Chinese authorities run nation-wide man-in-the-middle attack

Oct 20, 2014 14:08 GMT  ·  By

Access to the iCloud service from China is currently being blocked, and the connection is redirected to a phishing page that harvests user credentials.

The government has launched a nation-wide attack that compromises the information Chinese citizens store on Apple’s iCloud storage services, according to censorship watchdog Great Fire.

The incident appears to coincide with the shipping of the latest iPhone model last Friday, when long-time owners of the device would be synchronizing their content from iCloud to the new phone.

Fake digital certificate used in the attack

Great Fire is a group that keeps an eye on censorship in China, and according to its report, users of Mozilla Firefox and Google Chrome receive a warning about landing on a potentially harmful location, and access to the phishing page is blocked. However, if they choose to ignore the alert, the bogus log-in page is loaded.

After entering the iCloud credentials and hitting the “sign in” button, the username and password are automatically sent to a location under the control of the attackers.

In a worse case, users trying to access Apple’s cloud service are served the phishing page automatically, with no prior warning. This happens when Qihoo, China’s most popular web browser, is used.

This type of attack is called man-in-the-middle (MitM) and relies on the use of an untrusted certificate for www.icloud.com that appears to have been issued at the beginning of the month, on October 4.

“This is clearly a malicious attack on Apple in an effort to gain access to usernames and passwords and consequently all data stored on iCloud such as iMessages, photos, contacts, etc.,” Great Fire says in a post published on Monday.

Avoid falling victim to the attack

Not all users in China are targeted, according to the anti-censorship group, which reports that the authorities only attacked the 23.59.94.46 IP address and that iCloud’s DNS (Domain Name System) records may return different IPs.
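The check that Firefox and Chrome perform, as an added example that is not part of the article or of Great Fire’s report: connect to www.icloud.com at a chosen IP with strict chain and hostname verification, and if verification fails, report the OpenSSL reason and the SHA-256 fingerprint of the leaf certificate actually served, so it can be compared against the fingerprint seen over a trusted route. The IP 23.59.94.46 is taken from the article; the function names, the fingerprint format and the placeholder port/timeout values are my own assumptions, and the script never submits any credentials.

```python
import hashlib
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# From the article: the single iCloud IP Great Fire saw being attacked.
ICLOUD_HOST = "www.icloud.com"
ICLOUD_IP = "23.59.94.46"


@dataclass
class TlsCheck:
    host: str            # name presented via SNI and checked against the cert
    target: str          # IP (or name) actually connected to
    verified: bool       # True only if chain AND hostname validated
    reason: str          # "verified" or the OpenSSL verification error text
    fingerprint_sha256: str


def leaf_fingerprint(der: bytes) -> str:
    """SHA-256 of a DER-encoded certificate as colon-separated hex pairs."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_der(target: str, host: str, port: int, timeout: float) -> bytes:
    """Fetch the leaf certificate WITHOUT validating it, for reporting only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((target, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_host(host: str, target: Optional[str] = None, port: int = 443,
               timeout: float = 5.0) -> TlsCheck:
    """Verify the served chain and SNI name the way a browser does."""
    target = target or host
    strict = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((target, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
        return TlsCheck(host, target, True, "verified", leaf_fingerprint(der))
    except ssl.SSLCertVerificationError as exc:
        der = fetch_leaf_der(target, host, port, timeout)  # untrusted leaf
        return TlsCheck(host, target, False, exc.verify_message,
                        leaf_fingerprint(der))


if __name__ == "__main__":
    print(check_host(ICLOUD_HOST, ICLOUD_IP))
```

A fingerprint that differs from the one obtained through a VPN, together with a non-empty verification reason, is the signal that the connection is being intercepted rather than merely blocked.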

However, there are some measures users can take to prevent their iCloud account details from falling into the hands of a third party.

One way to do so is to route the connection through a secure channel, such as a virtual private network (VPN). This ensures that the log-in information is sent from outside China, eliminating the risk of the connection being redirected to a fraudulent page.

Also, users with two-factor authentication enabled should have nothing to worry about, because it ensures that a supplemental code, besides the password, must be provided in order to gain access to the account.