Gift cards or the iPhone gets it: Hackers threaten Apple with millions of remote wipes

Hackers who claim to have gained access to over 300 million iCloud and Apple email accounts are threatening to wipe user data unless Apple pays a ransom. The self-styled "Turkish Crime Family" are threatening to remotely wipe millions of iThings unless Apple pays it $75,000 in crypto-currency or $100,000 in iTunes gift cards …

  1. nuked

    Undervalued.

    1. Your alien overlord - fear me

      over valued !!

      1. Anonymous Coward

        Exactly the right value!

        1. wolfetone Silver badge

          What is value?

          1. Anonymous Coward

            The value is 42

    2. Planty Bronze badge

      Simple

      If it happens, apple are bad for not paying and allowing all them accounts to be hacked, if it doesn't apple are bad for giving into hackers paying their ransom and allowing all them accounts to be hacked.

      1. Frumious Bandersnatch Silver badge

        Re: Simple

        If it happens, apple are bad for not paying [...]if it doesn't apples are bad

        Oh, no. Bad apples make Apple bad? Sounds like perps are trying to shoot fish in a barrel, but not using any core vulns to pip them post paste.

  2. Gordon Pryra

    Quite ironic

    They seem to be offering the same levels of support that the "Geniuses" in the Apple Shops do

    ie, Wipe it and reinstall

    Maybe Apple are playing with the idea that they can sack all their support staff and let the kiddies at "Turkish Crime Family" provide free support to their customers

    1. gnasher729 Silver badge

      Re: Quite ironic

      You certainly don't go to the same store that I use. I twice had problems with a device that I wasn't willing to solve myself, and in both cases the "Genius" solved it for me, with no problems.

      That said, obviously you should have your phone backed up, so "wipe it and reinstall" is indeed a painless way to solve some problems without any loss of data.

      1. swschrad

        back the phone up early and often

        and I see where glitches when upgrading to the next version of iOS can blow your data away, so, dittos

        1. Anonymous Coward

          Re: back the phone up early and often

          Although I back up religiously (you know, with candles and incense burners) as well as normally, I have as yet not had that happen to me. I may just have been lucky, but I've been on beta releases since the last iOS v9.

          I reckon it's going to happen when I forget to make a backup. That's how these things work :).

      2. Frumious Bandersnatch Silver badge

        Re: Quite ironic

        "wipe it and reinstall" is indeed a painless way ...

        But, Apples aren't (Windows) PCs.

      3. Anonymous Coward

        Re: Quite ironic

        Ex genius here....

        You'd be amazed at just how many problems ARE solved with a DFU restore...

        But, as others have mentioned, Apple has made it so damned easy to restore your data, I'm not entirely sure what's to be gained here....

        Oh, that's right, the belief that people are careful with their data.... When was the last time you checked your backups?

        1. Gordon Pryra

          Re: Quite ironic

          @AC

          It was just a joke, and I have provided support to the public in my early days so I know support staff don't deserve any bad press. No offense was intended to anyone who works in those shops.

          Then again, this is a kind of joke story with the international criminals having grabbed the passwords for millions of devices asking for .......£75k

          They could have sold those for a few hundred k in minutes if they were actually any form of real bad a334 HaXZ0rs

        2. Trigonoceps occipitalis

          Re: Quite ironic

          " ..has made it so damned easy to restore Apple's data ... "

          FTFY

  3. DougS Silver badge

    The Dr. Evil picture is appropriate

    $100,000 is ridiculously cheap if they actually had a half billion accounts they could wipe! If they really had that many, asking for a mere penny each would net $5 million! Of course even if they had that many they could never hope to trigger a remote wipe on more than a tiny fraction before Apple noticed and shut it down!

    In fact, if Apple has been smart, they already have something automated that notices a jump in the number of remote wipes being triggered and calls a halt to any more happening until it can be investigated.

    1. P. Lee Silver badge

      Re: The Dr. Evil picture is appropriate

      >$100,000 is ridiculously cheap if they actually had a half billion accounts they could wipe!

      The trick to getting the cash is to make sure it's a no-brainer to pay, even if Apple think they probably don't need to.

      But... I think they picked the wrong target. I don't think "paying other people" is Apple's style.

      And even if you wiped the icloud data, wouldn't it sync back from the phone?

      1. DougS Silver badge

        Re: The Dr. Evil picture is appropriate

        It sounds like they are threatening a remote wipe, where you can remotely wipe your phone (i.e. if it is stolen) if you had previously set up "Find my iPhone" on your phone. Or someone else could, if they have your Apple ID / password.

        You could of course resync from iCloud or from an iTunes backup, but that would still be pretty inconvenient!

        Remote wipe is probably something it would be good to use two factor authentication with, but since for most people the second factor will be their phone...

    2. james 68

      Re: The Dr. Evil picture is appropriate

      $100,000 is quite cheap. Consider that Apple's "bug bounty" stands at $200,000 they are in fact charging only half the price. I think however that they perhaps did not read the small print on the proper means of claiming said bounty...

  4. gryff
    Meh

    Unless Apple don't have that many accounts

    If the number of *active* Apple accounts < Turk family claim

    ...then Apple say "Fuq-U"

    Let's assume anything older than 5 years is gone (upgrade, migrated away)

    Rough production is 200 million iphones a year ==> 1 billion devices

    Slice some off for the three year replacement cycle and add some on for ipads etc. but ignore desktops.

    Probably no more than 800 million accounts, perhaps as few as 600 million.

    Apple can now take a massive backup (thanks for the warning!) and rate limit any wipe requests to slow up a bulk delete in order to combat it.

    Thank goodness I still use my filofax and a hardwired landline.

    1. swschrad

      where did you get a good browser for that Imsai of yours?

      cause I could use one for my 1802
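The automated halt DougS describes and the rate limiting gryff suggests can be sketched as a sliding-window circuit breaker with a per-account cooldown. This is an added example, not part of the original thread and not Apple's implementation; the class name, thresholds and the constructed traffic are assumptions.

```python
from collections import Counter, deque

class WipeCircuitBreaker:
    """Sliding-window guard in front of a (hypothetical) remote-wipe endpoint."""

    def __init__(self, window_s=60, baseline=5, spike_factor=4, cooldown_s=3600):
        self.window_s = window_s              # length of the sliding window
        self.limit = baseline * spike_factor  # wipes per window that count as a spike
        self.cooldown_s = cooldown_s          # minimum gap between wipes per account
        self.recent = deque()                 # timestamps of allowed wipes in window
        self.last_wipe = {}                   # account -> time of last allowed wipe
        self.tripped = False

    def request(self, account, now):
        """Return 'allow', 'throttle' (per-account limit) or 'halt' (breaker open)."""
        if self.tripped:
            return "halt"
        # Forget allowed wipes that have aged out of the window.
        while self.recent and now - self.recent[0] >= self.window_s:
            self.recent.popleft()
        last = self.last_wipe.get(account)
        if last is not None and now - last < self.cooldown_s:
            return "throttle"
        if len(self.recent) + 1 > self.limit:
            self.tripped = True               # stays open until a human resets it
            return "halt"
        self.recent.append(now)
        self.last_wipe[account] = now
        return "allow"

    def reset(self):
        """Close the breaker again once the spike has been investigated."""
        self.tripped = False
        self.recent.clear()

def simulate():
    """Replay constructed traffic: 10 quiet minutes, then a 100-request burst."""
    breaker = WipeCircuitBreaker()
    events = [(f"user-{k}", 30 * k) for k in range(20)]           # 1 wipe / 30 s
    events += [(f"acct-{i}", 600 + 0.1 * i) for i in range(100)]  # sudden burst
    return Counter(breaker.request(acct, t) for acct, t in events)

if __name__ == "__main__":
    print(dict(simulate()))
```

With these assumed thresholds the breaker opens 19 requests into the burst and refuses the rest until `reset()` is called.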

  5. JustsomeBlokeinAz
    Coat

    Am I the only one?

    Who thinks that Apple should give them specially crafted Gift card codes that are A) Tracked and B) shut down any account they are used on until the law enforcement agency of choice gets an investigation completed of the account owner?

    Maybe over simplified (mainly because they would probably sell the cards for pennies on the dollar), but really? That is like going to a department store, holding the store up and asking for the proceeds to be given on a company issued credit card.....

    Mine's the one with the ice pack for my head.... might want to get that desk looked at too....

    1. jtaylor

      Re: Am I the only one?

      Gift codes are indeed easier to trace than cash / cryptocash. They are also easy to sell on to unsuspecting people before the codes are traced and cancelled.

      Before I buy a gift card second-hand, I verify the balance, then spend it all immediately after I pay for it.

      1. paulf Silver badge
        Boffin

        Re: Am I the only one?

        I'm with @JustsomeBlokeinAz on this and it looks like Lee Munson also spotted its potential from his quote in the article "I cannot help but wonder if the option to pay $100,000 in iTunes gift cards, rather than $75,000 in untraceable crypto-currency, could have been explored in association with law enforcement".

        Gift cards like those from Apple and Amazon that credit an online account from a claim code can be traced easily as SOP never mind if they're specially set up for a sting like here. If they are sold on then fool on the person buying the second hand gift card of completely unknown provenance. Let's face it, chances are it's more likely hookey than not especially if sold at a suspiciously deep discount which suggests it's at best stolen, if not fraudulently obtained. So they could have set up a nice trap to capture the hackers/fraudsters this way. Even if they sold on the cards there should be a paper trail to catch them unless they were bought off some bloke down the pub for cash. Flea-bay is enough of a bear pit but should have a reasonable paper trail back to sellers; anywhere else well you get what you deserve.

        As an aside I'd ask how you check the balance without being given the code off the card? The seller isn't going to send the code or card before receiving cleared payment as once the seller has given you the claim code how are they going to make you pay for it?

        Frankly they missed a chance to catch the buggers!

  6. lglethal Silver badge
    Trollface

    Turkish Crime Family

    Is Erdogan low on cash again?

  7. Doctor_Wibble
    Trollface

    Offer Green Shield Stamps instead

    So they know you are taking them seriously.

    1. Steve Davies 3 Silver badge

      Re: Offer Green Shield Stamps instead

      Have an upvote for mentioning a piece of history.

      All you young whippersnappers won't be old enough to remember the joys of licking the sheets of stamps and sticking them into the books.

      The six day war (if my memory serves me right) effectively killed them off but it might have been a later conflict in that area.

      1. CliveS
        Meh

        Re: Offer Green Shield Stamps instead

        Green Shield Stamps were effectively killed when Tesco stopped issuing them and switched to aggressive price cutting in the late 70's. Green Shield itself eventually morphed into Argos. So nowt to do with the Arab-Israeli war of 1967.

  8. Ilsa Loving
    Megaphone

    Password reuse

    Password reuse is overwhelmingly the most likely avenue. The average joe is notorious for not only using really lousy passwords, but using the same ones over and over again across different systems. To be fair, there are just *so many* different systems that there is simply no way to use a different password with each one.

    The only option today is some kind of password manager that can store unique credentials for every site/service that you use. There's really nothing else that strikes a good balance between security and ease of use, and the way things have been going (and continue to go), the need only intensifies.

    Off the top of my head, I can think of three:

    -1password (which I use and have been happy with)

    -enpass

    -lastpass

    Lastpass is probably the most convenient and well known because it's a cloud service that you don't have to manage.

    1Password stores passwords in a local encrypted database. You can sync between different devices via wifi, or by putting the data store on dropbox. It supports multiple 'vaults', and works on most major platforms.

    Enpass is similar to 1Password, but doesn't (yet) support multiple vaults, and has better platform support including linux.

    There are other ones out there, of course, but those are the three I know most about.

    1. Just Another SteveO

      Re: Password reuse

      Not sure I'd be recommending LastPass.

      https://www.theregister.co.uk/2017/03/21/lastpass_vulnerabilities/

    2. This post has been deleted by its author

  9. allthecoolshortnamesweretaken Silver badge

    Hmm... something doesn't quite add up here... Well, pass the popcorn, Moss.

  10. Grunchy

    If they're gonna wipe data by April 7, what if you backup before then?

    Because if they wipe it out you could probably recover your backup and problem sorted.

    Didn't cost $100,000 or anything!

    1. Roland6 Silver badge

      >If they're gonna wipe data by April 7, what if you backup before then?

      Well that raises the obvious question, namely: to what extent do public cloud providers such as Apple iCloud, MS OneCloud etc. actually back up client data?

      In the case of iCloud, assuming the typical account has the 5GB free storage allocation and is using 2GB of it, then 300M accounts represent circa 600M GB of data or 75 petabytes to be backed up, whilst the use of deltas might reduce the nightly load it is still a lot of backup media...

  11. The Nazz Silver badge
    Paris Hilton

    Missing a trick here?

    TCF : Apple, it's $100k or we wipe.

    Apple : We'll let you know before the 7th.

    Crowdfunded anti fan-bois : $ here's 110 k, just do it now.

    TCF : Ha ha Apple, it's now $120k to wipe.

    Crowdfunders etc : not so fast, here's $130k to wipe. Go on, do it.

    and so on.

    I will not make any facetious comment as to how often a Turk wipes.

    Whereas Paris,,,,,hmmm

  12. Oh Matron!

    2FA

    Enabled 2 factor auth. Painless and adds another level of security.

    1. paulf Silver badge
      Gimp

      Re: 2FA

      I didn't as I thought it through and hit a snag:

      If 2FA uses your iPhone to confirm logins what happens if you lose your iPhone? That's the one time you really need to login to iCloud very quickly from another device so you can do a remote wipe but it's also the one time you won't be able to complete the login because you've lost a main link in the 2FA chain! It's possible Apple have thought of this but I didn't find a way around it (happy to be corrected though).

      Apple email me if I sign into iCloud from a new device. I appreciate that isn't fully secure but they'd have to hack my email to stop me seeing that and the email is completely separate to any service provided by Apple.

  13. StuartCRyan

    Some tips for friends and family in the meantime.

    While time will tell the extent of this, I have been recommending the following to my friends (copied with minor edits to remove brand recommendation from https://www.facebook.com/stuart.c.ryan/posts/10154564151426973).

    As a precaution, here are some prudent tips:

    1. Log into your Apple Account at https://appleid.apple.com/ and enable two-factor authentication if you haven't already (see https://support.apple.com/en-au/HT204915).

    2. While you are there, if you have not changed your password in a while, consider doing that too (https://support.apple.com/en-au/HT201355).

    3. As the threats include the threat of remotely wiping devices, you can disable this on each of your iCloud connected devices. See Macworld's good article on how to do this for each device type: http://www.macworld.co.uk/how-to/iphone/how-turn-off-find-my-iphone-remove-iphone-ipad-or-mac-from-find-my-iphone-3645302/ . Note that if you do this, you will also be unable to use the Find my iPhone/iPad/Mac feature. Until more details come out, personally I feel this is acceptable given the risk.

    4. When you are logged in at https://appleid.apple.com/account/manage, check to ensure there are no devices you do not recognise under 'Devices'.

    5. For the next few weeks, periodically do a local backup using iTunes of your iDevices. See https://support.apple.com/en-au/HT203977 and click on 'Use iTunes'. I recommend you also set a backup password, this encrypts the backup and stores additional information making a future restore easier.

    6. As always, BACKUP BACKUP BACKUP. For your Mac, I would already hope you have backups in place. If not make sure you do!

    Time will tell what will happen with these accounts, it never hurts to take a few prudent steps until the community at large knows more.
