A large number of people, mostly located in Australia, are reporting they have come under an unexplained attack that holds their iPhones and iPads hostage and demands they pay a $100 ransom.
The attack appears to work by compromising iCloud accounts associated with the disabled devices, according to an Apple support forum discussion that started Sunday morning and quickly accumulated several hundred posts. Commandeered devices typically emit a loud tone that's associated with a feature that helps users locate lost or stolen devices. iPhones and iPads also display the message: "Device hacked by Oleg Pliss. For unlock device, you need send voucher code by 100 usd/eur (Moneypack/Ukash/PaySafeCard) to email:[email protected] for unlock." In some cases—specifically, when a user hasn't assigned a strong passcode to a locked device—it can only be unlocked by performing a factory reset, which completely wipes all previously stored data and apps. The mass compromise is a variation on so-called ransomware scams, which initially targeted Windows PC users and earlier this month were found targeting smartphone users running Google's Android OS.
The forum accounts provide strong evidence that victims' Apple IDs and passwords have been compromised so that attackers can remotely lock connected devices using Apple's Find My iPhone service. But so far it remains unclear exactly how the attackers are compromising the iCloud accounts. While it's possible the hijackers used phishing attacks or hacked password databases to obtain the credentials, those explanations are undermined by the observation that the vast majority of victims were located in Australia and reported using a variety of e-mail providers. Typically, phishing campaigns and database compromises involving multiple providers affect users from more geographic regions.