Phishing works. Chronicle of theft of the iPhone XS, followed by the theft of iCloud data

Hi, Habr! About phishing iCloud data in Brazil, Russia and the CIS countries is entertaining to read exactly to the moment you become a participant in such incidents.

The current scheme has practically not changed, see how it works:

November 26, 10:45 pm An

incoming call from an unknown number, from a familiar one - she has trouble. In the theater, taking advantage of the turmoil in the lobby, the thieves pulled a brand new, freshly bought iPhone XS out of the bag. A girl in a panic, she saved up for an expensive gadget for a very long time. The stolen gadget is turned off, the sim card is (most likely) removed.

Without losing time, I tell you how to access the iCloud website and turn on Lost mode on the iPhone. Since the contact number has not yet been recovered, we indicate in the message the phone number of the username Kpyto — that is why I can tell this story as a participant in the events.

What can be seen through iCloud? The device is turned off, the last location is not near the theater, within a few kilometers.

November 27, 11:56

I receive an SMS message with the following text (I specify the URL through spaces):

Устройство iРhone XS было обнаружено 27.11.2018 в 11:55. Текущее местоположение устройства на карте: https:// icloud. com. id-apple. info/ ?id=002.86.053
Служба поддержки Aррle

The sender of the message is the alphanumeric inscription “Support”.

Without losing a second (oh no!), I cheerfully redirect (stop !!) the text of an SMS message to a friend.
Not very smart - oh yeah. It seems that the bill goes on for a second, we are about to find out where the thieves are, the police will delay them hot on the trail, the pulse is quickened, what is the result?

And then I re-read the URL address. The attentive reader does not need to explain, but I still do it - it leads to a phishing site, a fake iCloud. Retrieve the sent message late, a friend had time to enter a username and password on a phishing page.

November 27, 11:58

The iPhone XS disappears from the “My devices” section in iCloud, its tracking is no longer available. The attackers dumped the gadget, entered the “missing link” - the login and password from iCloud, and now they can safely sell the stolen one.

November 27, 11:59

Website

https:// icloud. com. id-apple. info/ 

starts to "redirect" to the official iCloud website.

Our time

What did I find out? An official request to the operator gave no results. "Alphanumetric" number of the sender is issued only to legal entities. The police must submit a request for this information - it is not known whether it will be possible to find out something on this issue.

Domain intruders

id-apple. info с поддоменом icloud. com

registered with REG.RU registrar A request has been submitted to CERTGIB to check a “suspicious” site. No response from them has yet been received.

Instead of an afterword

Please note the words from which the URL and data of the sender of the SMS are made up: “id apple icloud support” - it is very difficult to find the mention of a fake website by these words, even if the victims publish information about phishing somewhere. Perhaps this publication will help someone in the future to remain vigilant.

Even if you are a technically savvy specialist, and are able to recognize phishing using elementary logic, this does not mean that at the time of emotional turmoil you will not misfire. “Forward” text from SMS to instant messenger is a matter of seconds, and this became my mistake.

“Dumb Phishing” still works great. Apple does not send SMS messages about the device found. You should not save for a long time on an expensive gadget, so you do not regret so much in case of loss. Be careful not to repeat the mistakes of others!