Lost your iPhone? Be on guard for a perfectly-timed Apple ID phishing attack

https://medium.com/@joonaski

It’s happened to me, and chances are that it’s happened to you too.

When you lose your smartphone you can feel desperate for its safe return. Not only is it often an expensive piece of hardware, but it’s the essential tool that connects you to your online life and keeps you in contact with your friends, work colleagues and family.

But perhaps most important of all – it’s the device that logs you into countless accounts, that you make purchases from, and that you may even use for online banking.

Losing a phone isn’t just an inconvenience; it can be a stepping stone to having your identity stolen.

So the good news is that modern devices like iPhones come with powerful security features that not only lock out unauthorised users, but can also help you remotely wipe the device or even (if you’re lucky) reunite you with it.

So when Joonas Kiminki lost his iPhone, he did what any sensible chap would do – he marked his device as “lost” with “Find my iPhone”, happy in the knowledge that it would prevent someone else from reactivating his iPhone and that nobody would be able to access his data.

As Kiminki describes in a blog post, a week and a half went past with no report of his iPhone being found.

And then, out of the blue, he received an email saying that it had been discovered.

[Image: the “your iPhone has been found” phishing email. Source: medium.com]

He also received an SMS message.

[Image: the accompanying phishing SMS]

Good news, right? Cause for celebration?

Well, I hope in the excitement at hearing your iPhone has been found that you wouldn’t do anything rash.

Because clicking on the link would take you to a webpage like this, asking for your Apple ID and password.

[Image: the fake iCloud login page asking for an Apple ID and password]

Despite initial appearances, that’s not the real iCloud login page.
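The tell that separates a page like this from the real one is the host the link actually points at, not the look of the page. The following checker, added here as an illustration and not part of the original article or of Kiminki’s post, takes the URLs extracted from such an email or SMS and reports whether each one lands on an Apple-controlled domain. The allowlist of two domains (apple.com and icloud.com) is an assumption for the example; Apple uses further domains, and a real deployment would maintain that list from an authoritative source. The sample URLs are constructed, and the lookalike domains in them are invented placeholders. It goes slightly beyond the article by covering the usual tricks that make a hostile link look legitimate at a glance: the real brand as a leading subdomain of another domain, the brand placed in the userinfo part before an “@”, a trailing dot, mixed case, a non-http scheme and a non-ASCII (homoglyph) host.

```python
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Assumed allowlist for this example: domains Apple uses for iCloud / Apple ID
# sign-in. Apple operates more domains than these; a real checker would keep
# the list current from an authoritative source.
LEGITIMATE_DOMAINS = {"apple.com", "icloud.com"}


def extract_host(url: str) -> Optional[str]:
    """Return the normalised hostname of an http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    # .hostname already drops the userinfo ("icloud.com@evil.example" -> evil.example),
    # the port, and lower-cases the result.
    host = parts.hostname
    if not host:
        return None
    host = host.rstrip(".")          # "icloud.com." is the same zone as "icloud.com"
    if not host.isascii():           # homoglyph hosts (e.g. Cyrillic letters) never match
        return None
    return host


def is_legitimate_login_link(url: str) -> bool:
    """True only if the link's host is an allowlisted domain or a true subdomain of one."""
    host = extract_host(url)
    if host is None:
        return False
    # "appleid.apple.com" passes; "apple.com.found-iphone.example" and
    # "evilapple.com" do not, because the match is anchored on a dot boundary.
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def triage_links(urls: Iterable[str]) -> Dict[str, bool]:
    """Map each candidate URL to whether it points at a legitimate Apple domain."""
    return {u: is_legitimate_login_link(u) for u in urls}


# Constructed sample links of the kind found in a "your iPhone was found" message.
SAMPLE_LINKS = [
    "https://appleid.apple.com/",                              # genuine
    "https://www.icloud.com/find",                             # genuine
    "http://icloud.com.found-iphone.example/login",            # brand as subdomain
    "https://icloud.com@found-iphone.example/login",           # brand in userinfo
    "https://www.ICLOUD.COM./find",                            # case + trailing dot
    "https://xn--pple-43d.com/",                               # punycode lookalike
    "javascript:alert(1)",                                     # not a web link at all
]

if __name__ == "__main__":
    for link, ok in triage_links(SAMPLE_LINKS).items():
        print(f"{'OK     ' if ok else 'SUSPECT'}  {link}")
```

Because the decision is made on the parsed hostname rather than on a substring search of the whole URL, the presence of the word “icloud” anywhere in the link carries no weight; only the registrable domain does.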

Kiminki is certain that plenty of people would have been fooled into entering their credentials, handing over their password to the criminals. After all, the timing was ideal – the scammers knew you had lost an iPhone (they had clearly “acquired” it) and chose the perfect moment to dupe you into revealing your login details:

I’m pretty sure many people would have just punched in their Apple ID and password and only then wondered why the login doesn’t work.

As far as I know, this was the first time I was targeted personally by an attempted identity theft. The scammer did very many things very right and nearly got me to give up my account details. Maybe if I’d read the email before looking at the SMS (in which the strange address was a bit more prominent), they would’ve gotten me.

What strikes me the most is that everything seemed very “right” and professional. The email and the website content looked great, my phone really was an iPhone 6 and they even got the timezone right in the email.

Well done to Kiminki for not falling for the scammers’ trap, and for warning others about how opportunist iPhone thieves are getting more sophisticated in their attempts to make the most money out of the device they have stolen from you.

And don’t forget – you should always use a strong, unique password for your Apple ID, and enable two-step verification.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

6 Comments

  • Everything seems professional except the time I think. The time is in 24 hours and a 'PM' was appended with it. This would not happen from a Tech giant like Apple for sure I guess. Just my thought :)

  • If the phone was locked & encrypted with a password or fingerprint and marked as lost, how did the scammers know how to communicate with Joonas Kiminki afterward, how did they know an alternative number to text him on or an email address to email him on?

    This suggests that someone was watching and waiting for him to lose the phone or someone he knows is not the friend he thinks they are?

    • Joonas speculates in his article that they might have got it from the emergency medical ID information you can enter into modern versions of iOS (which obviously could be of assistance to medical teams if you have been involved in, say, a bad car accident).

      Alternatively, it's easy to imagine that a scammer could get the contact information from the message you set asking for the phone's safe return when you activate it via Find my iPhone.

  • The devil is in the address bar and email headers.

    Sadly, not everyone knows (or cares) to look at these vital pieces of information.

  • Hello, I lost my iPhone 6 and when I go to search iCloud for Find My iPhone, it shows (your device is offline)