    Archive for June 5th, 2014

    10:17 am (UTC-7)   |    by

    The many announcements at Apple’s 2014 Worldwide Developers Conference (WWDC) this week were welcome news to the throngs of Apple developers and enthusiasts. They were also welcome news for another group of people with less than clean motives: cybercriminals.

    Last week we got a concrete example of how some cybercriminals are now actively targeting Apple ID accounts. A thread in the Apple support forums was filled with users complaining that their devices had been locked, with a message from a certain “Oleg Pliss” demanding $100 to unlock the device. (The real Oleg Pliss is a developer for Oracle; his name appears to have been appropriated by the attackers.) Australian users appear to be the ones most affected by this attack.

    How was this attack carried out? It appears that the Find my iPhone feature was abused. An attacker with the victim’s Apple ID credentials would be able to log into the Apple site providing this service, send the ransom message to the user, and lock the phone.

    It’s unclear where the Apple ID credentials came from, but there are multiple possibilities. For example, we know that since last year phishing sites have tried to harvest Apple ID credentials. Reused passwords or social engineering may also have been used in this attack.

    How could users recover from this attack? One way would be to restore a backup from iTunes. Unfortunately, many – perhaps even most – iPhone users are not particularly fastidious about backing up. One could try restoring from iCloud as well, but that would involve logging in with the user’s Apple ID account – which has been compromised by this very attack. As in any case where a user’s account has been compromised, recovery can be very difficult.

    We will likely see more attacks trying to steal Apple IDs moving forward. For example, we can see routers with malicious DNS settings being used in man-in-the-middle attacks to try and steal credentials. Phishing attacks may increase as well. The value of a stolen Apple ID can only go up as more and more information is placed in it by users. For example, the introduction of HealthKit and HomeKit in iOS 8 may mean that even more intimate and personal information may be tied, directly or not, to the Apple ID.

    It’s a good reminder that despite Apple’s willingness to use mobile malware and vulnerabilities as a club against competitors, not all mobile threats can be so easily addressed and dismissed.

    Figure 1. Apple criticizing Android fragmentation

    So, what can users do? Our advice is similar to that for any other credential that needs to be protected:

    • Don’t reuse your password.
    • Use a secure password/passphrase.
    • Enable security features like two-factor authentication, if possible.

    To be fair, some of these steps are harder to perform on a mobile device than a desktop or laptop. Entering a long password may be hard without a password manager (like DirectPass), for example. Despite this increased difficulty, it has to be done: it is now clear that mobile device credentials – like Apple ID – are a valuable target for cybercriminals.

    To get the latest news on targeted attacks, visit the Data Breaches page in the Threat Encyclopedia.

    Posted in Mac | Comments Off on Hacking Apple ID?

    Last month, there was a very interesting decision out of the European Court of Justice. The decision established what can be called the “right to be forgotten”. People can now ask search engines like Google to remove links from search results about them.

    So, for example, say you are now a successful businessman. However, the first search result for your name is a slightly embarrassing incident that took place in your youth. Now, you can ask Google to “forget” about that incident so it won’t show up first when someone searches for your name.

    You can debate whether this is a good idea or not. Europeans like myself tend to think this is a good idea – after all, who else should control your data but you, right? Americans tend to look at it as a free speech issue. There is a cultural divide here that will not be easy to resolve.

    What it does teach us, though, is how much data there is out there about all of us. Our web browsing, our purchases, our personal information – it’s all out there in the hands of various companies. And what are they doing with it? There’s an adage that says that if you’re not paying for the product, you are the product. The real customers are advertisers who want to sell you whatever it is they’re selling.

    Now, some will say that this isn’t all bad. After all, don’t you get free services and more relevant advertising? How can this be a bad thing?

    It’s not necessarily a bad thing either. What it has to be is an informed decision by users – that they give up some of their data in exchange for some service of value to them. Today, it’s hard to say that is the case – too often, the allure of “free” trumps everything else, and people will give up data about themselves without being completely aware.

    Privacy is ultimately defined by what people decide to share or not. It remains to be seen what people decide should be made public and what remains “forgotten”, as it were.

    More of my thoughts on privacy can be found in the following video:

    Posted in CTO Insights | Comments Off on Privacy and the Right to be Forgotten

