Security & Privacy

Have you been hacked by Oleg Pliss? FAQ for iPhone and iPad users

Posted on by

iPhone, iPad and Mac users in Australia and New Zealand (and possibly elsewhere in the world) have been seeing a very strange message appear, demanding that they pay a ransom to regain access to their devices.

Here are answers to some of the questions.

What has happened?
For the last day or so, Antipodean Apple fans have been posting on the company’s support forum, asking how they can restore access to their iPhones, iPads and iMacs after a mysterious message appeared demanding a ransom be paid.

What did the message look like?
Part of the message was included in this photograph taken by the Sydney Morning Herald in its report.

Locked iMac. Image source: Sydney Morning Herald

Locked iMac. Image source: Sydney Morning Herald

“Hacked by Oleg Pliss. For unlock device YOU NEED send voucher code by 100 $/eur one of this(Moneypack/Ukash/PaySafeCard)to [email address]”

How would you know if you were a victim?
You would no longer be able to access your iPhone, iPad or iMac as it would be locked by the same “Find my iPhone” technology that you can use if you mislay or have your device stolen.

Some victims reported that the message suddenly appeared on their devices in the middle of the night.

How did the attackers manage to lock other people’s devices?
There are a few possibilities.

  • It could be that the attackers have exploited a vulnerability to access Apple users’ accounts to trigger the “Lost iDevice” process, but that doesn’t explain why the vast majority of reports come from Australia and New Zealand.
  • It could be that the attackers broke into Apple’s systems and stole a database of usernames and passwords. But that wouldn’t explain why the majority of reports involve users in Australia and New Zealand.
  • It could be that the victims all chose really dumb Apple ID passwords, that were easy for the attackers to crack. But dumb password choices are not exclusively a challenge for Australian and New Zealand users.
  • It could be that the devices have been infected by malware – but that seems highly unlikely – especially as many affected devices aren’t jailbroken, and again wouldn’t explain why the vast majority of reports come from Australia and New Zealand.
  • It could be that the victims were all duped by a phishing campaign into handing over their Apple ID credentials – but it would have had to have been a very localised campaign to be so skewed towards Australian and New Zealand users.
  • It could be that another service – perhaps popular in Australia and New Zealand – has been hacked, revealing shared passwords that were also being used to secure Apple IDs.

Could Apple ID accounts have been better protected?
Although the precise details of what occurred are not yet clear, what is certain is that Apple users who use two-factor authentication to protect their Apple ID accounts will be better protected from being compromised.

Apple 2FA

Two-factor authentication (sometimes called two step verification) makes life much harder for hackers attempting to hijack control of your accounts and devices, as it means they require more than just your username and password. They also need a one-time password (OTP) that is sent to your device itself.

In addition, you can set up a 14-digit recovery key that you can print out and keep in safe place. Apple suggests you keep the recovery key to regain access to your account, or if you ever lose access to your devices or forget your password.

Who is Oleg Pliss?
We have no idea. But, of course, it’s extremely likely that it’s not the real name of the criminal behind this attack. (Unless they’re very dumb).

A quick search on LinkedIn reveals a computer scientist named Oleg Pliss. There is no reason to believe that he is behind the attack however. More likely this is mischief-making by the criminals.

How do the bad guys make money?
From the sound of things, they are asking victims to electronically transfer money to their email address.

A posting on the Apple Support forum says that the criminals gave a Hotmail address which they requested be sent funds via PayPal, but of course that account could belong to an innocent individual.

Apple Support forum

Similarly, Oleg Pliss might be the name of someone being framed by the criminals behind the attack. If that’s the case, it’s a little pathetic. My guess is that they’ve used the name as a joke.

Well, I’m not laughing. How do I restore access to my device?

The most important thing is not to pay any money to the criminals. That will only encourage them to launch further attacks, and there is no guarantee that they will unlock your device.

Instead, erase your device using Recovery Mode and restore from a backup:

  1. Disconnect all cables from your device.
  2. Turn off your device.
  3. Press and hold the Home button. While holding the Home button, connect your device to iTunes. If your device doesn’t turn on automatically, turn it on.
  4. Continue holding the Home button until you see the Connect to iTunes screen.
  5. iTunes will alert you that it has detected a device in recovery mode. Click OK, then restore the device.

You may also find this Apple support knowledgebase article useful.

Afterwards, enable two-step verification for your Apple ID (if available in your country), and ensure that you are never re-using passwords on the internet.

What else?
Follow the discussion on the Apple Support community forum for updates from other affected users.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley. View all posts by Graham Cluley →