An unusual case of cyber extortion has been spotted in Australia: Apple device users in Queensland, NSW, Western Australia, South Australia and Victoria have been woken up to messages displayed on their devices saying they have been hacked.
The message says that the hacker is one “Oleg Pliss”, and that they should send $50 (or alternatively “$100 USD/EUR”) to a PayPal account in order to get their devices unlocked.
So, what happened? And why have only Australian users been targeted?
Well, it seems that no actual malware is involved, and for now the most likely explanation is that the attacker has somehow gotten a hold of the victims’ iCloud login credentials and used them to remotely lock their devices with a passcode via the “Find my iPhone” feature.
Users who have been faced with this problem are advised not to pay the ransom and to contact Apple directly to be advised on how to unlock their devices and regain access to their iCloud account.
It’s interesting to note that the victims who have set up an access passcode on their devices have seen the ransom message, but are able to regain control of their devices by simply inputing it.
Apple has yet to officially comment on the matter, but a PayPal spokesperson has confirmed that there is no PayPal account linked to the email address given by the hacker, and that the money already sent by the victims will be returned to them.
The curious name used by the attacker is more than likely an alias, but it’s interesting that it’s also the name of a well-known software engineer working for Oracle.
All in all, I’m inclined to think that this attack is more of a prank than anything else. If you were the attacker, would you give out the email for an existent PayPal account? Or, alternatively, would you use a PayPal account at all?
The question remains how he (or she) managed to get the iCloud account login credentials. My bet is on some Australian service having been hacked and the attacker trying out the harvested login credentials against the iCloud service, relying on the fact that at least some of the users will have used the same ones for both.