
Phishing works. Chronicle of the theft of an iPhone XS, followed by the theft of iCloud data



Hi, Habr! Reading about iCloud phishing in Brazil, Russia and the CIS countries is entertaining right up to the moment you yourself become a participant in such an incident.

The current scheme has not changed; here is how it works:

November 26, 22:45
Incoming call from an unfamiliar number; it is a friend, and she is in trouble. In the theater, taking advantage of the confusion in the lobby, thieves pulled a brand new, freshly bought iPhone XS out of her bag. She is in a panic: she saved up for the expensive gadget for a very long time. The stolen phone is switched off, and the SIM card has (most likely) been removed.

Without wasting time, I explain how to log in to the iCloud website and enable "Lost Mode" on the iPhone. Since her own number has not yet been restored, we enter my phone number (user Kpyto) as the contact in the Lost Mode message; that is why I can tell this story as a participant in the events.

What can be seen through iCloud? The device is turned off, and its last known location is not at the theater but a few kilometers away.

November 27, 11:56

I receive an SMS message with the following text (I have broken up the URL with spaces):

 iPhone XS   27.11.2018  11:55.     : https:// icloud. com. id-apple. info/ ?id=002.86.053   Ale 

The sender of the message is shown as the alphanumeric name "Support".

Without losing a second (oh no!), I cheerfully forward (stop!!) the text of the SMS to my friend.
Not very smart, yes. It feels like every second counts: now we will find out where the thieves are, the police will detain them hot on the trail, the pulse races. And the result?

And here I re-read the URL once more. The attentive reader needs no explanation, but I will spell it out anyway: it leads to a phishing site, a fake iCloud. It is too late to recall the forwarded message; my friend has already entered her username and password on the phishing page.

November 27, 11:58

The iPhone XS disappears from the "My Devices" section in iCloud; it can no longer be tracked. The attackers have unlinked the phone from the account by entering the "missing link", the iCloud login and password, and can now safely sell the stolen device.

November 27, 11:59

The site https:// icloud. com. id-apple. info/ begins to redirect to the official iCloud website.

Today

What did I find out? An official request to the mobile operator gave no results. An alphanumeric sender name is issued only to legal entities, and only the police can request information about who it was issued to; whether anything will come of that is unknown.

The attackers' domain id-apple. info (the "icloud. com" part of the address is merely a subdomain under it) is registered with the registrar REG.RU. A request to check the "suspicious" site has been filed with CERT-GIB; no response has been received yet.

Instead of an afterword

Note the words from which the URL and the SMS sender name are composed: "id apple icloud support". It is very difficult to find a mention of the fake site by searching for such words, even if victims publish information about the phishing somewhere. Perhaps this publication will help someone remain vigilant in the future.
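The trick in the URL above is that "icloud.com" appears on the left, but the registrable domain, the part that decides who actually owns the host, is "id-apple.info". As an added example (not code from the original post), here is a small Python check that makes this distinction explicit. The Apple domain list, the brand-word list and the tiny public-suffix table are assumptions for illustration; a real deployment should use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Registrable domains Apple actually uses for iCloud / Apple ID pages.
# Assumption for this example; maintain it from Apple's own documentation.
APPLE_DOMAINS = {"apple.com", "icloud.com"}

# Brand words phishers stuff into hostnames (assumption for this example).
BRAND_WORDS = ("apple", "icloud", "appleid", "id-apple")

# Toy public-suffix table covering only the TLDs used here. It is a constructed
# stand-in: multi-label suffixes such as "co.uk" are NOT handled, so real code
# should use the full Public Suffix List (e.g. the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "info", "ru", "net", "org"}


def registrable_domain(host):
    """Return the eTLD+1 for host using the toy suffix table ('' if unknown)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in PUBLIC_SUFFIXES:
        return ""
    return ".".join(labels[-2:])


def classify_url(url):
    """Classify a URL from an SMS as 'legitimate', 'lookalike' or 'unrelated'.

    Returns (verdict, registrable_domain). Only the registrable domain decides
    ownership: 'icloud.com.id-apple.info' belongs to whoever registered
    'id-apple.info', regardless of the labels to the left of it.
    """
    # The post (and many reports) insert spaces into URLs to defuse them;
    # strip them before parsing so the check sees the real address.
    cleaned = url.replace(" ", "")
    if "://" not in cleaned:
        cleaned = "https://" + cleaned
    host = urlsplit(cleaned).hostname or ""
    reg = registrable_domain(host)

    if reg in APPLE_DOMAINS:
        return "legitimate", reg
    # A brand word anywhere in the host while the registrable domain is not
    # Apple's is exactly the pattern of the SMS in this post.
    if any(word in host for word in BRAND_WORDS):
        return "lookalike", reg
    return "unrelated", reg


if __name__ == "__main__":
    # The defanged URL from the SMS, copied from the post.
    print(classify_url("https:// icloud. com. id-apple. info/ ?id=002.86.053"))
    print(classify_url("https://www.icloud.com/find"))
```

Run as a script it prints ("lookalike", "id-apple.info") for the SMS address and ("legitimate", "icloud.com") for the real Find My page. The only thing the classifier trusts is the registrable domain; the brand-word list exists to separate a deliberate lookalike from a merely unrelated link.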

Even if you are a technically savvy specialist who can recognize phishing with elementary logic, that does not mean you will not slip up in a moment of emotional turmoil. Forwarding the text of an SMS to a messenger takes a second, and that was my mistake.

Dumb phishing still works great. Apple does not send SMS messages saying that your device has been found. Do not save up for an expensive gadget for so long that its loss hurts this much. Be careful and do not repeat the mistakes of others!

Source: https://habr.com/ru/post/431504/