This is a weird story, and I’m skeptical of some of the details. Presumably Apple has decided that it’s smarter to spend the money on secure backups and other security measures than to pay the ransom. But we’ll see how this unfolds.
Entries Tagged "extortion"
This is a harrowing story of a scam artist that convinced a mother that her daughter had been kidnapped. More stories are here. It’s unclear if these virtual kidnappers use data about their victims, or just call people at random and hope to get lucky. Still, it’s a new criminal use of smartphones and ubiquitous information.
Reminds me of the scammers who call low-wage workers at retail establishments late at night and convince them to do outlandish and occasionally dangerous things.
A drug dealer claims that the police leaned him over an 18th floor balcony and threatened to kill him if he didn’t give up his password. One of the policemen involved corroborates this story.
This is what’s known as “rubber-hose cryptanalysis,” well-described in this xkcd cartoon.
If you allow players in an online world to penalize each other, you open the door to extortion:
One of the features that supported user socialization in the game was the ability to declare that another user was a trusted friend. The feature involved a graphical display that showed the faces of users who had declared you trustworthy outlined in green, attached in a hub-and-spoke pattern to your face in the center.
That feature was fine as far as it went, but unlike other social networks, The Sims Online allowed users to declare other users untrustworthy too. The face of an untrustworthy user appeared circled in bright red among all the trustworthy faces in a user’s hub.
It didn’t take long for a group calling itself the Sims Mafia to figure out how to use this mechanic to shake down new users when they arrived in the game. The dialog would go something like this:
“Hi! I see from your hub that you’re new to the area. Give me all your Simoleans or my friends and I will make it impossible to rent a house.”
“What are you talking about?”
“I’m a member of the Sims Mafia, and we will all mark you as untrustworthy, turning your hub solid red (with no more room for green), and no one will play with you. You have five minutes to comply. If you think I’m kidding, look at your hub – three of us have already marked you red. Don’t worry, we’ll turn it green when you pay…”
If you think this is a fun game, think again – a typical response to this shakedown was for the user to decide that the game wasn’t worth $10 a month. Playing dollhouse doesn’t usually involve gangsters.
EDITED TO ADD (12/12): SIM Mafia existed in 2004.
This is bad:
On Thursday, April 30, the secure site for the Virginia Prescription Monitoring Program (PMP) was replaced with a $US10M ransom demand:
“I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password.”
Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. They deleted records on more than 8 million patients and replaced the site’s homepage with a ransom note demanding $10 million for the return of the records, according to a posting on Wikileaks.org, an online clearinghouse for leaked documents.
Whitley Ryals said the state discovered the intrusion on April 30, after which time it shut down Web site access to dozens of pages serving the Department of Health Professions. The state also has temporarily discontinued e-mail to and from the department pending the outcome of a security audit, Whitley Ryals said.
More. This doesn’t seem like a professional extortion/ransom demand, but still….
Also Tuesday, the Senate voted to create a registry of cell phone owners to combat kidnappings and extortions in which gangs often use untraceable mobile phones to make ransom demands.
Telecoms would be required to ask purchasers of cell phones or phone memory chips for their names, addresses and fingerprints, and to turn that information over to investigators if requested.
At present, unregulated vendors sell phones and chips for cash from streetside stands. It is unclear how such vendors would be made to comply with the new law.
How easy is it to steal a cell phone? I’m generally not impressed with security measures, especially expensive ones, that merely result in the bad guys changing their tactics.