
All right everyone, thank you so much for still being here. I know you probably just want the happy hour, so I'll be as quick as possible. So let's begin. The topic is Apple ID leakage and its consequences. This sounds like a pretty old topic and a boring topic, so why are we still talking about it here right now? There are indeed some new things. One is that attackers, as you all know, previously preferred to attack the central server so that they could grab millions of accounts in one hand; however, in recent years they have also been trying to attack the users individually. This is probably because the big companies have already adopted some good security designs and implementations to secure the server. Another reason is that in recent years all the big companies like Google, Microsoft, Apple and others have added more and more features associated with the account, so that it is possible the attacker could make more money, or has more ways to make money, after stealing those accounts. So this is basically what we will introduce to you today.

The reason I chose Apple ID is because I believe that Apple is a company that already, I can say "already" because I don't work for Apple, should adopt a lot of good security practices on both their server side and their client side, iOS or Mac OS X. I'm saying this not because they sponsored breakfast and lunch yesterday, but I think their reputation is still pretty good. However, even for Apple ID we still found, for example, this: last December over 700,000 Apple ID accounts with passwords and some user information were sold in a darknet marketplace. How did this happen? Another reason I chose Apple ID is because it is associated with too many functionalities, too many services, that are everywhere in your life.

Before this study I have to say I am not an expert on the underground market or the darknet or those kinds of criminal networks. My job is research and development around malware and antivirus products. However, in the past two years, when I was working on some iOS malware families, I found that their actors are not like the classical malware we are used to, which tries to remotely control the system or to steal your information; lots and lots of iOS malware just focuses on the Apple ID itself, and you will see some examples. These things made me dig into it to find out their purpose, because malware's purpose is always important: only when you know their purposes can you deploy really effective signatures to capture those attacks.

The organization: the beginning, the first part, is about leakage. No surprise, one of the common components is phishing. There were about two or three talks in this conference that talked about it. Of course through email, also through short messages or iMessage, and targeted phishing. This is not the only one, but it's still targeted: those phishing messages happen especially when your iPhone or Mac device has been stolen and you enabled locking your device remotely through iCloud. You can see the first message, sent exactly when this guy's iPhone was lost, and the message content says that the phone was found, so it's more likely the owner will click the link. Another message correctly says the name of the owner, which means it is not generic spam; at least it has some context about the receiver. Surprisingly, you know usually phishing is through email messages and short messages, but for Apple ID there are indeed cases of phone calls to phish you, and also targeted. This is the case, and after I prepared the slides there were two more cases which are pretty similar: after this guy lost his iPhone he received hundreds of phishing attempts through email and through messages asking about his Apple ID password, and he ignored them because he identified them as phishing. Then he got a phone call. Most of the phone calls asked about the answers to the security questions, and I will show you why later, but the most important thing is that the caller's number is a 400 number which is exactly the same as the local Apple official technical support phone number. This is actually phishing that abused a design flaw in some VoIP gateways, which could make a phone call from an arbitrary caller number; for example, it could make a phone call from any number. All right, and there are also some other phishings, next through pop-up ads when you are browsing some website from your desktop or tablet or on your iPhone.

This is one I got personally this year, and you know what my favorite part of this phishing website is: first of all, it designed a logo for Apple ID which used an italic font, and the title is "Apple Store", not "App Store". The second part I find really interesting about this website is that in the footer it says "if you received this email in the spam folder, click on 'not spam' to fix it". [Laughter] Okay, anyway, all this phishing will eventually lead you to a website like this. Sometimes they look pretty much like Apple's official website and sometimes not, but eventually they will ask you to input your password or security answers, and usually most of them are hosted under URLs which contain keywords like Apple update, Apple ID, Find your iPhone, iCloud, something like this. So there are lots of ways to detect them: you can find the keywords in the URL on your website, in email, in short messages; you can compare the similarity of the site. And I think this is some message that you may be familiar with.

Another measure they use to grab your password from the user is malware. These are two malware families that I discovered two years ago. They do require you to jailbreak your device, and you know after jailbreaking usually you can do anything you want, but the simplest way to grab the password is to hook a system API named SSLWrite through the MobileSubstrate instrumentation framework. This function is used by Apple in the iTunes Store and App Store client: after you log in, it will use this function to construct a request to the Apple server for authentication, so by hooking it you can get the password. Both of these two families use this trick. In the KeyRaider case, a case that was really lucky for us, one of the researchers who cooperated with us identified a vulnerability in the C2 database, so he actually dumped the whole database that this malware collected and finally discovered over 200,000 valid Apple IDs had been stolen. It's kind of surprising that a jailbreak plug-in could grab so many accounts.

Another case is malware that does not need jailbreaking, and it actually even landed in the App Store. This one provided services sort of like an alternative App Store: it offered you iOS apps to download, pirated or not, premium or not. It has a functionality that suggests you log in with your Apple ID through this app, and then you get lots of advantages, lots of additional features, and they claimed that they don't upload the Apple ID and password to their own server, but actually they did upload them. This is not the only case; if we talk about other accounts there are more cases, for example InstaAgent and a WhatsApp stealer. There are two, I won't use the word malware about those two apps, which stole your Instagram and WhatsApp accounts in a similar way by providing additional features for users: for example, InstaAgent provides a functionality so that you could know whoever viewed your Instagram, but after you input your password it will upload it to the server, and this app at least got into the App Store for some time.

So the third problem is that you have no problem, the end user has no problem, and so Apple has no problem, but the email you use has some problem. Here is an example: in October 2015 over 100 million email accounts leaked, which all belonged to the same company, NetEase, which is the most popular email provider in China, and I myself am also a user, maybe affected, maybe not, I have no idea, but I changed my password immediately. Immediately after the leakage there were lots and lots of attacks logging into Apple IDs, locking the phone remotely and demanding ransom for some money. This was associated because all of these reported cases were using a NetEase email box. That's not the end: in January, last month, there were like tens of thousands, hundreds of thousands, millions of accounts being sold on the darknet, and you can imagine the ones that also registered Apple IDs. Also there were leakages of mail.ru and Yandex, the two most popular Russian email providers, and there were also lots of cases of Google account leakage; for example, this is the case of an Android malware that stole Google accounts and passwords in Russia which affected millions of accounts, and there are lots of other cases. The NetEase case was said by the official statement to be not an attack on the server but just reuse of the same password, which we cannot verify, but anyway password reuse is always something you should consider, and I think everyone is familiar with this so I skip it.

Another way is pretty interesting: the email system may have a vulnerability on the server side, but it may also have a vulnerability in the front end. This is just like a cross-site scripting vulnerability, which is usually thought of as low severity, but it was actually abused and exploited by attackers in the wild to steal your Apple ID. So this is a zero-day in Tencent's email system, and it sends the victim some kind of targeted phishing email, and this is the result reproduced by the researcher of this exploit: it could successfully get the login token of Tencent's email system website, so that they could log in to the email system and recover your iPhone's or Apple ID's password. I will show you the price of these attacks later.

So of course there is brute force. Brute force, I guess maybe someone already forgot about it, because nowadays it is common sense that you should prevent brute force with lockout or captcha. However, sometimes, if the login, if the API is a back-end or internal API, if it's not a public service, sometimes you may forget to prevent brute force like this. This happened two years ago when some researchers discovered that the Apple ID Find My iPhone functionality had an interface that could not prevent brute force, and the exploit was publicly available. And the last one, seriously, this is not a security topic but I will show you what we're talking about later: people in the underground also created Apple IDs in batch, and when I say in batch it means like tens of thousands at least, and then sell them for App Store fraud.

Okay, the next big topic is how to make profit. We are not talking about those attacks which have some special political or other purposes; for example, this is the case of an editor of Wired magazine being attacked: somebody logged into his ID and removed all his data in iCloud, no idea why, maybe some special purpose. This is obviously a targeted attack and not for money. What we want to talk about is how to directly get quick money from those stolen Apple IDs. The first one is spam. Spam: you can imagine that advertising is of course one of the most important sources of money for the Internet industry, but for the underground guys spam is also one of the biggest sources. So this happened, for example, in the US at Christmas and Black Friday: people received lots of messages like this; they are indeed masters of the emoji, yeah. You know, this is actually pretty simple as an attack: you don't even need a password, you just need to know the recipient's email address and you can send a message. And since Apple provided a functionality to report junk, they discovered another method to deliver ads, which is through Calendar. In Calendar you can invite your friend to participate in a special event, and this goes through iCloud, but the use here is to invite millions of people to some events with a purchase something or other attachments, and this actually not only occurs in your apps but is also displayed on your desktop as a notification you cannot ignore. And of course there will be email, but email spam is boring to talk about; I personally received a special email which is a pretty interesting case I would like to share. This email I received in my NetEase email box, and it is indeed from Apple, okay, really from Apple, it's official, from Apple without any problem. But the only problem is that usually when Apple calls you or sends a message to you it will say "Dear [your name]", and this one did not. This one said "Dear we are professional making fake ID document services and please contact with me guarantee satisfied". Notice that this is from Apple, from one Apple ID that has this kind of service. So it is obvious that they discovered some kind of... okay, the content is like "somebody chose your mailbox as my rescue email address", so it's a kind of password recovery service, where Apple's server believes the user's input of the username as the real name, so this real name field is being abused. Yes, smart guys, smart guys. So I reported it to Apple and it's fixed, by removing the name: the next message just says "Dear," and that's all.

Of course the second big business of the underground is App Store fraud. This is just like purchasing a house: everywhere, everything is about location, location, location. You know, a good location in the App Store would make a successful startup in Silicon Valley, so location is always expensive. This is the price list of how much it would cost to promote an app to the top list of the App Store, and you can see in the United States, in order to keep your app in the top ten for one day, that's sixteen grand. So App Store fraud of course has lots of techniques and it has improved a lot; it's always a cat-and-mouse game, but the most important part for Apple, or for others like Google who run Google Play, the most important factor to identify fraud or to reduce the effect of fraud, is to identify whether this guy is a real person or whether this is fraud activity from the attacker's machine. So all the fraud requires lots of Apple IDs, and at the very beginning they registered like hundreds of thousands of IDs by machine, but later these were pretty easy to discover, because those Apple IDs have the same registration time, have the same activities, and don't have any user data. So later they are trying to steal your password and, on your behalf, promote those apps, and not only promote them to a good location in the top list but also make some fake reviews or fake ratings, because these are important, at least for some developers. So sometimes a user may discover that the password is not changed and everything looks fine, but just the App Store history has some weird purchase history or reviews or ratings. And it's all even implemented in malware: the malware I mentioned that stole your password will also automatically purchase apps, the commands for which it receives from the server; it will make the purchases on the infected iPhone, which looks like a real user.

Okay, here is another case that I would like to show. This proves that App Store fraud not only affects Apple's business but may also affect the end user. So this is a fake AV I discovered last December in the App Store, okay, this is the Mac App Store. And actually in the Mac App Store there are lots of low-quality antivirus cleaners, but one day I discovered, well, they even occupied the top three. How weird it is! But this one, after I analyzed it, I found it is fake AV, it's scareware, because it internally constructed some buggy signatures in the format of ClamAV which could lead to false positives against system files, and it has two versions, one is free and one is premium for ten bucks, and if you scan and it finds like hundreds of malware on your desktop it will ask you to pay to clean all of them, but actually all of them are of course false positives. However, usually those fake AVs should not get such a good position, but after analyzing the logs of those days it's easy to find that they used App Store fraud to get such a position, so that it could get paid more. Somehow the fraud happened, for example, in the recommendation system; this happens when you're trying to search some keywords in the App Store client, and those are expensive: for example, in the overall recommendation for any keyword, to stay there for like six hours you need to pay three to ten grand, and even for just a specific keyword recommendation you need to pay like, wow, 200,000 per month. They construct lots and lots of fake search requests and search responses to the Apple server so that it cheats the machine learning model. This is, you see, a very interesting attack; this is the first time I see people really trying to attack a machine learning system.

And of course you can, on the user's behalf, purchase an app and get money back, especially when it's a game, as a purchased item could be resold to your friends, and this also happened in malware. And the first method is actually pretty popular right now: after I get your Apple ID I could remotely lock your devices and ransom them for money, like to unlock either pay 0.1 Bitcoin or some gift card. These usually happen together: they will change your password, they will change your email address, and sometimes they will also change your security questions. Of course, to change your security questions you need to answer them first; that's why they sometimes phish you to ask for your current answers. And yeah, it is also implemented in some malware.

And not only locking: unlocking is also a way to make business. For example, the unlocking is that after your phone is stolen or lost or picked up by somebody else, they would like to resell it, but you already remote-locked it, so they need to unlock it. So this is also expensive, for example, okay, of course it's always lower than the price of the real device; for example, the cross-site vulnerability I just said, with that they sell for 70 to 300 bucks, and they also provide services like helping you log into the system and then unlock a specific iPhone by phishing, by targeted phishing. And here is a problem I have asked the audience to attend to before, I can almost repeat it, but I still would like to ask. The problem is that after you get a lost or stolen phone, actually in theory it is impossible that you will get the full email address, because this is by design impossible. However they could do this: there was an underground service sold on the Internet or on the darknet, priced pretty cheap at just 10 bucks, and it has a successful rate. I have no idea why; this is really a question, why this information leaked and caused so many attacks. Also there are some other ways, like trying very hard to unsolder the chips in the devices to unlock it, but this is not the reality. That's all about Apple ID, but lots of things: you can always steal the personal data and make an extortion of you, because there is lots of private data. Last year, you may already know, lots of celebrities' photos in iCloud were stolen and published on the Internet, and those photos, yeah, and this guy is one of those who was charged, oh, okay, sorry, not charged, right now he has pleaded guilty. I just, and also the third-party App Store, this is another attack that I recommend you read my analysis of on the company blog.

Okay, lessons learned: first of all, attackers will also attack users individually, not only focus on the server side, and you know the user, the end user, is always a weak point. Secondly, all the features, if you design an important feature, it will be abused to make profit eventually, and this will speed up the activities of targeting the end user. So this is what I think some companies did not assume before, and I do recommend you reconsider the security model of the system and try to identify those kinds of things in the underground. All right, thank you. [Applause]

Thank you to our speaker, on behalf of Fitbit and everyone else, thank you for spending your time with us. Thank you. And thank you everyone, that concludes all the talks for today; enjoy the happy hour. Questions? Definitely contact him on the lists or right outside.
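The talk's advice on spotting Apple ID phishing pages (keywords such as Apple ID, iCloud, Find your iPhone or update in the URL, and a host that imitates the real site) can be turned into a small triage script. The following is an added example, not code from the talk or its speaker; the keyword list, the list of legitimate Apple domains, the 0.7 similarity threshold and the sample URLs are constructed assumptions for illustration, and the crude "last two labels" domain extraction should be replaced by a public-suffix-list library in practice.

```python
"""Phishing-URL triage in the spirit of the talk's detection advice:
flag URLs whose host or path carry Apple-ID-related keywords but whose
registrable domain is not Apple's, and score how closely the host
imitates a legitimate Apple domain. Added example; not the talk's code.
"""
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Keywords the talk says commonly appear in Apple ID phishing URLs (assumed list).
KEYWORDS = ("apple", "appleid", "icloud", "find", "iphone", "update", "verify", "account")

# Domains the legitimate Apple ID services use (assumption for this example).
LEGIT_DOMAINS = ("apple.com", "icloud.com")

# Similarity above which a non-Apple host is treated as a lookalike (assumed threshold).
LOOKALIKE_THRESHOLD = 0.7


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Enough for .com-style hosts in this
    example; real deployments should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_score(host):
    """Highest string similarity between the host's registrable domain and
    any legitimate domain (1.0 means identical)."""
    dom = registrable_domain(host)
    return max(SequenceMatcher(None, dom, legit).ratio() for legit in LEGIT_DOMAINS)


def triage_url(url):
    """Return a verdict for one URL together with the evidence behind it."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    # Normalise so that "apple-id" and "apple_id" also match "appleid".
    text = (host + parsed.path + parsed.query).lower().replace("-", "").replace("_", "")
    hits = [k for k in KEYWORDS if k in text]
    dom = registrable_domain(host)
    score = lookalike_score(host)
    if dom in LEGIT_DOMAINS:
        verdict = "legit-domain"
    elif hits and score >= LOOKALIKE_THRESHOLD:
        verdict = "phishing-likely"   # Apple-ish words on a lookalike domain
    elif hits:
        verdict = "suspicious"        # Apple-ish words on an unrelated domain
    else:
        verdict = "benign"
    return {"host": host, "domain": dom, "keywords": hits,
            "lookalike": round(score, 2), "verdict": verdict}


# Constructed sample URLs for the demo; not real indicators from the talk.
SAMPLES = [
    "https://appleid.apple.com/account/manage",
    "http://apple-id-update.appie.com/find-your-iphone/login",
    "http://icloud-verify.example.net/update",
    "https://example.org/news",
]


def triage_all(urls=SAMPLES):
    """Triage a batch of URLs, e.g. links extracted from mail or SMS."""
    return [triage_url(u) for u in urls]


if __name__ == "__main__":
    for result in triage_all():
        print(result)
```

The keyword hit list and the lookalike score are kept separately in the output so an analyst can see why a URL was flagged; a single combined score would hide whether the trigger was the wording or the domain spoofing.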