remotely lock devices.

     

    I believe you are incorrect. The Dutch group doulCi are using a Man-In-The-Middle attack. They actually tweeted that their server unlocked 7500 phones in 5 minutes. I do not believe they need to be in possession of the device. The locked device only needs to be pointed to the site that is posing as an Apple server. Anyone could redirect their own router to look to them as a DNS site. So now that this connection is established, the device thinks it is talking to an Apple server and can be unlocked. We are led to believe that only the original Apple ID and password can unlock a locked phone (this perception to us appears true if legitimately logging into Find My iPhone). This appears to not be the case, unless the device or real Apple servers are giving up these credentials in the MITM attack. I believe they posted a snippet of code which did reveal what I perceived as an Apple ID. If this is the case then the exchange probably includes the Apple ID and from there they can generate code to unlock the device.

     

    So let's then take this a different route. A hacker group hacks a DNS server and redirects some traffic to a fake Apple server. Your now normal device thinks it is talking to an Apple server. They can then use modified Dutch doulCi code to lock any device with correct software listening, Find My iPhone, Find My Mac.

     

    All phone manufacturers have to be cautious about bricking stolen phones, without the ability of unbricking. This is the exact scenario. To software hack and brick non-stolen devices, which would render them useless. Imagine all devices permanently bricked within minutes of each other, land line anyone?

  • by thomas_r.,

    thomas_r. thomas_r. May 29, 2014 10:46 AM in response to lundkeman
    Level 7 (30,944 points)
    Mac OS X

    I think you need to do more research about how this works:

     

    http://www.cultofmac.com/280450/heres-easy-hack-past-apples-activation-lock-missing-iphone/

     

    The person wanting to unlock the phone must be in possession of the device. They need not be in possession of the server providing the hack, but the server cannot do the work by itself. This is not related to the Oleg Pliss hack.

     

    If the hacker can achieve some kind of DNS poisoning attack that is, for whatever reason, predominantly affecting Aussies, then there would still be no need for doulCi to be involved. The hackers would simply capture Apple ID credentials and attack the phones through Find My iPhone, as has been stated.

  • by MidniteDaydream,

    MidniteDaydream MidniteDaydream May 29, 2014 12:11 PM in response to iwantgizmos
    Level 1 (0 points)

    The message you looked at might well be something else, but those I have seen definitely state PayPal. PayPal has even made public comment both denying having such a user associated with them and assuring people that if anyone did try to make payment their money would be returned. I doubt that there has been any serious intention to try to collect money, I feel that it is just a giant wind-up. Some little teenage hackers having fun.

  • by lundkeman,

    lundkeman lundkeman May 29, 2014 12:16 PM in response to thomas_r.
    Level 1 (0 points)

    thomas_r. wrote:

     

    I think you need to do more research about how this works:

     

    http://www.cultofmac.com/280450/heres-easy-hack-past-apples-activation-lock-missing-iphone/

     

    The person wanting to unlock the phone must be in possession of the device. They need not be in possession of the server providing the hack, but the server cannot do the work by itself. This is not related to the Oleg Pliss hack.

     

    If the hacker can achieve some kind of DNS poisoning attack that is, for whatever reason, predominantly affecting Aussies, then there would still be no need for doulCi to be involved. The hackers would simply capture Apple ID credentials and attack the phones through Find My iPhone, as has been stated.

     

    Thanks for your reply, in fact the website article you point to helps to enforce my point. In step 4 of the website article,

     

    "4) After the DoulCi servers have spoofed the activation request, the iPhone is good to go as though it has been authenticated with the owner’s Apple ID login. Sort of…",

     

    The device is unlocked with the original owner's Apple ID.  The doulCi code could be modified to apply activation lock, in my opinion.

     

    Please do not change the context of your original argument "That hack requires the hackers to have the devices being unlocked in their physical possession." to

    "The person wanting to unlock the phone must be in possession of the device."

     

    I already understand this and perhaps you do too, but you did not originally word your reply that way.  I am not considering the people who want to unlock locked devices to be hackers, just users, whether they are legitimate or nefarious.  I consider the hackers the guys who did the work to write the code that allows them to unlock these devices.

