Apple Technician/Security Researcher
November 27, 2016
Ransomware Made Easy
Stealing for the social engineer
Mac’s get viruses. There, I said it. It’s true. Malware, adware, viruses, ransomware, the whole kitchen sink is available to Apple devices. I see it all day, every day. There is your first debunked myth.
Recently, I saw a case of what I believe to be the easiest, most simplistic form of ransomware possible, but before we jump into ransomware, I’ll quickly breakdown what ransomware is. Ransomware, which similarly to most security issues is most common on PCs, but is 100% possible on an Apple machine. Ransomware, at its core, is hijacking a person’s computer, encrypting the data, then requiring that person to pay the hacker a specified amount of money to get the encryption key (a code or password) to decrypt the data. This seems like a difficult task from a hacker’s perspective, to hack into someone else’s computer, encrypt all of their data, contact that person to ask for payment, receive payment, then provide a passcode to decrypt the information. And you know what, it is. It is extremely difficult, which is why it is so rare.
It wasn’t until March 6, 2016, when Palo Alto Networks revealed their findings of Apple’s first-known ransomware, titled KeRanger. It was quickly picked up by many of the large security companies, some of which include the aforementioned Palo Alto Networks, Malwarebytes, Kaspersky, Sophos, and others.
This brings me to my main objective of this paper - to explain a much more simple way to either create ransomware or infect another’s machine with ransomware.
iCloud is so beneficial in so many different ways, but for this paper, we’ll refer to it in its computer form. iCloud helps you backup your data wirelessly, sync documents and contacts across different Apple devices, and one of the most notable iCloud features, FindMyMac.
FindMyMac allows you to geolocate your computer if it is stolen, ping it if it is lost, and PIN-lock the machine to keep any information from being stolen from a thief. One sub-feature of PIN-locking your machine is the ability to put a message across the display. That message could easily read, “Please send (insert money amount) of (US Dollar, Euro, Bitcoin) to (email address).”
Fortunately, a PIN-lock isn’t the worst thing that could happen. It is possible to maneuver around a PIN code, however, for this you will need to extract your hard drive, and mount the drive to a different system (assuming that you do not have FileVault/disk encryption enabled) to access your data.
This feature, FindMyMac, could potentially allow a hacker to lock your computer, and require you to send money to the hacker in order to unlock your computer via the PIN code that the hacker created. The only thing the hacker needs to do is to get into your iCloud account. It should be hard, right? I mean, come on, it’s Apple! It’s actually easier than you think. Let’s start hacking.
I’ll take on the role of the hacker:
First item I would need to hack an iCloud account is a person’s email, which surprisingly enough, is actually the most difficult piece of the puzzle. Luckily for me, the hacker, many people post their email to their Facebook page, so all I would have to do is be Facebook friends. If not, there are many different avenues to acquire it - Twitter, LinkedIn, Google, etc. For the sake of argument, let’s say that this person didn’t post their email to their profile, how would I find it?
Most people keep their email address simple, memorable, and from a reputable provider. The easiest four emails a person will have is the following: email@example.com, firstname.lastname@example.org, email@example.com, and finally firstname.lastname@example.org. How many people can attest to this?
So I go to the Apple ID website, and click Forgot Password, even though I don’t know the email yet. If I enter an email that doesn’t exist, Apple is kind enough to share that with me. With the process of elimination, you can typically lock in someone’s Apple ID/iCloud email relatively quickly. Once Apple tells me I have an existing email, it allows me two options - to either email me a password reset link OR answer the security questions. Again, enter social media.
Apple offers a selection of security questions and does not allow you to create your own. Some of these questions include What is your mother’s maiden name, what was the name of your first pet, and what was the name of your best friend in high school. You would think that with specific questions like these, it would be hard to gather those answers. Well let’s take a stab at them.
What is your mothers maiden name - quite possibly the easiest question to answer. I would find the person I’m hacking’s Facebook page, then in turn, find their mother’s Facebook page. Is your mother like mine - has her name as FirstName MaidenName LastName on Facebook? There’s answer number one.
Questions two and three are nearly as simple if you use someone’s photographs. Most often, people have photos of their best friend or pet, and sometimes, the pictures go back many years. In those pictures are your answers to the other questions. I get these answers, I’m in the victims iCloud account. Once I’m in the person’s iCloud account, I can do a multitude of destructive tasks - I can change their password, find their contacts list, notes, sometimes photos, AND last but definitely not least, PIN-lock their machine and demand money for the PIN code.
When most people hear the word hacker, they think, “It won’t happen to me,” and to be honest, a deliberate attempt to steal your information are relatively small odds. However, no one is immune. In the recent years, we have seen multiple celebrities get their iCloud accounts hacked. We saw a Presidential candidate’s email get hacked, as well as the email of the entire Democratic National Committee. Let’s not forget some of the biggest hacks of all time, including HBGary, Sony, Yahoo, AshleyMadison, Stuxnet, the Department of Defense, and on and on. I’m not saying you will get hacked, I’m simply saying you could.
So now that you’re likely thoroughly creeped out, as well you should be, you may be wondering how you prevent something like this. There are a few easy steps to take to make this brutally difficult, if not impossible for an impending “hacker.” The first steps is called Two-step Authentication. This means that to reset your password, you have to first enter a code that you receive on directly to your cell number. Not only will this deter someone from trying to hack your account, if they try to reset you password, it will indeed alert your cell phone. Two-Step Authentication makes it much more difficult to access a person’s iCloud account, and taking the time to set up Two-Step Authentication will help you avoid a potentially devastating situation.
The second step is choosing hard to guess security questions. Don’t pick questions that are simple to guess. Try to be unique or original with the answer, and don’t pick the questions that are easiest to remember. Although your answer may be difficult to remember, that probably means its a little tougher for someone else to guess, which is what cracking iCloud boils down to - educate guessing with social media clues.
Finally, pick a password that isn’t easy and try to change it periodically. Avoid using simply numbers like your birthday/birth year. Try to make it a tough password that only you could guess. If the thought of, “I don’t need to write this down,” doesn’t cross your mind, you should probably aim for a more difficult password.
My best recommendation is to log on to your Apple ID at appleid.apple.com, and turn On Two-Step Authentication. While you're at it, update your security questions, possibly change your password, and keep your information safe.
Good luck, and safe browsing.