iCloud users in China under attack. But who could be after their passwords?

Earlier this week, an organisation that monitors internet censorship in China reported what appears to have been a concerted effort to steal the login credentials of Apple iCloud users.

According to a report published by Greatfire, a man-in-the-middle (MITM) attack was being conducted against Apple customers in China, intercepting attempts to visit the iCloud.com website.

Users running any modern browser should see an invalid-certificate warning when visiting icloud.com, because the certificate presented by the interceptor is not issued by a certificate authority the browser trusts. The danger is that some people click through the warning and carry on regardless.

If successful, the attack could have resulted in unauthorised parties accessing any data stored on iCloud by victims, such as iMessages, address books and photographs.

iCloud warning

“What should users do to counteract this attack? Internet users in China should first use a trusted browser on their desktops and mobile devices – Firefox and Chrome will both prevent users from accessing iCloud.com when they are trying to access a site that is suffering from a MITM attack”

Greatfire noted that the attack was “nationwide” and coincided with the launch of the newest iPhone in China.

The obvious question is – who is behind the attack?

In Greatfire’s view, the answer was obvious: the Chinese authorities. However, it offered no evidence linking the Beijing government to what seems to have been a rather crude attempt to steal usernames and passwords.

Furthermore, the claim has been robustly denied by China:

“China is resolutely opposed to hacker attacks in all forms and China itself is a major victim of cyber attacks.”

So, was it the Chinese or not? Frankly, it’s very difficult to say with complete certainty.

Although there is no doubt that many would consider China to be the most likely beneficiary of snooping on iCloud users in the country (especially with the current pro-democracy protests taking place on the streets of Hong Kong), it is also clear that common criminals – in China or other countries around the world – would equally relish snaffling up such data.

Apple has since published an advisory for customers, warning that it is aware of “intermittent organised network attacks” on its iCloud service, and offering advice on how users can protect themselves.

The Cupertino-based technology company was at pains to underline that it was not its own servers that had been hacked (which will be a relief to Jennifer Lawrence I’m sure) and that not all users were at risk:

These attacks don’t compromise iCloud servers, and they don’t impact iCloud sign in on iOS devices or Macs running OS X Yosemite using the Safari browser.

The advisory from Apple, whose CEO Tim Cook met up with Chinese Vice Premier Ma Kai this week to discuss the protection of user data, explains how to make sure that you are accessing the authentic site when using Safari, Firefox or Chrome.
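To make that check concrete, here is an added example of my own (not code from the article, from Greatfire or from Apple) that does what the browser does when it throws up its warning: it connects to icloud.com with the system trust store and hostname checking enabled, and, if verification fails, classifies the failure by the OpenSSL error text so you can tell a self-signed interception certificate from an expired one. The certificate dictionaries embedded in it are constructed samples in the shape Python’s `getpeercert()` returns; the issuer names in them are made up and say nothing about Apple’s real certificate chain. The live `check_tls()` call needs network access; the helper functions run offline.

```python
import socket
import ssl

TARGET_HOST = "icloud.com"

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns after a
# successful verification. Issuer and organisation names are made up.
SAMPLE_VERIFIED_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Inc"),),
                (("commonName", "icloud.com"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA G2"),)),
    "subjectAltName": (("DNS", "icloud.com"), ("DNS", "www.icloud.com")),
    "notAfter": "Jan  1 00:00:00 2016 GMT",
}

# Constructed sample of what a crude interception proxy presents: a certificate
# that names the host but was signed by itself, so no browser trusts it.
SAMPLE_SELF_SIGNED_CERT = {
    "subject": ((("commonName", "icloud.com"),),),
    "issuer": ((("commonName", "icloud.com"),),),
    "subjectAltName": (("DNS", "icloud.com"),),
}


def _name_to_dict(name):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {k: v for rdn in name for (k, v) in rdn}


def _hostname_matches(pattern, hostname):
    """Exact match, or a single-label wildcard match the way browsers apply it."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def summarize_cert(cert, hostname=TARGET_HOST):
    """Report who issued the certificate and whether it names the host we asked for."""
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "subject_cn": subject.get("commonName"),
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "self_signed": subject == issuer,
        "names_host": any(_hostname_matches(p, hostname) for p in sans),
        "sans": sans,
    }


def classify_failure(error_text):
    """Map an OpenSSL verification error string to its likely cause."""
    t = error_text.lower()
    if "self signed" in t or "self-signed" in t:
        return "self_signed"        # the interceptor minted its own certificate
    if "unable to get local issuer" in t or "unable to get issuer" in t:
        return "untrusted_issuer"   # chains to a CA this client does not trust
    if "hostname mismatch" in t or "doesn't match" in t:
        return "hostname_mismatch"  # valid certificate, but for another site
    return "other"                  # expired, revoked, and so on


def check_tls(hostname=TARGET_HOST, port=443, timeout=5.0):
    """Connect as a browser would (system trust store, hostname check on) and
    return a verdict. Requires network access."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return {"verified": True,
                        "cert": summarize_cert(tls.getpeercert(), hostname)}
    except ssl.SSLCertVerificationError as exc:
        return {"verified": False,
                "cause": classify_failure(str(exc)),
                "error": str(exc)}


if __name__ == "__main__":
    import json
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else TARGET_HOST
    print(json.dumps(check_tls(host), indent=2))
```

Run it from the network you are worried about (`python3 check_tls.py icloud.com`, with the filename being your own choice); a `"cause": "self_signed"` verdict is the same condition that makes Firefox and Chrome refuse the page, and the `issuer` field of a verified result is what to compare against what you see from an uncensored network.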

However, I would go further than checking for the padlock in the browser’s address bar and confirming that the connection is secured. I would also advise enabling two-step verification on your iCloud account.

Apple 2FA

The great thing about two-step verification (also commonly known as two-factor authentication, or 2FA) is that it can help protect your data even if your password is stolen by a criminal. Bear in mind, though, that an attacker sitting in the middle of a live session can prompt for and relay a one-time code as well, so two-step verification raises the bar rather than removing it; the single most important defence remains refusing to proceed past a certificate warning.

Furthermore, connecting to the internet through a VPN whose exit point is outside China is not a bad idea at all. The attack described by Greatfire intercepts connections to iCloud made from within China, presenting a bogus login page before passing the victim on to the real site. Traffic tunnelled through a VPN is already encrypted as it crosses the interception point, so the interceptor cannot substitute its own certificate, and your iCloud connection is made from wherever the VPN exits. If your connection no longer appears to come from China, you take yourself out of the equation.

Author Graham Cluley, We Live Security


Copyright © 2016 ESET, All Rights Reserved.