Cyren warns stolen devices spawn phishing attacks

(Image Credit: Josh Sorenson from Pexels)

Cyren warns that stolen devices can lead to further phishing attacks (registration required) as attackers double down. Once a device has been stolen, attackers contact users pretending to be Apple. The goal is to get users to “log in” to a phishing site to steal their credentials. It allows the attacker to gain control of the user’s Apple account and remove all security controls on the stolen device. This allows them to sell the device and make a healthy profit.

This is not just an isolated incident with a single attacker. During the investigation, Cyren came across an iCloud phishing website and a user offering to help for $70 per device. Cyren researchers contacted the individual pretending to need their service. When they looked at the cryptocurrency wallet details provided by the user, they identified 117 transactions worth over US $10,000.

How did Cyren get involved?

It started when security researcher Adalsteinn Jonsson and his girlfriend were travelling in Switzerland. While on a train, Jonsson’s girlfriend had her backpack stolen along with all her devices and computers. Despite reporting the theft, nothing happened, although they did track the device to Paris.

Six months later, Jonsson’s girlfriend received a text claiming to come from Apple support. The details given matched the model of the stolen iPad. There was also a link that, when clicked, appeared to show the device in the city it had been stolen in. After viewing a map, an iCloud login screen was displayed.

At this point, caution took over. Jonsson noticed there was something not right about the login screen and began to investigate. His first action was to check it with VirusTotal, but there were no alerts. A few hours later, there were three alerts for phishing. Within a day, the site was all but inaccessible. A whois search showed the domain was associated with a Russian email address.

An iCloud phishing kit

Digging deeper, Jonsson discovered, and obtained a copy of, an iCloud phishing kit. It came with several tools designed to make it easy to create phishing sites to steal user credentials. Among the tools are:

  • Find My Phone: A loading screen redirects the victim to the map before displaying the login screen.
  • iPhone Pin Code: It fools the user into thinking they are entering their PIN code into the official Apple screen.
  • Apple TV: A phishing site that displays a fake Apple TV login screen and captures user credentials.
  • Apple ID: A phishing site designed to fool victims into thinking they are logging in through an official Apple ID screen to capture their credentials.
  • Apple Support: Yet another phishing site that asks the user to sign in to their account to contact Apple Support.

An analysis of the code showed that the phishing site uses a Telegram bot to send the attacker the following data from the victim:

  • IP address
  • Browser used
  • Operating System
  • Country located

The kit also removed the associated Apple ID from the device and the connected iCloud account using the ifreeicloud API. It means the unlocked device can be reset and sold. This is all done without sending a notification to the user using a tool called SilentRemove.

According to Jonsson, “it’s surprisingly easy. You can do it in 30 seconds. Set up this site and send it to your victim.” Despite this, some attackers are outsourcing the phishing site to other attackers. They harvest the user credentials and send them back or unlock the device.

On the use of SMS, Jonsson says, “it’s more successful, often to send the text messages because we don’t have a secure email gateway or something sitting at the inbox that is scanning the URLs.”

Contacting the developer

Jonsson and the other Cyren researchers he worked with contacted the phishing kit developer using Telegram and pretending to be buyers. They were told that the cost was $70 for the phishing kit.

The developer also wanted payment through the cryptocurrency exchange Binance using p2p payments in USDT. Jonsson says that allows the developer to stay anonymous and means his wallet details are not shared. However, the developer did share his Bitcoin wallet address. That enabled Cyren to see 117 transactions with a total value of over $12,000. It suggests that some people were paying for multiple devices to be unlocked in a single payment.

Enterprise Times: What does this mean?

Device theft is increasing, with phones and tablets the prime target. What is worrying here is that the cost to free a device so it can easily be resold is just $70. The price of Apple devices, including iPhones, iPads and iPad Pros, has held up very well during the pandemic. A quick look at eBay and other marketplaces shows that a thief could expect to make at least $300 after paying for the device to be unlocked. It makes it a lucrative business.

What will worry many people is that they are doing the right things, such as setting up Apple’s Find My utility. They are also setting up multi-factor authentication. However, as Jonsson has reported, SilentRemove ignores MFA. This is something that Apple needs to address.

For now, if you lose a device and get a text message saying it is found, do not click on the links and log in. Go to another device and log in to your Apple account from there and check. That should evade the phishing site, and while the news may not be great, it won’t allow the device to be unlocked and resold.

