Wednesday, 19 October 2016

InfoSec: The Recent iMessage Hack (the 'Chinese Spam' Hack)

I've seen an increasing number of recent reports of Apple users' accounts being compromised and have good reason to suspect these attacks are connected to a major data breach dating back to 2013. This article is a quick write-up of my findings since I plan to distribute this explanation to all of the relevant forum threads (saves me writing it up each time!).

The Attack


In all cases, victims receive an e-mail from Apple notifying them that their Apple ID has been used to sign in to iMessage from a device that has never previously been associated with the account. This e-mail is genuine and, contrary to first impression, is not a cheap phishing attempt: it is the notification Apple sends after a successful sign-in from a new device, which is exactly what has happened. Following this unauthorised access, the attackers send multiple (potentially hundreds of) messages from the victim's account. Because of Apple's messaging fallback (if an iMessage can't be delivered, it is sent as an SMS instead), this can run up a substantial amount of phone charges, since in all cases the messages have been sent to international recipients.



How


A good friend of mine fell victim to this attack but isn't someone who'd typically fall for a phishing attempt, or install some dodgy malware. Checking various leaked source sites, I could see that her e-mail had been included in the infamous MySpace database breach back from 2013 (but nowhere else). The DB from this leak had been put up for sale earlier this year, which explains the time gap.

I verified that both her e-mail and the password that appeared in the MySpace DB did in fact match the credentials used for her iMessage account, and verified the same for a second victim I'd spoken to.

How to Defend Against it


First things first, change your Apple ID password now, make it one you use nowhere else, and change it again if you ever suspect it has leaked. You also have no reason not to use two-factor authentication if it is available to you. If you are still using a password that dates back to 2013 or earlier, and especially if you reused it on MySpace or any other site that has since been breached, assume it is already sitting in an attacker's wordlist.

If, out of curiosity, you want to see if your credentials appeared in this DB (and many others), you can use LeakedSource and run a search on your e-mail address.

MySpace stored everybody's password hashed with SHA-1, with no salt! They took the first 10 characters of your password, converted them to lower case, and hashed that. SHA-1 itself has not been broken in a way that lets you recover a password from its hash, but it is a very fast hash, and without a salt an attacker only needs to hash each dictionary word once and compare the result against every account in the database at the same time. Truncating to 10 characters and lower-casing shrinks the search space further still. So if your password is a typical 'word123' type format, it's trivial to run it by a dictionary - which is what I believe the hackers in this case did (judging by the 2 passwords I've seen). So use a longer, more complex password with a healthy mix of non-alphanumeric characters, and don't reuse it.
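To make that concrete, here is an added example (my own code, not anything from MySpace, LeakedSource or the attackers) that reproduces the storage scheme described above against a constructed handful of accounts, runs a small 'word123'-style dictionary over them, and then does the same against a salted, untruncated variant for comparison. The e-mail addresses, passwords, wordlist and salts are all made up for the example.

```python
import hashlib
import os


def myspace_hash(password: str) -> str:
    """Reproduce the scheme described above: keep only the first 10 characters,
    lower-case them, and store a single unsalted SHA-1 hex digest."""
    return hashlib.sha1(password[:10].lower().encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Contrast case: a per-account salt over the full, case-preserving password.
    Still SHA-1, so still fast; a real design would use bcrypt, scrypt or Argon2."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


# Constructed sample data: these accounts and passwords are made up for this example.
PLAINTEXTS = {
    "alice@example.com": "Summer2013",
    "bob@example.com":   "PASSWORD123!",   # stored as sha1("password12") under the MySpace scheme
    "carol@example.com": "football1",
    "dave@example.com":  "xK9#pQ2!vL7m",   # random; not in any wordlist
}
LEAKED_MYSPACE_STYLE = {e: myspace_hash(p) for e, p in PLAINTEXTS.items()}
SALTS = {e: os.urandom(8) for e in PLAINTEXTS}            # made-up per-account salts
LEAKED_SALTED = {e: (SALTS[e], salted_hash(p, SALTS[e])) for e, p in PLAINTEXTS.items()}

# A tiny 'word123'-style dictionary: base words combined with common suffixes.
WORDS = ["password", "summer", "football", "letmein", "qwerty"]
SUFFIXES = ["", "1", "12", "123", "2013", "!"]


def candidates():
    for w in WORDS:
        for s in SUFFIXES:
            yield w + s


def crack_unsalted(leaked):
    """No salt: hash each candidate ONCE and look it up against every account.
    Returns (recovered {email: candidate}, number of hash computations)."""
    by_hash = {}
    for email, h in leaked.items():
        by_hash.setdefault(h, []).append(email)
    recovered, work = {}, 0
    for cand in candidates():
        work += 1
        for email in by_hash.get(myspace_hash(cand), []):
            # What we learn is only the lower-cased 10-character prefix; keep the
            # first candidate that hits rather than any longer one mapping to it.
            recovered.setdefault(email, cand)
    return recovered, work


def crack_salted(leaked):
    """Per-account salt: every candidate must be re-hashed for every account,
    so the cost scales with the number of accounts, not just the wordlist."""
    recovered, work = {}, 0
    for email, (salt, h) in leaked.items():
        for cand in candidates():
            work += 1
            if salted_hash(cand, salt) == h:
                recovered[email] = cand
    return recovered, work


if __name__ == "__main__":
    # Truncation plus lower-casing means unrelated passwords share a stored hash.
    print("PASSWORD123! and password12 collide:",
          myspace_hash("PASSWORD123!") == myspace_hash("password12"))
    rec, work = crack_unsalted(LEAKED_MYSPACE_STYLE)
    print(f"unsalted/truncated: recovered {rec} with {work} hash computations")
    rec2, work2 = crack_salted(LEAKED_SALTED)
    print(f"salted/full:        recovered {rec2} with {work2} hash computations")
```

Two things to notice when it runs: with the MySpace-style scheme the 30-word dictionary recovers three of the four accounts for 30 hash computations in total, because one hash per candidate serves every account at once and the truncation and lower-casing quietly fold "PASSWORD123!" and "Summer2013" into plain dictionary words. With a salt and the full password the same dictionary costs 120 computations (every candidate for every account) and only finds the one password that really is a bare dictionary entry.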

This MySpace DB is now available to download. https://myspace.thecthulhu.com/ Please check your local law prior to downloading and interrogating this database.

Caveat


In both (totally independent) cases, what I've said above stands true - the credentials matched those in the MySpace leak. It's pretty impossible for me to say if these attackers have access to other leaked data sources or means of obtaining passwords - this is just my best, most informed guess. I'd be very interested to hear if I'm wrong on this, leave any further info in the comments.

1 comment:

  1. I was hacked yesterday and I have never had a MySpace account.
