Apple has fallen victim to extortionists. It’s a very strange story that began as a farce, but now it doesn’t look so clear-cut. A group of hackers calling themselves Turkish Crime Family initially claimed 559 million iCloud and Apple ID accounts were stolen – and demanded that Apple pay $75,000 in Bitcoin or Ethereum, or $100,000 in iTunes gift cards. The deadline was April 7. After that, the hackers will allegedly start "killing hostages," meaning resetting accounts to factory settings.
It looked pretty funny at first. It seems to be the first case of extortion of a computer company in which the attackers treat the user password database as a kind of "hostage." They even published a threatening video on YouTube of themselves logging into some old lady’s iCloud account.
On March 21, 2017, the hackers contacted Motherboard, showed their correspondence with Apple’s security department and gave access to the email account from which the correspondence was conducted. The correspondence dated from about 10 days earlier. The security officer asked the hackers for a sample of accounts to check. He also asked them to remove the YouTube video first so as not to make the conflict public, and warned that the company does not pay criminals for breaking the law and that a copy of their correspondence would be sent to law enforcement.
Apparently, after that the hackers stopped communicating with the security department and decided to go public after all. They probably contacted not only Motherboard but other media outlets as well. In fact, Computerworld also reported on Turkish Crime Family’s claims, with the hackers by then talking about 627 million iCloud accounts with passwords. Allegedly a friendly hacker group stepped in and provided its database. Accordingly, the ransom demand rose from $75,000 to $150,000 in Bitcoin or Ethereum.
An Apple spokesperson confirmed to Motherboard at the time that payment was out of the question, and that the list of email addresses with passwords was probably obtained from outside sources. There are a lot of different password databases floating around the Internet. Still, the number of passwords in the database is impressive: 627 million passwords are difficult to collect from third-party databases. In communication with Computerworld, the "Turkish" extortionists claimed that more than 220 million passwords had been verified and gave access to iCloud without two-factor authentication. The hackers said they verified many passwords using automated scripts and a large number of proxies to avoid Apple locking them out.
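The verification the group describes (credentials from leaked dumps replayed against a login endpoint through many proxies, each source kept below the lockout threshold) leaves a recognisable trace in authentication logs: a single client trying many different accounts with mostly failures, or the same client fingerprint spread thinly over many source addresses. The following is an added example of how a service operator could surface both patterns and pull out the accounts that need a forced reset; it is not code from the article or from Apple. The log format, field names, sample lines and thresholds are all constructed for illustration.

```python
"""Detect credential-stuffing patterns in authentication logs and list the accounts
that were successfully logged into from a flagged source.

Added example: log format, thresholds and sample data are constructed, not Apple's.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: timestamp, source IP, account, result, client fingerprint.
# 203.0.113.10 hammers many accounts; 198.51.100.x is one client spread over proxies
# (one attempt each); 192.0.2.55 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2017-03-21T10:00:01Z 203.0.113.10 alice@example.com FAIL ua=curl/7.52
2017-03-21T10:00:02Z 203.0.113.10 bob@example.com FAIL ua=curl/7.52
2017-03-21T10:00:03Z 203.0.113.10 carol@example.com OK ua=curl/7.52
2017-03-21T10:00:04Z 203.0.113.10 dave@example.com FAIL ua=curl/7.52
2017-03-21T10:00:05Z 203.0.113.10 erin@example.com FAIL ua=curl/7.52
2017-03-21T10:00:06Z 203.0.113.10 frank@example.com FAIL ua=curl/7.52
2017-03-21T10:00:07Z 198.51.100.7 gina@example.com FAIL ua=curl/7.52
2017-03-21T10:00:08Z 198.51.100.8 hank@example.com FAIL ua=curl/7.52
2017-03-21T10:00:09Z 198.51.100.9 ivan@example.com OK ua=curl/7.52
2017-03-21T10:00:10Z 198.51.100.10 judy@example.com FAIL ua=curl/7.52
2017-03-21T10:00:11Z 192.0.2.55 alice@example.com FAIL ua=Mozilla/5.0
2017-03-21T10:00:12Z 192.0.2.55 alice@example.com OK ua=Mozilla/5.0
"""


@dataclass(frozen=True)
class Attempt:
    ts: str
    ip: str
    account: str
    ok: bool
    client: str


def parse_log(text):
    """Parse the constructed whitespace-separated format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result, client = line.split()
        attempts.append(Attempt(ts, ip, account, result == "OK", client[len("ua="):]))
    return attempts


def noisy_sources(attempts, min_accounts=5, min_fail_ratio=0.6):
    """One source address trying many distinct accounts with a high failure rate:
    the pattern a stuffing script produces when it is not hiding behind proxies."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    flagged = {}
    for ip, rows in by_ip.items():
        accounts = {r.account for r in rows}
        fails = sum(1 for r in rows if not r.ok)
        ratio = fails / len(rows)
        if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {"accounts": len(accounts), "fail_ratio": round(ratio, 2)}
    return flagged


def distributed_campaigns(attempts, min_thin_ips=4, max_per_ip=2, min_account_ratio=0.8):
    """One client fingerprint spread over many source addresses, each making only a
    couple of attempts and almost every attempt against a different account: the
    low-and-slow shape of a proxy pool used to stay under per-IP lockout limits."""
    by_client = defaultdict(list)
    for a in attempts:
        by_client[a.client].append(a)
    campaigns = {}
    for client, rows in by_client.items():
        per_ip = defaultdict(int)
        for r in rows:
            per_ip[r.ip] += 1
        thin_ips = sum(1 for n in per_ip.values() if n <= max_per_ip)
        accounts = {r.account for r in rows}
        if thin_ips >= min_thin_ips and len(accounts) / len(rows) >= min_account_ratio:
            campaigns[client] = {"thin_ips": thin_ips, "accounts": len(accounts)}
    return campaigns


def compromised_accounts(attempts):
    """Accounts successfully logged into from a flagged source: candidates for a forced
    password reset and session revocation, independent of what the attacker claims."""
    bad_ips = set(noisy_sources(attempts))
    bad_clients = set(distributed_campaigns(attempts))
    return sorted({a.account for a in attempts
                   if a.ok and (a.ip in bad_ips or a.client in bad_clients)})


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("noisy sources:", noisy_sources(rows))
    print("distributed campaigns:", distributed_campaigns(rows))
    print("accounts to reset:", compromised_accounts(rows))
```

The per-IP rule alone would miss the proxy case entirely, since every proxied address makes a single attempt; grouping by a stable client fingerprint (user agent here, but TLS fingerprint or device token in a real deployment) is what makes the distributed pattern visible, and the ordinary user who mistyped once is not flagged by either rule.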
The story began rather amusingly, but the insolence and persistence of the extortionists are truly surprising. They act as confidently as if they really had such a database.
Further, the "Turkish" hackers told Computerworld that they were doing so in part to spread the word about Karim Baratov, a Canadian citizen facing a large prison sentence in the United States. U.S. authorities accuse him of breaking into Yahoo’s infrastructure and stealing the database of 500 million accounts at the request of two FSB officers (the hacking did take place, but Baratov’s involvement has yet to be proven in court).
At the same time, Apple officially stated in the media that there was no hacking and that it is not going to pay anything. If the hackers have any passwords, they came from accounts compromised at third-party sources.
On March 23, the group published a Pastebin statement in which they outlined the current situation and their intentions. The hackers said that no one had ever said anything about a hack, so Apple’s statement makes no sense. There really was no hacking, but that doesn’t change the claims of Turkish Crime Family. They say they’ve been collecting Apple accounts from various databases for five years. Now they allegedly have a database of 750 million accounts (the numbers keep growing – ed.), of which 250 million have been validated, and the scanning continues. The hackers say they re-scanned the database with the first letter of each password changed to uppercase, which significantly increased the share of valid passwords compared to the first scan.
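The re-scan with capitalised first letters works because a user who reuses a leaked password often applies exactly that kind of trivial tweak, and a breached-password check that compares the exact string misses it. The following is an added example (not from the article, and not Apple's mechanism) of a service-side check that canonicalises case before comparing against a leaked-credential index, so that "Password1" is rejected when the dump only holds "password1". The leaked list and the account/password pairs are constructed for illustration.

```python
"""Variant-aware check of candidate passwords against a leaked-credential index.

Added example; the leaked list and sample accounts are constructed, not real data.
"""
import hashlib

# Constructed stand-in for a third-party credential dump.
LEAKED_PASSWORDS = ["password1", "letmein", "Summer2016", "qwerty123"]


def canonical(password):
    """Collapse the trivial variants an attacker would try on a re-scan. Lowercasing
    covers both the original and its first-letter-uppercase form; extend here for any
    other cheap mutation you want the check to catch."""
    return password.lower()


def build_index(leaked):
    """Store only a hash of the canonical form, so the index holds no plaintext."""
    return {hashlib.sha256(canonical(p).encode()).hexdigest() for p in leaked}


def is_known_leaked(password, index):
    """True if the password, or a case variant of it, appears in the leaked index."""
    return hashlib.sha256(canonical(password).encode()).hexdigest() in index


def accounts_needing_reset(pairs, index):
    """Given (account, password) pairs seen at login or password change, return the
    accounts whose password matches a leaked one under canonicalisation, so they can
    be forced to choose a new password rather than waiting for an attacker's reset."""
    return sorted(account for account, pw in pairs if is_known_leaked(pw, index))


if __name__ == "__main__":
    index = build_index(LEAKED_PASSWORDS)
    sample = [("alice@example.com", "Password1"),    # capitalised variant of a leak
              ("bob@example.com", "summer2016"),     # lowercased variant of a leak
              ("carol@example.com", "Password1!")]   # not in the dump
    print(accounts_needing_reset(sample, index))
```

An exact-match check would pass alice and bob through unchanged; the canonical form catches both, which is the defensive mirror of the "uppercase the first letter" re-scan the group describes.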
In a statement, Turkish Crime Family warned that starting April 7, 2017, their scripts will start resetting 150 accounts per minute per script to factory settings. Right now, the hackers’ server allows 17 scripts to run, so each server will be deleting 2,550 users every minute. With 250 servers, that means 637,500 accounts per minute or 38,250,000 accounts per hour.
Hackers keep mentioning older users. They probably hint that many Apple users won’t be able to change their passwords and protect themselves from intruders until April 7.
Meanwhile, ZDNet journalists got their hands on 54 accounts allegedly from the iCloud account database – and they all turned out to be valid. Journalists were able to contact the owners of 10 of the 54 accounts. They confirmed the passwords were correct and changed them. All of them are residents of the United Kingdom. All of them also said they had never changed their iCloud passwords since opening their accounts. Many used the same password on different services, although three said they had a unique password on iCloud (probably lying – ed.).
Of course, that doesn’t tell us much. Maybe the hackers don’t have anything else at all except those 54 passwords. Plus, those were some pretty old accounts: @icloud.com, as well as the very ancient @me.com and @mac.com.
Either way, Apple has several options for protecting its users from a mass reset of accounts to factory settings.