Cyber crooks are targeting iPhone users who have had their phones stolen with a new scam designed to steal iCloud login details.
As if having your iPhone stolen wasn’t bad enough, the hackers are tricking phone theft victims into giving up their Apple ID credentials, giving them access to their personal data.
Many Apple users have reported being tricked by the hack online, including one unlucky man Joonas Kiminki, who detailed just how convincing the phishing scam can be over at Hackernoon.
After having his iPhone stolen out of his car while on holiday, Kiminki did the obvious thing: used his wife’s phone to call his own. But, as expected, it was turned off.
He then marked the phone as “lost” in the Find my iPhone app, which informs users if a phone has been found. He entered a text to display on the phone in case it was ever turned on again, and clicked all the “send me email when the phone returns online” checkboxes.
“Nobody could access my data on the phone and since it’s connected to my iCloud account, others can’t reactivate the phone for themselves,” he said.
“I later bought a new phone, but then yesterday – eleven days after the phone was stolen – the most interesting thing happened: I got an SMS and an email notifying that the phone was found!”
The SMS and email both contained a link for Kiminki to click, to show him the location of his lost iPhone. The link brought up an authentic-looking iCloud login screen.
“I of course rushed to the address on the link and then started typing my credentials, but then suddenly stopped. Something was just not right,” he said
He explained that – because he works for a website building company – he was able to spot the telltale signs of a hack that the average person may not.
“I’m pretty sure many people would have just punched in their Apple ID and password and only then wondered why the login doesn’t work,” he added.
Because he was able to spot that the email and SMS weren’t authentic, he managed to escape having his credentials stolen too.
So what were the telltale factors of this so called phishing attack? Firstly, the link took Kiminki to a website with the address “show-iphone-location.com” – not very official sounding. It also wasn’t encrypted like a genuine Apple page would be.
Digging deeper, Kiminki noticed that the email was not from Apple, either, but from [email protected], which is not registered to Apple, but a company in Nassau.
“You can’t activate an iPhone, or any iOS device for that matter, as long as it’s connected to someone’s iCloud account,” Kiminki said
“However, when you steal a phone, you can perfect the crime by stealing the poor b******’s identity as well.”
The hackers then just need to log on to Find my iPhone, decouple the account from the device, and boom – they have an unlocked phone.
This isn’t a completely new idea – there have been several cases of this scam being used against users. A similar attack was posted by a user on Reddit back in April .
Security expert Graham Cluley said that hackers are able to exploit the Find my Phone app because, unlike iCloud, the feature does not use two-step verification to double check those accessing the service are genuine.
Commenting on the same hack used on a computer science graduate student at the University of Waterloo , Cluley said: “If there had been another login step, such as a secret security question, the attacker would not have been able to have almost wiped his devices.
“Users should protect their Apple IDs as well as all of their web accounts with a strong password and with two-step verification, if and when available.”
The security industry is hoping Apple will introduce two-step verification for the Find My iPhone feature now that several of these phishing attacks have been reported online.
Despite the very locked-down nature of its software, the tech giant is finally starting to realise it is not immune to cyber security vulnerabilities.
Last week, the firm agreed to give security researchers access to its software for the first time.
The company is now offering $200,000 (£152,000) bug bounties – an incentive programme which offers rewards for discovering and submitting security holes and weaknesses.
Fellow tech firms such as Google and Microsoft have been offering such rewards to bolster their level of security online for some time now. Although, perhaps to make up for lost time, Apple’s lump sum seems to be the highest corporate bounty ever.