A lot of people love to play poker for the thrill and entertainment of sheer luck. For some, however, it’s more of a game of skill. One where you can discern the intent of your competitors by reading their faces and tics and betting on whether they have the cards they say they do. It can be fun and challenging for those who reach that level of play. Some cybercriminals, however, are playing poker with Apple, or more specifically, with iCloud. And it appears the company is calling their bluff.
The Turkish Crime Family, a cybercriminal group claiming it acquired a trove of iCloud account details, is demanding Apple surrender the equivalent of $75,000 USD in Bitcoin or $100,000 in iTunes gift cards by April 7th or they will begin remotely wiping consumer iPhones. This is theoretically possible because iCloud's Find My iPhone feature, meant for lost or stolen devices, lets anyone who can log in to an account erase that account's devices remotely. Sounds a little scary, but there are a few signs suggesting that this group isn't as threatening as they'd like to appear. In fact, it appears they're just making things up as they go along.
The first clue is that the cybercriminals are inconsistent about the size of their own breach. According to Motherboard, which broke the story, the figure ranges from 250 million iCloud and .me accounts to 300 million to as many as 550 million, depending on when you ask. The second clue is the ransom. Depending on which member of the group is talking, it ranges from $75,000 to $700,000 in Bitcoin, both of which are pretty small given the apparent size(s) of the supposed breach.
Both of these clues are strong indicators that the Turkish Crime Family doesn't measure up to its own claims. But it doesn't mean users aren't at risk. It's possible these cybercriminals do have working logins for thousands, if not millions, of Apple accounts. How? It's simple: they took username and password pairs stolen in other massive breaches and tried them against iCloud. Basically, they're using other cybercriminals' work to extort their own ransom.
This method, in which crooks take credentials leaked in earlier breaches and replay them automatically against other services, is known as a "credential-stuffing" attack. It's fairly common, and it works because so many people reuse the same email address and password across accounts: a password stolen from one site is then a valid password everywhere else it was reused. The attacker doesn't break anything; they just log in.
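What credential stuffing looks like from the defender's side, as an added example that is not part of the original article: a script that parses authentication log lines and flags a source that is trying many different usernames in a short window with mostly failures. The log format, the field names, the thresholds and the sample lines below are all constructed for this illustration and are not Apple's or any real service's logs or detection logic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). One source IP sprays eight
# different accounts in a few seconds and gets one hit; a normal user
# mistypes once and then logs in to the same account.
SAMPLE_LOG = """\
2017-03-22T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2017-03-22T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2017-03-22T10:00:02Z ip=203.0.113.7 user=carol@example.com result=OK
2017-03-22T10:00:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2017-03-22T10:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2017-03-22T10:00:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2017-03-22T10:00:04Z ip=203.0.113.7 user=grace@example.com result=FAIL
2017-03-22T10:00:05Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2017-03-22T10:01:10Z ip=198.51.100.20 user=ivan@example.com result=FAIL
2017-03-22T10:01:25Z ip=198.51.100.20 user=ivan@example.com result=OK
"""

# Assumed (hypothetical) log line layout for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["result"] == "OK"


def find_stuffing_sources(text, min_distinct_users=5, min_fail_ratio=0.5, max_window_s=300):
    """Return {ip: stats} for sources whose pattern looks like credential stuffing.

    Heuristic (an assumption of this example): within a short window, one IP
    tries many *distinct* usernames and most attempts fail. A legitimate user
    retrying their own account touches one username, so it is not flagged.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0,
                                  "first": None, "last": None, "hits": []})
    for ts, ip, user, ok in parse_log(text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["hits"].append(user)
        else:
            s["failures"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)

    flagged = {}
    for ip, s in per_ip.items():
        span = (s["last"] - s["first"]).total_seconds()
        fail_ratio = s["failures"] / s["attempts"]
        if (len(s["users"]) >= min_distinct_users
                and fail_ratio >= min_fail_ratio
                and span <= max_window_s):
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "failures": s["failures"],
                "fail_ratio": fail_ratio,
                "window_s": span,
                # Accounts that *succeeded* from a stuffing source are the ones
                # whose reused password is now known to the attacker; reset those first.
                "compromised": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

Run against the sample, the spraying source is flagged with carol@example.com listed as the account whose reused password worked; the single-account retry is not. In practice the ratio of distinct usernames to attempts is the signal, not failures alone: a stuffing run with a good password list can have a success rate that looks unremarkable per attempt while still touching thousands of accounts.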
So how can you secure yourself from a credential-stuffing attack? For starters, use unique usernames and passwords (at least eight characters long, and longer is better, using upper- and lower-case letters, numbers and symbols) for every account you create. A password that is used in exactly one place cannot be stuffed anywhere else. Beyond that, here are a few more tips that will help you lock down your accounts.
- Regularly change your important passwords. We all have accounts that are more important to us than others. Apple iCloud accounts and Google Gmail are two examples. When you have an important account, you need to remember to regularly change the account password to head off any credential-stuffing threats. We recommend you change these passwords every six months, and change them immediately if a service you use announces a breach.
- Set up multi-factor authentication. Multi-factor authentication is a technique that drastically improves your security posture. It does so by requiring users to both provide something they know (like a password) and prove they have a trusted device (like a smartphone) in their possession. Against credential stuffing it is the single most effective control, because a reused password alone no longer gets the attacker in. Multi-factor isn't foolproof, but it does make it extremely difficult for even the most competent cybercriminal to compromise accounts. Apple offers two-factor authentication for Apple ID, and most major email and social services have an equivalent; check your applications and services to see if multi-factor authentication options are available.
- Use a password manager. Password managers do three things: first, they generate long, random passwords for you to use; second, they store those passwords so you don't have to remember them; third, they securely sync between your devices so you can have your passwords when and where you need them. The practical effect is that every account gets its own password, so a breach at one site gives an attacker nothing to try at the next.
- Ignore suspicious phone calls and emails. One unfortunate side effect of breaches like this is that other scammers try to take advantage of the fear and uncertainty surrounding the situation. Most of these scammers do so by making spam phone calls to potential victims and demanding a fee to "fix" whatever has gone wrong. Never fall for this trap. Apple and other major companies will not call your phone out of the blue about a breach. If you're uncertain, hang up and wait until the company issues a statement on its own website or in a reputable news source.