Adam Clark Estes
A strange rash of virtual iPhone kidnappings in Australia recently spread to the United States, and boy, are they strange. Hackers appear to be using Find My iPhone to lock iOS devices remotely, and then demanding a ransom to unlock them. Said ransom is payable through PayPal. You should not pay it.
Again, these incidents sound strange. Reports of the first incidents—all in Australia—appeared on Apple forums this week, followed by a report of ransomed iPhones in the U.S. Users reported finding their phones suddenly locked, with a message from Find My iPhone saying that the device had been “hacked by Oleg Pliss.”
Instructions to unlock the phone were simple: Send $50 to a PayPal account and the phone would be set free.
It’s unclear whether the attack relies on a vulnerability in Find My iPhone or on compromised iCloud accounts. Regardless, it’s worth changing your iCloud password if you’re worried about getting hit. Because of the recent eBay breach, some think that hackers are using credentials stolen from other sites to log into people’s iCloud accounts. Better safe than locked out of your iPhone, right?
Even if you’ve already been hit, though, you just have to do a factory restore of your iOS device to get your phone back, the steps to which can be found here. And if you’ve already been hacked, PayPal says it will refund the ransom money. PayPal also says there is no account matching the email address in the ransom note. Again, this is all very strange. [The Age via GigaOm]
Update: Following widespread media coverage of the exploit, Apple responded to reports of the iPhone-for-ransom problem and denied that iCloud had been compromised:
Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store.
So does that mean that Find My iPhone is the culprit? Or is it just another case of misplaced user credentials? (Spoiler: all signs point to the latter.)