Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.
Could tomorrow (April 7, 2017) be a day that goes down in cybercrime infamy?
A group of alleged hackers claims to have access to as many as 750 million Apple accounts and is threatening to remotely wipe Apple devices at 7 p.m. GMT on Friday unless it receives a ransom of $700,000 from the company. Apple has responded that its systems have not been breached. So is this threat of an Apple-pocalypse a legitimate hack, or a hoax?
I tracked the timeline of this alleged hacking and spoke to two cybersecurity experts for more insight on whether the data of Apple users is really being held hostage.
On March 21, the story first broke when Vice Magazine’s Motherboard site reported that a group calling themselves the Turkish Crime Family had provided them with screenshots supposedly showing an email exchange between themselves and Apple’s security team.
The group told Motherboard they had access to 300 million Apple email accounts (later they said it was 559 million) and wanted $75,000 in Bitcoin or Ethereum cryptocurrency, or $100,000 in iTunes gift cards, in exchange for the data, or devices would be wiped.
The alleged hackers provided Motherboard’s Joseph Cox with access to the email account they were apparently using to communicate with Apple’s security team, which Cox confirmed contained email exchanges with someone from an @apple.com domain name discussing the compromised data.
Motherboard also found evidence on the email account that the group had reached out to several other media outlets.
“That hackers could get hold of data and even try to extort money from firms is not news,” said Rahul Telang, a professor of information systems and management at Carnegie Mellon University's Heinz College, in an interview with Forensic Magazine. “But the way (these) hackers are publicly announcing their tactic and plans makes it unique.”
On March 22, reporter Lucian Constantin from IDG News Service wrote on several of IDG’s news sites, including CSO, PCWorld and Macworld, that the Turkish Crime Family told him via email their goal was to bring attention to the prosecution of Karim Baratov and Kerem Albayrak, who are currently detained in the U.S. for alleged involvement in the 2014 Yahoo hack that compromised 500 million accounts.
One member of the group originally told Motherboard, “I just want my money.”
“It’s clear they’re trying to make money to fund their organized crime ring,” Vice President of GreyCastle Security Dan Didier told Forensic Magazine. “There is a tactic with ransomware attacks in which the hacker asks for small amounts of money, sometimes as low as $100, and as soon as the victim pays, the hacker negotiates for more money. This could be what the Turkish Crime Family is attempting to do.”
Constantin reported that the group was then claiming to have access to over 627 million accounts, and demanding a $150,000 ransom from Apple.
The same day, Fortune reported Apple’s statement that, “There have not been any breaches in any of Apple’s systems including iCloud and Apple ID.”
Apple further said they were “actively monitoring to prevent unauthorized access to user accounts” and “working with law enforcement to identify the criminals involved.” According to the Apple statement, credentials provided by the alleged hacking group actually came from earlier third-party breaches.
Didier calls Apple’s reaction a legitimate response.
“We do know that the hackers are not very well assembled because their stories haven’t been straight throughout the whole process,” Didier notes.
On March 23, the Turkish Crime Family again changed the number of accounts to 750 million and shot the ransom up to $700,000, saying in a post to the text storage site Pastebin, as reported by ZDNet, that they wanted $100,000 for each of the seven members of the group.
They also provided ZDNet with a list of 54 credentials, all of which were determined to be from real Apple accounts and 10 of which were officially confirmed correct after ZDNet reached out to the owners of the accounts.
On March 28, ZDNet reported receiving a new set of 70,000 credentials and verified that at least 12 of them were accurate, but also found that most of the accounts could be linked to previous breaches: the 2012 breaches of the music site last.fm and the social networking site LinkedIn, and the June 2016 breach of the gaming site Evony.
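The check Apple's statement and ZDNet's reporting both describe, whether a claimed credential dump is actually new or just recycled from earlier third-party breaches, is the first triage step a security team runs on an extortion claim like this one. The script below is an added example written for this column, not code from Apple, ZDNet or the group involved; every account, password and breach record in it is constructed and hypothetical. It compares each claimed credential against indexed copies of earlier breach corpora, distinguishing an exact email-and-password match (the credential was already public) from an email that merely appeared in an old breach with a different password (which says nothing about the new claim), and reports what fraction of the "new" dump is explained by old data.

```python
"""Triage a claimed credential dump against earlier breach corpora.

Added example with constructed data only: the emails, passwords and breach
records below are hypothetical placeholders, not real accounts.
"""
import hashlib
from collections import Counter

# Constructed sample "claimed dump", as an extortion group might hand a reporter.
CLAIMED_DUMP = [
    ("alice@example.com", "hunter2"),
    ("Bob@Example.com", "correcthorse"),   # mixed case: should still match
    ("carol@example.net", "p@ssw0rd!"),
    ("dave@example.org", "letmein"),       # email seen before, different password
    ("erin@example.com", "tr0ub4dor&3"),   # never seen in any known breach
]

# Constructed stand-ins for the earlier breaches named in the reporting.
KNOWN_BREACHES = {
    "lastfm_2012": [("alice@example.com", "hunter2"), ("frank@example.com", "qwerty")],
    "linkedin_2012": [("bob@example.com", "correcthorse"), ("dave@example.org", "changedlater")],
    "evony_2016": [("carol@example.net", "p@ssw0rd!")],
}


def normalize_email(email: str) -> str:
    """Email addresses are case-insensitive in practice; compare them lowercased."""
    return email.strip().lower()


def fingerprint(email: str, password: str) -> str:
    """Hash the normalized pair so the lookup table never holds plaintext passwords."""
    material = f"{normalize_email(email)}\x00{password}".encode()
    return hashlib.sha256(material).hexdigest()


def index_breaches(breaches):
    """Build two lookups: credential fingerprint -> sources, and email -> sources."""
    by_credential, by_email = {}, {}
    for source, records in breaches.items():
        for email, password in records:
            by_credential.setdefault(fingerprint(email, password), set()).add(source)
            by_email.setdefault(normalize_email(email), set()).add(source)
    return by_credential, by_email


def triage(claimed, breaches):
    """Classify each claimed credential as exact match, email-only match, or unseen."""
    by_credential, by_email = index_breaches(breaches)
    report = {"total": len(claimed), "exact_matches": 0, "email_only": 0,
              "unseen": 0, "sources": Counter()}
    for email, password in claimed:
        sources = by_credential.get(fingerprint(email, password))
        if sources:
            # Same email and password already leaked: nothing new was demonstrated.
            report["exact_matches"] += 1
            report["sources"].update(sources)
        elif normalize_email(email) in by_email:
            # Old email with a new password: neither proves nor disproves a fresh breach.
            report["email_only"] += 1
        else:
            report["unseen"] += 1
    report["recycled_fraction"] = (
        report["exact_matches"] / report["total"] if report["total"] else 0.0
    )
    return report


def verdict(report, threshold=0.5):
    """Summarize the report; the 50% threshold is an arbitrary choice for this example."""
    if report["total"] == 0:
        return "empty sample"
    if report["recycled_fraction"] >= threshold:
        return "mostly recycled from earlier breaches"
    return "contains material not explained by known breaches"


if __name__ == "__main__":
    result = triage(CLAIMED_DUMP, KNOWN_BREACHES)
    print(result)
    print(verdict(result))
```

The two-tier classification matters: an extortionist can pad a sample with addresses harvested from old dumps, so only the exact-credential matches count as evidence of recycling, and only the "unseen" remainder deserves the follow-up ZDNet did, contacting account owners to confirm the credentials. Real triage would run the same logic against full breach corpora (or a service that exposes them by hash) rather than the inline sample used here.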
ZDNet’s Zack Whittaker called the group “naive and inexperienced” based on his interactions with them. It wasn’t long before media outlets began calling the situation a hoax, with technology news network The Verge calling it “the leak that cried wolf.”
But Telang and Didier say that even if the supposed hackers have much less data than they claim, users should still be cautious as the April 7 deadline looms.
“This group has shared a list of 100 accounts, so we know they at least have some data, which provides them with a bit of credibility,” said Didier. “The problem is they’re claiming to have around 559 million accounts. Showing they have 100 accounts is nothing compared to the millions they claim to have—it raises the question of whether or not they actually do have that many.”
“They might still have access to a smaller (though still substantial) set of data,” Telang noted. “There is a good chance much of this data must be with old accounts.”
Both experts offer specific advice for securing one’s account.
“You should immediately change your password and enable two-factor authentication (otherwise known as 2FA)—not to be confused with two-step verification, which is very common with Apple,” Didier said. “This will destroy the hackers’ leverage because your account is not susceptible anymore.”
“Make sure you have a backup of the content on your iCloud account or, preferably, delete any sensitive information as a precaution,” Telang adds. He also suggests changing one’s passwords on non-Apple sites if one uses the same credentials on multiple sites.