Cybercrime is a business. Professional criminals refine their processes, measure performance, and regularly evaluate the return on their investments. Every move is strategic. We see this time and time again with ransomware campaigns and throughout the underground.
Which is why the latest report from Joseph Cox at Motherboard is mind boggling. Joseph brings us the story of a hacker(s)—it’s unclear if there’s more than one, I’ll use the plural for simplicity—who are attempting to extort Apple into paying $100,000 for the “recovery” of millions of iCloud accounts.
Media As A Weapon
Criminals are notoriously reluctant to speak to the press. Why would you commit a crime and then advertise it to the world? Either you don’t think you’re going to get caught or—as in this case—you are trying to apply pressure on your victim, forcing them to take action.
The hackers in this case have set an April 7th deadline for Apple to pay up. If Apple doesn’t, the criminals are threatening to reset the accounts and wipe the devices connected to them.
The idea here is that public pressure generated through media coverage will force Apple’s hand. That is extremely unlikely for a number of reasons.
Digital Not Physical
In the physical world, this crime would make more sense. Criminals would ransom an item (like a painting) and if the victim paid up, they would give the item back. Since these are digital accounts and the criminals claim to have access to them, this is closer to extortion.
Again in the physical world, this would be something akin to criminals requiring money monthly to “protect” your business. In the digital world, the pressures that make victims pay (e.g., keeping your store in one piece) don’t apply.
With iCloud accounts, Apple has the ultimate safety valve: they control the infrastructure behind the accounts, which removes most of the pressure points the criminals could use.
If this is in fact a legitimate threat and the hackers have the credentials for millions of iCloud accounts, Apple has any number of options available to them. From restricting new logins to creating unique resets for each account, each of these measures will frustrate users but Apple has a great track record on security and privacy and has probably earned a bit of goodwill.
Especially when the flip side of that is submitting to criminals who are just as likely to double/triple dip on these accounts and sell them on the underground.
And that’s where this starts to fall apart. The criminals are demanding $100,000. If we look at prices in the underground for other media accounts—I don’t have current data on iCloud account resale—we see that prices range from $2 for a Spotify account up to $5 for a Netflix account (pg. 16 in our North American Underground paper).
If the criminals do in fact have access to 300 million accounts (the lowest number they stated), that could be worth millions on the underground. Why ransom them for only $100,000?
There’s a lot here that simply doesn’t add up.
The decision to pay or not pay is entirely up to Apple. They need to evaluate the risk, decide if this is real or not, and then make a call.
As a user, there isn’t much you can do about that. But there is a critical step that you can take right now to protect yourself. Turn on two-factor authentication for your iCloud account (and Facebook, Twitter, and Google while you’re at it).
It only takes a minute and couldn’t be simpler. Just visit this support article and follow the steps provided.
Now even if an attacker has your username (which is basically public) and password (which should be unique and private), they won’t be able to log in to your account. They also need the unique, temporary code generated by the two-factor authentication.
This is a smart step to help secure any account you have that supports multi or two-factor authentication.
With that step taken, you’ll also want to ensure that you’re using a password manager. This is a tool that lets you set a long passphrase (the easiest way to get a strong password) that unlocks the manager which will, um, manage all of your other passwords for you. This way you can have a unique password for every site out there with minimal hassle.
And that’s important because most of the time when issues like this one arise, the criminals have gotten the credentials (your username and password) from another site that was hacked. Almost without fail, the first thing hackers do when they get a new set of credentials is to test them out on other popular services.
Having a unique password managed by a password manager lets you contain any issues to a single site and not unnecessarily expose your other accounts.
Come April 7th, I don’t expect to see any issues with iCloud, but enabling two-factor authentication now will make sure your account is safe and sound.