People trying to access Apple's iCloud service from China recently ran into trouble: their connections were intercepted and redirected to a phishing page that collects user credentials. IT security specialists are working out how to stop this nationwide cyber-attack.
Timing of the Attack
The China censorship watchdog group Great Fire reported that the attack was launched by the Chinese government, with the aim of compromising the data that Chinese citizens store in Apple's iCloud.
The incident coincided with the launch of the iPhone 6, the latest iPhone model. A new device synchronizes its content from iCloud, so large numbers of users were signing in to the service at exactly this time.
Fake Digital Certificate Used
According to Great Fire, which tracks censorship in China, the attackers used a fake digital certificate. The group's report states that Google Chrome and Mozilla Firefox users receive a warning that the site they are about to visit is potentially harmful, and the phishing page is blocked. If users choose to ignore the alert, a bogus login page is loaded automatically.
When users enter their iCloud credentials and press the sign-in button, their username and password are sent straight to a location controlled by the attackers. Worse, users of the Qihoo browser, the most popular web browser in China, are directed to the phishing page with no warning at all.
Malware specialists confirm that this is a man-in-the-middle attack. It relies on a certificate that no browser trusts, presented for iCloud since the beginning of October. This Apple-directed attack aims to collect usernames and passwords and thereby gain access to the data stored in iCloud, including messages, contacts, photos and more.
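To make the certificate warning concrete, here is an added Python example written for this page; it is not code from Great Fire, Apple or the article. The two certificates are constructed in the dictionary form Python's ssl module returns, with made-up issuer names, and the trust store is a hypothetical set of issuer organizations. The offline functions reproduce the checks that lead Chrome and Firefox to warn (self-signed certificate, issuer not in the trust store, name mismatch); fetch_peer_cert performs the same verification over a real connection and refuses the handshake, rather than handing back a certificate, when an untrusted certificate is presented for the host.

```python
import socket
import ssl

# Two constructed certificates in the dict form that
# ssl.SSLSocket.getpeercert() returns. Issuer names are made up for this
# example; they are not the real iCloud certificate chain.
GENUINE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Apple Inc."),),
                (("commonName", "www.icloud.com"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA G3"),)),
    "subjectAltName": (("DNS", "www.icloud.com"), ("DNS", "icloud.com")),
}

# What a man-in-the-middle with a self-signed certificate would present:
# the subject name is right, but the issuer is the certificate itself.
FAKE_CERT = {
    "subject": ((("commonName", "www.icloud.com"),),),
    "issuer": ((("commonName", "www.icloud.com"),),),
    "subjectAltName": (("DNS", "www.icloud.com"),),
}


def rdn_value(name, attribute):
    """Return one attribute (e.g. 'commonName') from a getpeercert()-style
    name tuple, or None when absent."""
    for rdn in name:
        for key, value in rdn:
            if key == attribute:
                return value
    return None


def hostname_matches(cert, hostname):
    """Check the hostname against the certificate's DNS SANs, falling back
    to the subject CN only when there are no SANs. Handles one leading
    wildcard label, as browsers do."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = rdn_value(cert.get("subject", ()), "commonName")
        names = [cn] if cn else []
    host = hostname.lower()
    for pattern in (n.lower() for n in names):
        if pattern.startswith("*."):
            # "*.icloud.com" matches "www.icloud.com" but not "icloud.com"
            if host.count(".") >= 2 and host.split(".", 1)[1] == pattern[2:]:
                return True
        elif pattern == host:
            return True
    return False


def assess_cert(cert, hostname, trusted_issuer_orgs):
    """Return the list of reasons a browser would warn about this
    certificate; an empty list means it passes. trusted_issuer_orgs stands
    in for the browser's root store (matching by issuer organizationName is
    a simplification of real chain building)."""
    findings = []
    if cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed: issuer equals subject")
    issuer_org = rdn_value(cert.get("issuer", ()), "organizationName")
    if issuer_org not in trusted_issuer_orgs:
        findings.append(f"issuer not in trust store: {issuer_org!r}")
    if not hostname_matches(cert, hostname):
        findings.append(f"certificate does not cover {hostname!r}")
    return findings


def fetch_peer_cert(host, port=443, timeout=5):
    """Connect with full chain and hostname verification, which is what
    Chrome and Firefox do before deciding whether to warn. Against a
    man-in-the-middle presenting an untrusted certificate this raises
    ssl.SSLCertVerificationError instead of returning the certificate.
    Setting verify_mode = ssl.CERT_NONE would be the equivalent of clicking
    through the browser warning, which is why it is not done here."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    store = {"Example Trusted CA"}  # hypothetical trust store
    for label, cert in (("genuine", GENUINE_CERT), ("fake", FAKE_CERT)):
        print(label, assess_cert(cert, "www.icloud.com", store) or "ok")
    # Live check against the real service (needs network): add --live
    if "--live" in sys.argv:
        try:
            print(fetch_peer_cert("www.icloud.com")["issuer"])
        except ssl.SSLCertVerificationError as exc:
            print("handshake refused, possible interception:", exc)
```

Run without arguments to see the constructed fake certificate fail on two counts while the genuine one passes; with --live the script connects to www.icloud.com and, on a path where a bogus certificate is injected, reports the refused handshake instead of a certificate. The issuer-organization lookup is only a stand-in for the browser's root store; real trust decisions are made by the TLS library's chain building, which is what fetch_peer_cert relies on.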
Staying Away from the Attack
Users should know that not all iCloud users in China are targeted. Great Fire reported that only connections directed to the IP address 18.104.22.168 are affected, since the domain name server that resolves iCloud may return IP addresses different from the ones it used before.
There are measures users can take to stop the attackers from getting access to their iCloud accounts. Using a secure connection such as a virtual private network tunnels the login outside China, so the connection is not redirected to the fraudulent page. Above all, users should not click through the certificate warning that Chrome and Firefox display: ignoring it is exactly what delivers them to the phishing page.