iCloud scammers send fake Apple emails and texts to iPhone owners
Security experts have discovered emails and texts (scam message pictured) pretending to be from Apple, warning users about unauthorised access to their accounts
In the wake of claims an Apple iCloud flaw may have been to blame for leaked celebrity photos, scammers have jumped at the chance to use the reports to their advantage.
Security experts have discovered emails and text messages purporting to be from Apple, warning users about unauthorised access to their accounts.
These so-called phishing emails are designed to trick people into entering their Apple ID and password details in a fake login screen.
The scammers are then able to steal these login credentials to get access to the user's iCloud, which also provides access to their iTunes account and personal details.
'Whether or not iCloud was the point of compromise in this incident, scammers have been interested in stealing these credentials for some time,' explained Satnam Narang from security firm Symantec.
'These emails contain links to phishing websites that will capture your Apple ID credentials and send them back to the attackers.
'In addition to email scams, some users may be the recipients of a text message claiming to be from Apple Protection or another privacy or security group within Apple.
'The text claims that an unauthorised attempt to sign in to the user's iCloud account was detected and they need to respond back with their Apple ID and password or have their account locked out.'
This type of scam is what's known as SMSishing, or SMS/text phishing.
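The following Python is an added example, not code from the article or from Symantec: it checks a constructed message for the three tells described above, a sender posing as Apple from a non-Apple domain, a lockout threat paired with a request for the Apple ID and password, and a login link whose visible text does not match where it actually points. The list of legitimate Apple domains and both sample messages are assumptions constructed for the demo.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of domains that legitimate Apple account mail and links use.
LEGITIMATE_DOMAINS = {"apple.com", "icloud.com"}

# Constructed sample in the style the article describes (not a real message).
PHISH = """\
From: Apple Support <security@appleid-verify.example>
Subject: Unauthorised access to your Apple ID
Content-Type: text/html

<html><body>
<p>We detected an unauthorised sign-in to your iCloud account.</p>
<p>Confirm your Apple ID and password within 24 hours or your account will be locked.</p>
<p><a href="http://appleid-verify.example/login">https://appleid.apple.com/</a></p>
</body></html>
"""

# Constructed benign notification for comparison.
BENIGN = """\
From: Apple <noreply@apple.com>
Subject: Your Apple ID was used to sign in
Content-Type: text/html

<html><body>
<p>Your Apple ID was used to sign in on a new device. If this was you, ignore this message.</p>
<p><a href="https://appleid.apple.com/">https://appleid.apple.com/</a></p>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude registrable domain (last two labels); adequate for these checks."""
    return ".".join((host or "").lower().split(".")[-2:])

def host_of(text):
    """Hostname of a URL-looking string, adding a scheme if the text lacks one."""
    return urlparse(text if "://" in text else "http://" + text).hostname

def phishing_indicators(raw):
    """Return the list of indicators found in a raw message; an empty list means none."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    display, addr = email.utils.parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1]
    # 1. Display name claims Apple while the sending domain is not Apple's.
    if "apple" in display.lower() and registrable(sender_domain) not in LEGITIMATE_DOMAINS:
        found.append(f"display name claims Apple but sender domain is {sender_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    # 2. Lockout threat paired with a credential request, as in the texts the article quotes.
    if re.search(r"will be locked|locked out", text, re.I) and re.search(r"apple id and password", text, re.I):
        found.append("lockout threat combined with a request for the Apple ID and password")
    # 3. Link text naming one host while the href goes to another, or a link leaving Apple entirely.
    collector = LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        href_host = host_of(href) or ""
        shown_host = host_of(shown) if re.match(r"(https?://)?[\w.-]+\.[a-z]{2,}", shown, re.I) else None
        if shown_host and registrable(shown_host) != registrable(href_host):
            found.append(f"link text shows {shown_host} but points to {href_host}")
        elif registrable(href_host) not in LEGITIMATE_DOMAINS:
            found.append(f"link points to non-Apple domain {href_host}")
    return found
```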
These so-called phishing emails (pictured) are designed to trick people into entering their Apple ID and password details in a fake login screen. The scammers are then able to steal these login credentials to get access to the user's iCloud, iTunes account and personal details
HOW TO PROTECT YOUR ICLOUD FROM HACKERS
It is possible for users to enhance the security of their documents by turning off iCloud through Settings > iCloud on their device when they are not using it.
They can also turn on two-step verification for their iCloud account.
The tool prevents people from accessing accounts - even if they have the password.
To set up two-step verification, go to My Apple ID.
Select Manage your Apple ID and sign in, then select Password and Security.
Under Two-Step Verification, select Get Started and follow the onscreen instructions.
When a user sets up two-step verification, they register one or more trusted devices.
A trusted device is one that can receive 4-digit verification codes using either SMS or Find My iPhone.
Once enabled, any time a user signs in to manage their Apple ID at My Apple ID, or makes an iTunes, App Store, or iBooks Store purchase from a new device, they'll need to verify their identity by entering both their password and a 4-digit verification code.
Users will also get a 14-character Recovery Key to keep in a safe place.
This is used to regain access to an account if a user ever loses access to their trusted devices or forgets their password.
Apple has admitted it is 'actively investigating' the claims that a flaw in the 'Find My iPhone' function of its iCloud service may have helped a hacker to steal nude photos of Jennifer Lawrence and '100 other celebrities'.
Nearly 24 hours after the publication of the images on Sunday night, Apple issued a statement last night, but the tech giant couldn't say how the alleged breach occurred and didn't offer any guarantee to its hundreds of millions of customers worldwide that the service is safe to use.
'We take user privacy very seriously and are actively investigating this report,' Apple spokeswoman Nat Kerris told MailOnline.
However, despite not admitting the bug was caused by its system, the tech giant issued a 'patch', or fix, for the alleged 'Find My iPhone' bug some claim is responsible.
The hacker claims he or she broke into stars' iCloud accounts, including those of the Hunger Games actress, Kate Upton and Rihanna, before publishing the photos on 4chan, the image-sharing forum.
A list of the alleged victims of the hack - a staggering 101 in total - has also been posted online; most of those named have not had any photographs leaked by the hacker.
And in a statement issued on Monday afternoon, the FBI confirmed that it had also begun an investigation.
'The FBI is aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter.
'Any further comment would be inappropriate at this time.'
Kirsten Dunst became the first celebrity to publicly criticise Apple on Monday when she posted a sarcastic message on Twitter.
The Spiderman star tweeted 'Thank you iCloud', the day after naked photos of her were published online.
Launched in October 2011, the firm's iCloud service is now used by more than 320 million people worldwide.
Jennifer Lawrence was the victim of a hacker who posted more than 60 revealing images of the actress online
'Victim': Downton's Jessica Brown Findlay became the latest star to be embarrassed after pictures emerged
iCloud encrypts data in transit and in storage, which means that information is protected from hackers while it is being sent to devices and stored online.
A possible breach suggests hackers were able to obtain the login credentials of the accounts, and therefore pretend to be the user, in order to bypass this encryption.
Earlier today, The Next Web spotted code on software development site GitHub called iBrute, that would have allowed malicious users to use 'brute force' to gain an account's password on Apple iCloud, and in particular its Find my iPhone service.
A message has since appeared saying that Apple has issued a fix for the bug. 'The end of the fun, Apple has just patched,' read an update on the post.
The hacker published what he or she claimed were naked photographs of Kate Upton (pictured). Upton's attorney called the photos of his client 'an outrageous violation' of privacy
Brute force, also known as 'brute force cracking', is a trial-and-error method used to get plain-text passwords from encrypted data.
Just as a criminal might break into, or 'crack' a safe by trying many possible combinations, a brute-force cracking attempt goes through all possible combinations of characters in sequence.
In a six-letter attack, the hacker will start at 'a' and end at '//////'.
Owen Williams from The Next Web, who discovered the bug, said: 'The Python script found on GitHub appears to have allowed a malicious user to repeatedly guess passwords on Apple's 'Find my iPhone' service without alerting the user or locking out the attacker.
'Given enough patience and the apparent hole being open long enough, the attacker could use password dictionaries to guess common passwords rapidly.
'Many users use simple passwords that are the same across services so it's entirely possible to guess passwords using a tool like this.
Hacked: Mary Elizabeth Winstead tweeted that nude photographs of her were taken with her husband 'years ago in the privacy of our home'
Comment: Mary Elizabeth Winstead took to Twitter to speak about her nude leaked photos
'If the attacker was successful and gets a match by guessing passwords against Find my iPhone, they would be able to, in theory, use this to log into iCloud and sync the iCloud Photo Stream with another Mac or iPhone in a few minutes, again, without the attacked user's knowledge.
'We can't be sure that this is related to the leaked photos, but the timing suggests a possible correlation.'
The group who first publicised the flaw, called HackApp, have apologised for it.
'I'm really sorry that the talk a few days ago has had such nasty consequences,' they said in a statement.
The hacking victim also offered support for other celebrities whose nude photos were leaked
Spiderman star Kirsten Dunst tweeted 'Thank you iCloud' along with icons representing a slice of pizza and a pile of poo on Monday, the day after naked photos of the star were published online
'In justification I can only mention, that we only described the way to hack AppleID.
'Stealing private 'hot' data is outside of our scope of interests.'
The iCloud service secures data by encrypting it when it is sent over the web, storing it in an encrypted format when kept on a server, and using secure tokens for authentication.
Hacked? A flaw in the 'Find My iPhone' function (right) of Apple's iCloud service (left) may have helped the anonymous hacker to steal nude photos of Jennifer Lawrence and '100 other celebrities', it today emerged
The flaw was spotted by The Next Web on GitHub (screengrab pictured). Brute force, also known as brute force cracking, is a trial-and-error method used to get plain-text passwords from encrypted data
HOW MIGHT A HACKER HAVE ACCESSED PHOTOS VIA ICLOUD?
Apple's iCloud service allows users to access their music, photos, documents, contacts and email online.
When activated, the service automatically stores users' photos, emails, documents and other information in a 'cloud', allowing them to sync the data across a range of platforms. These include iPhones, iPads and MacBooks.
Users can then access their information from any internet-connected device using a log-in and password.
Reports suggest a specific flaw in the service's 'Find My iPhone' service may have allowed a hacker to access celebrities' private images.
Code was spotted on software development site GitHub called iBrute, that would have allowed malicious users to use 'brute force' to gain an account's password on iCloud.
A message has since appeared saying Apple has issued a 'patch', or fix, for the bug.
Despite the claims, it is possible the photos were not taken via iCloud, but another platform. Other theories include:
Social engineering
The hackers may have also used 'social engineering' techniques to obtain Apple IDs and passwords based on other information.
This includes an email address, a mother's maiden name, a date of birth, and more - all of which is easier to find out about celebrities than the everyday user.
If a celebrity uses the same password across accounts, this would then make it relatively easy for someone to hack if they had the right information.
This theory would account for Mary Elizabeth Winstead's claims that the leaked photos of her were taken with her husband 'years ago'.
This amount of time exceeds iCloud's Photo Stream facility, which keeps images for a maximum of 30 days before they are deleted.
However, when photos that have been uploaded to iCloud are deleted from a phone, they are not necessarily deleted from the online storage.
Google Drive hack
In June, Google announced its Drive service had a flaw that meant private information was at risk from hackers.
Google patched the flaw in June, but the large number of victims in the 4chan leak also suggests that the hack may have begun months ago – at the time of this flaw.
Dropbox flaw
Similarly, in May, a flaw was found in Dropbox accounts that could have given unauthorised access to accounts.
Tim Bajarin, a technology analyst with Creative Strategies, backed Apple's strategy and said keeping quiet was the right option.
'Once Apple understands itself what happened, they will make a comment very fast,' he told MailOnline.
'It's an odd one, because most of the hackers out there go after ID thefts, or banking information.
'This seems more of a targeted attack on the particular celebrities.'
'The key is we don't yet know where these files were kept, they might have been in a Dropbox account or some other service.'
The presence of a Dropbox tutorial file in one hacked account suggests that the third-party cloud storage service was a source of some pictures.
'Security in the cloud is an issue generally - you have to completely trust Google, Apple, Samsung.
'Apple has some of the most powerful encryption tools out there - which is why they have almost a billion credit cards on file, and nobody has ever got hold of those.'
Rob Cotton, CEO at web security experts NCC Group, added: 'Cyber security is not just a technology problem, humans are very much key to its success. In our day-to-day work we see too many cases of employees divulging sensitive information without first verifying the legitimacy of the request.
'People often point the finger at technology when they've been the victim of a cyber attack, but poor password choices or naivety in the face of a seemingly innocent email is regularly to blame.'
Human error, in a variety of ways, said Mr Cotton, often played a part.
Find My iPhone helps users locate and protect their iPhone, iPad, iPod touch, or Mac - if it's ever lost or stolen.
Despite the claims, it is possible that the photos were not taken via iCloud, but as a result of 'social engineering'.
This form of hacking works by studying which online services your target uses, before compiling as much information on them as possible, such as their email address, a mother's maiden name, a date of birth, and more.
This data can then be used to trick them into handing over their details or guess their password.
If a celebrity uses the same password across accounts, this would then make it relatively easy for someone to hack if they had the right information.
But the sheer number of names on the list makes this unlikely – unless a large number of hackers were taking part, and a large number of celebrities had poor password management.
Other notable services to allow users to access files remotely include Dropbox and Google Drive, which enable users to keep more of their files close to hand without taking up huge amounts of memory on their devices.
One of the women named as an alleged victim - but who has not had any of her supposedly nude photos leaked - was Cara Delevingne (left). The hacker also claimed to have posted nude images of Kirsten Dunst (right)
Did it happen? Cat Deeley was named as a victim whose photographs were stolen, but no supposedly 'nude' images of her have appeared online
Nickelodeon star Victoria Justice wrote on Twitter that her image was faked. She tweeted, 'These so called nudes of me are FAKE people. Let me nip this in the bud right now. *pun intended*'
WHAT IS 4CHAN?
4chan is an image-based forum where users can post photos and videos anonymously, as well as comment on others' posts.
Registration is not required, nor possible.
The site is split into various boards, each with their own specific content and guidelines.
These include content on music, photography, gaming, comics, fashion and images of celebrities, such as Jennifer Lawrence.
Its main board, called 'Random', features minimal rules on what can be posted. It is often where controversial images and videos are uploaded by users.
When it launched in 2003, the site was used to post photos and discuss Japanese anime.
However, it quickly expanded, and is now linked to various internet subcultures and activism.
It has also been linked to a number of high-profile hacks.
In 2006, users of 4chan and other websites 'raided' American white nationalist Hal Turner by launching multiple attacks and prank calling his phone-in radio show.
Meanwhile, in 2008, the Yahoo email account of Sarah Palin was hacked by an anonymous 4chan user, who then posted her password and screenshots on WikiLeaks.
This followed criticism of Palin supposedly using private email accounts for governmental work.
And in May 2009, members of the site attacked YouTube, posting pornographic videos on the site.
Following the publication of the photos, a spokesman for Oscar winner Lawrence confirmed to MailOnline the images of her are genuine.
'This is a flagrant violation of privacy. The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence,' the emailed statement read.
On Sunday, the hacker wrote that he or she is accepting PayPal donations for a video which allegedly shows Lawrence performing a sex act.
The hacker also wrote, 'I know no one will believe me, but I have a short Lawrence video.
'It's way too short, a little over 2 minutes and you only get to see her boobs.
'Anyways, if somebody wants it let me know how I can upload it anonymously (I don't want the FBI over me, and you don't wanna know how I got this video.)'
'Jennifer Lawrence' became a Twitter trend on Sunday afternoon.
Meanwhile, Perez Hilton has apologised on Twitter for posting some of the naked photos of Lawrence on his blog, saying he feels 'awful'.
The celebrity blogger, who has since deleted the photos from the site, told his followers: 'I acted in haste just to get the post up and didn't really think things through. I'm sorry.'
He added: 'Upon further reflection and just sitting with my actions, I don't feel comfortable even keeping the censored photos up. I am removing them.'
A spokesman for Kate Upton sent MailOnline a statement from her attorney, Lawrence Shire, about the leaked photos. 'This is obviously an outrageous violation of our client Kate Upton's privacy,' the statement said.
'We intend to pursue anyone disseminating or duplicating these illegally obtained images to the fullest extent possible.'
Actress Mary Elizabeth Winstead, who confirmed she was a hacking victim, wrote on Twitter 'To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves.'
Mysterious: A spokesman denied that nude photographs of Ariana Grande (left) were published. Hilary Duff was named as an alleged victim, though her apparently 'nude' photos have not appeared online
Victims? Nude photos of Selena Gomez (left) and Kim Kardashian (right) were also allegedly hacked and acquired. But no photographs have appeared online
Denial: Victoria Justice said on Twitter that nude photos which claim to show her are fake
iCloud secures data by encrypting it when it is sent over the web, storing it in an encrypted format when kept on a server, and using secure tokens for authentication (explained above). This suggests the hackers were able to obtain the login credentials of the accounts, and pretend to be the user, in order to bypass this encryption
WHAT IS A BRUTE FORCE ATTACK?
Earlier today The Next Web spotted code on GitHub that would have allowed malicious users to 'brute force' an account's password on Apple iCloud, and in particular its Find my iPhone service.
Brute force, also known as brute force cracking, is a trial-and-error method used to get plain-text passwords from encrypted data.
Just as a criminal might break into, or 'crack' a safe by trying many possible combinations, a brute-force cracking attempt goes through all possible combinations of characters in sequence.
In a six-letter attack, the hacker will start at 'a' and end at '//////'.
The hackers may have also used 'social engineering' techniques to obtain Apple IDs and passwords based on other information they could find.
This includes an email address, a mother's maiden name, a date of birth, and more - all of which is easier to find out about celebrities than the everyday user.
If a celebrity uses the same password across accounts, this would be relatively easy for someone to hack if they had the right information.
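The Python below is an added example, not code from the article, from iBrute or from Apple. It serves both the iBrute description earlier in the article and the brute-force box above by mocking the two controls the reports say the Find My iPhone endpoint lacked: locking an account after repeated failed sign-ins, and spotting rapid failures in the authentication log. Replaying one constructed guess list against an unthrottled and a throttled service shows the lockout triggering before the matching guess is reached; the user database, log format, thresholds and guesses are all assumptions made for the demo.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

ITERATIONS = 10_000  # deliberately low for a demo; production would use far more

def make_user(password):
    """Salted PBKDF2 record for the constructed mock user database."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class LoginService:
    """Mock password-check endpoint. lockout_threshold=None reproduces the unthrottled
    behaviour the article describes; a threshold locks the account and raises an alert."""
    def __init__(self, users, lockout_threshold=None, lockout_minutes=15):
        self._users = users
        self.threshold = lockout_threshold
        self.lockout = timedelta(minutes=lockout_minutes)
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.alerts = []
        self.log = []  # one line per attempt, consumed by flag_guessing below

    def login(self, username, password, now):
        if now < self.locked_until.get(username, datetime.min):
            self.log.append(f"{now.isoformat()} LOCKED user={username}")
            return "locked"
        salt, digest = self._users.get(username, (b"", b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        if username in self._users and hmac.compare_digest(candidate, digest):
            self.failures[username] = 0
            self.log.append(f"{now.isoformat()} OK user={username}")
            return "ok"
        self.failures[username] += 1
        self.log.append(f"{now.isoformat()} FAIL user={username}")
        if self.threshold and self.failures[username] >= self.threshold:
            self.locked_until[username] = now + self.lockout
            self.failures[username] = 0
            self.alerts.append(f"{username} locked at {now.isoformat()} after {self.threshold} failures")
        return "fail"

def run_guesses(service, username, guesses, start):
    """Replay a constructed guess list one second apart, as a lockout-policy test would.
    Returns (attempts made, whether any guess was accepted)."""
    for i, guess in enumerate(guesses):
        if service.login(username, guess, start + timedelta(seconds=i)) == "ok":
            return i + 1, True
    return len(guesses), False

def flag_guessing(log_lines, max_failures=5, window_seconds=60):
    """Detection pass over auth log lines: report users with more than max_failures
    FAIL events inside a sliding window, keyed to the time they were first flagged."""
    recent, flagged = defaultdict(deque), {}
    for line in log_lines:
        stamp, outcome, user_field = line.split()
        if outcome != "FAIL":
            continue
        user, t = user_field.split("=", 1)[1], datetime.fromisoformat(stamp)
        q = recent[user]
        q.append(t)
        while t - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) > max_failures and user not in flagged:
            flagged[user] = t.isoformat()
    return flagged

# Constructed demo data: the real password is the eighth of nine guesses.
USERS = {"victim": make_user("correct-horse-7")}
GUESSES = [f"guess{n}" for n in range(1, 8)] + ["correct-horse-7", "guess9"]
START = datetime(2014, 9, 1, 12, 0, 0)

def demo():
    """Run the same guess list against an unthrottled and a throttled service."""
    unthrottled = LoginService(USERS)
    throttled = LoginService(USERS, lockout_threshold=5)
    return {
        "unthrottled": (*run_guesses(unthrottled, "victim", GUESSES, START), flag_guessing(unthrottled.log)),
        "throttled": (*run_guesses(throttled, "victim", GUESSES, START), throttled.alerts),
    }
```

Against the unthrottled service the eighth guess is accepted and only the separate log check notices; the throttled service locks the account at the fifth failure, so every later guess is refused and an alert is raised.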
Am I at risk?
If a flaw in the iCloud service was to blame, any customer could have been at risk.
iCloud's My Photo Stream feature uploads new photos to the cloud as soon as the device is connected to Wi-Fi; this is to keep photos synchronised across all your devices.
Disabling this option prevents photos automatically being uploaded.
Be aware that deleting a photo from a device does not mean it has been deleted from your online storage account.
The photos may also appear in photo streams on other devices, and any phone or tablet that is synced with that iCloud account.
This means you should delete photos from all of these areas if you want to get rid of them permanently.
Winstead also expressed sympathy for others, tweeting: 'Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked.'
Winstead implied she was facing difficulties on Twitter on Sunday, when she tweeted 'Great day for the block button!'
She later said she was taking a break from social media.
Twitter is shutting down accounts that are disseminating the pictures. In response to a request for comment from MailOnline, a Twitter spokesman said: 'We do not comment on individual accounts, for privacy and security reasons,' and referred MailOnline to the company's content boundaries web page.
Photographs that allegedly show Kaley Cuoco-Sweeting, Lea Michele, Brie Larson, Kirsten Dunst, Becca Tobin, Hope Solo, Teresa Palmer, Krysten Ritter, McKayla Maroney, Jessica Brown-Findlay, Ali Michael, and Yvonne Strahovski appeared online.
Some of the women named as alleged victims - but who have not had any of their supposedly nude photographs leaked - include Aubrey Plaza, Candice Swanepoel, Cara Delevingne, Cat Deeley, Hilary Duff, Kelly Brook, Michelle Keegan, Selena Gomez, Rihanna, Vanessa Hudgens and Farrah Abraham.
A spokesman for Keegan, the former Coronation Street actress, said there was no evidence she had been hacked and nothing had appeared online to suggest so.
A rep for Keke Palmer - who was mentioned on the list but whose allegedly 'nude' photographs were not leaked - told MailOnline 'Obviously there is no truth to this list and no nude photos of Ms. Palmer.'
Model Gabi Grecko - also named on the list but of whom no photographs have been published - told Daily Mail Australia: 'I feel like anything I didn't release myself that was accessed without my permission is shameful.'
'Some people are very private and maybe hugely affected and feel violated because of this. There have also been many suicides connected to non consented photos being released.'
Meanwhile, Ms Abraham told MailOnline: 'It is disturbing pervert behavior that should face legal consequences.'
Star: Kelly Brook was named as an alleged victim of the 4chan hacker, though photographs have not been leaked
Athletes: Nude photographs of soccer star Hope Solo (left), seen here waving to fans during a Sunday game, and gymnast McKayla Maroney (right) were also allegedly uploaded to the Internet
Yesterday, Perez Hilton apologised on Twitter for posting some of the naked photos of Lawrence on his blog. The celebrity blogger, who has since deleted the photos, told his followers: 'I acted in haste to get the post up'
She added she should 'not continue to give further attention' to the 'attention-seeking' move.
Not all of the nude photographs that have been published are genuine, however.
A spokesman for Ariana Grande told MailOnline photos that claim to show her are fake. Similarly, Nickelodeon star Victoria Justice wrote on Twitter that her image was faked. She tweeted, 'These so called nudes of me are FAKE people. Let me nip this in the bud right now. *pun intended.*'
Justice retweeted a user named @JusticeCosgrove, who wrote 'GUYD [sic] WE ARE SO STUPID THE VICTORIA JUSTICE NUDES ARE FAKE, LOOK. CLEARLY AN OLD PICTURE OF HER EDITED & FLIPPED.'
@JusticeCosgrove included a selfie of Justice, alongside a portion of her face that was seen in one of the 'leaked' photographs.
List: The names of the hacker's alleged victims appeared in this list
Seth Rogen criticized the hacker on Twitter, writing 'Posting pics hacked from a cell phone is really no different than selling stolen merchandise.'
'I obviously am not comparing women to merchandise. Just legally speaking, it shouldn't be tolerated to repost stolen pics,' Rogen also tweeted.
A representative of Brazilian model Lisalla Montenegro said: 'Regrettably Lisalla Montenegro's name is on the list of hacked celebrities. Thankfully nothing has surfaced.
'In precaution, the authorities have been informed and Lisalla's lawyer will pursue anyone duplicating or distributing these stolen images.'
A spokesman for Kelly Brook refused to comment on the hack.
THE 101 'VICTIMS': WHO THE HACKER CLAIMS TO HAVE HACKED
AJ Michalka, American actress, singer-songwriter, and musician
Alyson 'Aly' Michalka, AJ's sister, also an American actress
Allegra Carpenter, actress, best known for The Fault In Our Stars
Abigail Spencer, American actress
Alana Blanchard, American professional surfer and bikini model
Alexa Jane, model
Angelina McCoy, actress, best known for Enchanted
Anna O'Neill
Ashley Blankenship, actress, appeared in The Wolf Of Wall Street
Aubrey Plaza, American actress and comedian
Abigail 'Abby' Elliott, American actress, voice actress and comedian
AnnaLynne McCord, actress and model
Avril Lavigne, Canadian singer-songwriter
Amber Heard, American actress and model
Rebecca 'Becca' Tobin, actress, singer, and dancer
Brie Larson, American actress, screenwriter, director and singer
Brittany Booker
Candace Smith, American lawyer, actress, model, and beauty queen
Candice Swanepoel, South African fashion model, best known for her work with Victoria's Secret
Cara Delevingne, English fashion model
Carley Pope, Canadian actress
Carmella Carcia
Carrie Michalka
Cat Deeley, English television presenter, actress, singer and model
Carly Foulkes, Canadian model and actress
Chloe Dykstra, actress and model
Clare Bowen, Australian actress and singer
Dove Cameron, 18-year-old U.S. actress and singer
Elena Satine, Georgian-American actress and singer
Elle Evans, American model and actress
Ellenore Scott
Emily Browning, Australian film actress and singer
Emily DiDonato, model from New York
Emily Ratajkowski, British-born model and actress
Erin Cummings, American actress
Erin Heatherton, American fashion model and actress
Farrah Abraham, TV personality, author and pornographic actress
Gabrielle Union, American actress and former model
Gabi Grecko
Hayden Panettiere, U.S. actress, model and singer
Hope Solo, American goalkeeper and two-time Olympic gold medalist
Heather Marks, Canadian model
Hilary Duff, American actress and singer-songwriter
Jacqueline Dunford
Janelle Ginestra
Jennifer Lawrence, American actress
Jessiqa Pace
Jessica Dunford
Jessica Riccardi, model
Jesse Golden
JoJo, American singer, songwriter and actress
Joanna Krupa, Polish American model and actress
Jennifer 'Jenny' McCarthy, American model and actress
Josie Loren, U.S. actress
Joy Corrigan
Kaley Cuoco, American actress
Kaime O'Teter
Kate Upton, American model and actress
Kate Bosworth, American actress
Kelly Brook, English model, actress and TV presenter
Lauren 'Keke' Palmer, American actress and singer-songwriter
Kim West, American TV personality socialite
Kirsten Dunst, American actress, singer, model and director
Krysten Ritter, U.S. actress, musician, and former model
Lake Bell, American actress
Laura Ramsey, film and television actress
Lea Michele, actress and singer, best known for her performance as Rachel Berry on the Fox TV series Glee
Leelee Sobieski, actress
Leven Rambin, American actress
Lisa Kelly, American trucker who appeared in Ice Road Truckers
Lisalla Montenegro, Brazilian model
Lindsay Clubine
Lizzy Caplan, American actress
Mary-Kate Olsen, American actress and fashion designer
Mary Elizabeth Winstead, actress and recording artist
McKayla Maroney, artistic gymnast
Melissa Benoist, American actress and singer
Meagan Good, actress
Megan Boone, actress
Michelle Keegan, British actress
Mikayla Pierce
Misty Treanor, retired American beach volleyball player
Nina Stavris
Rachel Nichols, American actress and model
Rihanna, singer
Sarah Shahi, American actress
Sahara Ray
Sarah Schneider, American writer, actress, and comedian
ScarJo (possibly Scarlett Johansson, actress)
Selena Gomez, American actress and singer
Shannon McNally, singer-songwriter
Tameka Jacobs
Teresa Palmer, Australian actress and model
Uldouz
Vanessa Hudgens, American actress and singer
Victoria Justice, Nickelodeon actress
Wailana Geisen
Winona Ryder, American actress
Yvonne Strahovski, Australian actress
Alison Brie (U.S. actress) and Dave Franco (U.S. actor)