The attack appears to work by compromising iCloud accounts associated with the disabled devices, according to an Apple support forum discussion that started Sunday morning and quickly accumulated several hundred posts. Commandeered devices typically emit a loud tone that's associated with a feature that helps users locate lost or stolen devices. iPhones and iPads also display the message: "Device hacked by Oleg Pliss. For unlock device, you need send voucher code by 100 usd/eur (Moneypack/Ukash/PaySafeCard) to email:lock404@hotmail.com for unlock." In some cases—specifically, when a user hasn't assigned a strong passcode to a locked device—it can only be unlocked by performing a factory reset, which completely wipes all previously stored data and apps. The mass compromise is a variation on so-called ransomware scams, which initially targeted Windows PC users and earlier this month was found targeting smartphone users running Google's Android OS.
The forum accounts provide strong evidence that victims' Apple IDs and passwords have been compromised so that attackers can remotely lock connected devices using Apple's Find My iPhone service. But so far it remains unclear exactly how the attackers are compromising the iCloud accounts. While it's possible the hijackers used phishing attacks or hacked password databases to obtain the credentials, those explanations are undermined by the observation that the vast majority of victims were located in Australia and reported using a variety of e-mail providers. Typically, phishing campaigns and database compromises involving multiple providers affect users from more geographic regions.
DNS poisoning?
GOOGLE, MICROSOFT, PAYPAL, OTHER ROMANIAN SITES HIJACKED BY DNS HACKERS
Incident is one of several DNS hacks to strike in recent weeks.
One participant in the online discussion theorized the mass compromise may have been the result of hacking domain name system (DNS) servers used by Australian service providers to translate human readable addresses such as Apple.com into the IP addresses Internet routers rely on. Such an attack, which has yet to be confirmed in this case, works by "poisoning" the lookup tables of DNS servers so they secretly direct people to impostor sites. Assuming this technique was at play in the iPhone and iPad locking, affected users who entered a password on what appeared to be Apple's site could have unknowingly provided it to the people behind the attack.