Since February, a number of Apple users have reported locked devices displaying ransom demands written in Russian.
Earlier this week, a security professional posted a message to a private email group requesting information related to a possible compromise of at least 40 million iCloud accounts.
Salted Hash started digging around on this story after the email came to our attention. In it, a list member questioned the others about a rumor concerning "rumblings of a massive (40 million) data breach at Apple."
The message goes on to state that the alleged breach was conducted by a Russian actor, and that the vector "seems to be via iCloud to the 'locate device' feature, and is then locking the device and asking for money."
Salted Hash reached out to Apple for comment; we'll update this article if they respond.
For now, let's assume there hasn't been a massive iCloud data breach. If that's the case, then how are these users being compromised?
How the attack works:
In 2014, someone (or perhaps more than one person) using the name "Oleg Pliss" held an unknown number of Australian Apple devices for ransom, demanding a payment of $100.
The Russian Interior Ministry announced in June of 2014 that two people were arrested for blocking Apple devices to extort funds. With those arrests, it was assumed the scams were finished.
But since at least February of this year, the scams have returned. The most recent cases are targeting users in Europe and the United States, yet the methods used by the attackers are the same ones that were popular two years ago.
It starts with a compromised Apple ID. From there, the attacker uses Find My iPhone and places the victim's device into lost mode. At this point, they can lock the device, post a message to the lock screen and trigger a sound to play, drawing attention to it.
In the cases reported publicly, the ransom demanded is usually $30 to $50. If a victim contacts the referenced email address, in addition to payment instructions, they're told they have 12 hours to comply or their data will be deleted.
On July 1, Alanna Coca noticed her iPad had started beeping. When she opened the cover, the lock screen had a message displaying a phrase in Russian - "Dlya polucheniya parolya, napshite na email" - followed by a Gmail address.
Roughly translated, the phrase was telling her that in order to receive a password, she'll need to email the address displayed.
Speaking to Salted Hash, Coca explained that when she logged into iCloud, her iPad had been placed offline and she was unable to communicate with it. Apple Support eventually helped her resolve the problem, which required a factory reset.