Hackers struggle to get iCloud threats straight

Confusion abounds over a threatened iCloud hack as the attackers' April 7 deadline draws closer, and security experts are increasingly doubtful whether the claims made by a group known as the Turkish Crime Family are at all legitimate.

Last week the group claimed it had access to hundreds of millions of iCloud accounts that it would reset on April 7 if it did not receive a ransom payment of tens of thousands of dollars from Apple.

The claims were largely treated with suspicion, but did not fail to raise the eyebrows of many in the security industry.

“If this is proven to be a legitimate breach the consequences for Apple and its millions of users would be far reaching," David Kennerley, director of threat research at Webroot, said.

“There's a lot of questions that need to be answered such as: do these hackers really have access to the data they claim? How did they get hold of such a large amount of data? Was it a vulnerability in Apple's infrastructure or breach of a third-party tool or organisation?”

Security researcher Troy Hunt thinks the group is probably reusing credentials from other large dumps and attempting to extort Apple with it.  

Apple agrees.

"There have not been any breaches in any of Apple's systems including iCloud and Apple ID," Apple said in a statement.

"The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.”

Paul Calatayud, chief technology officer at FireMon, said he believed the claims were accurate but "most likely not caused by Apple”.

“If my email account happens to be from Yahoo, and that account is affected by the breach that just occurred, then there is a chance that the attackers are already able to compromise other accounts I hold such as my Apple ID," he said.

Shuman Ghosemajumder, CTO of Shape Security, said he thought that the group were using “credential stuffing attacks”.

By taking the data from a large breach and throwing an untold bounty of password/username combinations at Apple accounts, the group may end up with enough cracked accounts to pose a significant threat.

Consistent messaging

Meanwhile, the group has had a hard time putting out a clear message.

It was first reported the group was holding hundreds of millions of iCloud accounts to ransom for US$75,000 (A$98,000). The group later told press that it had been upped to US$150,000.

An email to press a couple of days later said the group wanted US$100,000 in bitcoins each for the seven members of the group, or alternatively, US$1 million of iTunes vouchers.

The number of accounts the group is capable of wiping also seems to be unclear. The first disclosure said the group was in possession of 519 million sets of credentials for which it threatened to wipe 220 million accounts.

The number of credentials then jumped to 627 million, and later to 717 million.

The latest message said the group is in possession of “800 million iCloud accounts”.

The group has also now disavowed its claim that iCloud was breached; instead it asserts another Apple product was breached. No further detail is provided.

Confusion and opportunism

It has not been verified whether any of the parties claiming to represent the group are legitimate, but what is clear is that confusion reigns when trying to establish a clear picture of what the Turkish Crime Family wants and what it is threatening.

The group's actions also appear to have spurred Windows tech support-style scams from scammers leeching off the publicity that has surrounded the incident.

Such scams typically involve a phone call from someone pretending to be defending from an attack, or fixing a problem with a computer or account. Knowledge of the recipient's credentials or personal details often con people into thinking the caller is legitimate.

Prospective victims are then asked to either give away important information or make changes on their computer, which often gives the con artists access.

Apple has notified users of this kind of scam and warned them to be aware of unsolicited phone calls which claim to come from Apple employees or support representatives.

This article originally appeared at scmagazineuk.com