     

    You wrote "Due to the methods used, it cannot be applied remotely, and cannot be used to remotely lock devices."

     

    Once again I believe you are incorrect, how do you think activation lock works in the first place, by sending a valid remote code via wifi, cellular or even cable to your device running the find my device services to lock it. If the device is not running the service then AFAIK this will not work. Thus if a device is communicating thru a spoofed server, the activation lock code could be injected and the device will accept it, same concept as what the doulCi code does. The biggest difference would be that the people seeking to unlock phones are intentionally going to a spoofed site, whereas the others are most likely accessing a spoofed site without intention.

     

    I did not say doulCi needs to be involved, but that someone could have used their code and modified it, thus it is not doulCi doing the hack.

     

    Hopefully it will come out soon as to how this hack was made possible. I currently believe that the doulCi code was modified to propagate the Oleg Pliss hack; however, I could be proven wrong in the future.

     


  • by iwantgizmos,

    iwantgizmos iwantgizmos May 29, 2014 12:34 PM in response to MidniteDaydream
    Level 1 (30 points)
  • by MajorIP4,

    MajorIP4 MajorIP4 May 29, 2014 12:41 PM in response to thomas_r.
    Level 1 (33 points)
    Apple Music

    thomas_r. wrote:

     

    I think you need to do more research about how this works:

     

    http://www.cultofmac.com/280450/heres-easy-hack-past-apples-activation-lock-missing-iphone/

     

     

    If the hacker can achieve some kind of DNS poisoning attack that is, for whatever reason, predominantly affecting Aussies, then there would still be no need for doulCi to be involved. The hackers would simply capture Apple ID credentials and attack the phones through Find My iPhone, as has been stated.

    Which is exactly why I suggest Apple close the Lost and Erase modes security hole by requiring the owner to enter their recovery key given in the 2-step process.

  • by MidniteDaydream,

    MidniteDaydream MidniteDaydream May 29, 2014 1:18 PM in response to iwantgizmos
    Level 1 (0 points)

    Well, if you can read a newspaper, real or online - it shouldn't be too difficult for you. You do know what a newspaper is? Try News.com and SMH - they both have stories on the issue with links to NSW Police and Consumer Affairs/Attorney General warnings - all of which claim the hacks demand user pay via PayPal.

     

    www.staysmartonline.gov.au includes this - as do the Police and various other authorities. Why don't you go argue with them?

     

    "At present many users are reporting that their phones or systems lock unexpectedly, they receive an email from ‘Find My iPhone’ and a message on their screen stating that their device has been, ‘Hacked by Oleg Pliss’. The message said that to unlock their device they should pay a ransom via PayPal, emailing the payment code to lock404[a]hotmail.com."

     


  • by tinous98,

    tinous98 tinous98 May 29, 2014 2:31 PM in response to MajorIP4
    Level 1 (40 points)

    But the 2-step verification process is available only in some countries (not in mine anyway)

  • by deskokat,

    deskokat deskokat May 29, 2014 2:35 PM in response to MidniteDaydream
    Level 1 (0 points)

    I was hacked. It said PaySafeCard - I was surprised when the media mentioned PayPal, because it wasn't PayPal - and PayPal responded because they were asked to respond - that doesn't mean their name came up in the hack. And if you believe as fact everything the media reports in those newspapers you're so tediously describing, then I should tell you something - journalists sometimes take short cuts, or mis-quote things. Believe the screenshots, not the newspaper reports. Most of them got their early information from this thread!

  • by MidniteDaydream,

    MidniteDaydream MidniteDaydream May 29, 2014 2:47 PM in response to deskokat
    Level 1 (0 points)

    For Christ's sake, I was also hacked and it WAS PayPal - it is why I got involved in this thread. Why do you assume that in every instance it used exactly the same wording? It very clearly wasn't.

  • by MajorIP4,

    MajorIP4 MajorIP4 May 29, 2014 2:54 PM in response to tinous98
    Level 1 (33 points)
    Apple Music

    tinous98 wrote:

     

    But the 2-step verification process is available only in some countries (not in mine anyway)

    Which is why Apple needs to step up and get it done.
