Slashdot Mirror


Inside a Phishing Gang That Targets Victims of iPhone Theft (krebsonsecurity.com)

tsu doh nimh writes: Brian Krebs has a readable and ironic story about a phishing-as-a-service product that iPhone thieves can use to phish the Apple iCloud credentials from people who have recently had an iPhone lost or stolen. The phishing service -- which charged as much as $120 for successful phishing attempts targeting iPhone 6s users -- was poorly secured, and a security professional that Krebs worked with managed to guess several passwords for users on the service. From there, the story looks at how this phishing service works, how it tracks victims, and ultimately how one of its core resellers phished his own iCloud account and inadvertently gave his exact location as a result. An excerpt from the report via Krebs On Security: "Victims of iPhone theft can use the Find My iPhone feature to remotely locate, lock or erase their iPhone -- just by visiting Apple's site and entering their iCloud username and password. Likewise, an iPhone thief can use those iCloud credentials to remotely unlock the victim's stolen iPhone, wipe the device, and resell it. As a result, iPhone thieves often subcontract the theft of those credentials to third-party iCloud phishing services. This story is about one of those services..."

15 comments

  1. what is old is new again by turkeydance · · Score: 0

    steal the gun, erase the serial number, etc.

    1. Re: what is old is new again by Anonymous Coward · · Score: 0

      Not even remotely comparable. iPhones aren't guns for one. Also you can't get the serial number off of an iPhone. Even if you scratch it off it is still in the firmware and the phone is still traceable, unlike a gun.

    2. Re: what is old is new again by Anonymous Coward · · Score: 0

      It's so clear what was happening here for someone who knows about appy APP apps, they wanted to steal all those valuable appy app apps from the phones! If one appy app is worth 20 billion and another appy app aggregator app for apps is worth 10 billion, you could steal the two appy apps together and pivot them into a new app that's worth 50 billion. And that's cheap for an appy app that you can produce by just going app fishing. Even a LUDDITE can understand those app maths for valuing appy app app apps.

      APPS!

    3. Re:what is old is new again by JustAnotherOldGuy · · Score: 1

      steal the gun, erase the serial number, etc.

      It's a *lot* harder to "erase" a serial number from a gun than you might imagine. Even if you grind away enough metal so you can't see it, various imaging techniques can still detect it. Acid-etching, electron backscatter diffraction, and magneto-optical detection can all "see" serial numbers that appear to have been obliterated.

      Want to destroy a gun's serial number? Melt it down into a puddle of metal.

      --
      Just cruising through this digital world at 33 1/3 rpm...

    4. Re:what is old is new again by Anonymous Coward · · Score: 0

      Stamped numbers can be overstamped, then ground off. Or overstamped, then ground off, then restamped. If it looks like a good stamp, will the boys in blue grind it off to reveal possibly something else?

  2. wow by supernova87a · · Score: 2

    Read through the full article - that is some seriously impressive detective work to follow through and find the people behind the phishing portal!

  3. This happened to me this morning by Anonymous Coward · · Score: 0

    Now I'm wondering if this article is an even more elaborate scam to get me to follow whoever did this to me.

  4. What I'm missing.... by Rick+Zeman · · Score: 1

    ...is if they have a stolen iPhone how do they know whom to text to try and phish the credentials? If the phone's locked it's not like they have access to the owner's information, nor to the IMEI. What am I missing?

    1. Re:What I'm missing.... by twistofsin · · Score: 1

      Maybe it goes like this?

      Learn someone's Apple ID.
      Compromise account.
      Locate the device.
      ???????
      Profit.

    2. Re:What I'm missing.... by thermidor · · Score: 1

      The IMEI is printed on the back of the phone.

    3. Re:What I'm missing.... by jittles · · Score: 1

      ...is if they have a stolen iPhone how do they know whom to text to try and phish the credentials? If the phone's locked it's not like they have access to the owner's information, nor to the IMEI. What am I missing?

      If you do a factory reset of the device it'll try and force you to log into the iCloud account that has locked the device before you activate it. It's been a while since I've done this, but if I remember correctly, I think it actually puts up the email address and just asks for the password.

  5. Stories about people identifying cyber criminals by Anonymous Coward · · Score: 0

    Stories about people identifying cyber criminals just don't interest me anymore. If I start to see some with a conclusion along the lines of "we traveled to their location with an armed team and, after the culprits initially opened fire, a brief gun battle ensued leaving all the criminals dead with no other casualties", then I'd be happy.

    I really don't care if they're poor or foreign or "just trying to make a living" under some bigger criminal organization.

  6. You see?! by jennatalia · · Score: 1, Informative

    This is why you don't buy an iPhone.