IBM X-Force Incident Response and Intelligence Services (IRIS) researchers recently went down the rabbit hole of a physical iPhone theft that was followed by a SMiShing campaign designed to unlock the phone for resale on the black market. As we looked into what was behind the phish, we found a thriving and large-scale operation of over 600 phishing domains designed to rob Apple users of their iCloud credentials.

This type of scam, which began gaining momentum in 2017, is happening in large cities, especially during major events like concerts or information security conferences. Having looked into similar cases, we learned that attackers steal phones, manage to lure users into divulging their iCloud credentials, automate unlocking the devices and complete the process by illegally reselling them on the black aftermarket of iDevices and pricey tech.

Smartphones have become one of the most personal pieces of technology humans have ever owned and used. While these devices come from a plethora of manufacturers and are available in a few different operating systems, Apple devices, especially iPhones, have often been more expensive than other similar smartphones.

Pricey tech has always been a lucrative business for thieves, allowing them to resell technology for prices close to their market value — and that’s not new. Thieves everywhere used to steal computers, then laptops and now smartphones and wearables, moving with the times. But the theft of iPhones has become a multimillion-dollar operation since it became the business of organized crime rings that steal them by the masses.

iPhishing for a Whale

Is there more than meets the eye in these attacks? Apparently, there is. IBM X-Force revealed a targeted spin that ups the ante: If the stolen phone belongs to an important enough corporate employee, say a security professional working for a tech giant, it could go for as much as $50,000, especially if the thieves can also provide the victim’s iCloud credentials in a timely manner.

To do that, the criminal has to figure out whose phone they stole, in real time, before they move on to the next person. One of the best places to do that is during cybersecurity and tech conferences, where many major companies send executives and senior staff to meet clients and interact with peers.

An iPhone Walks Into a Bar

X-Force IRIS has been receiving information from people in the security industry who had their phones stolen during the busy conference season in Las Vegas. Apparently, stealing phones when people are at a bar is a popular endeavor for the crime rings involved in this theft. Similar reports have already been blogged about by a Kaspersky employee who went through the same ordeal after her phone was stolen while at a bar in Moscow.

Stealing an Apple device can be profitable for thieves and pickpockets, which is why Apple installed a special application on the device that can help its rightful owner find it if it’s ever missing. The FindMyiPhone option has to be enabled first; the app can then report the phone’s whereabouts when it beacons a signal to the network around it. Unfortunately, not that many users enable this option, and many only look for it once their phone is already gone.

Apple also allows owners to lock their phones, remote wipe data and render them rather useless to thieves who might have gotten their hands on the device. While this feature has lowered the number of devices stolen by up to 40 percent in some parts of the U.S., it is not as intimidating to professional criminals.

Enter: iCloud SMiShing

So how do smartphone theft rings get over the phone lock hurdle? They scam the user and make them unwittingly reveal their iCloud credentials.

Within hours of stealing an iPhone, attackers run it through open-source tools that inform them whether or not the user has activated the FindMyiPhone feature. They also use the device’s unique IMEI number to get information about the exact model of the phone and proceed to send the victim a custom-tailored SMS with a link to an iCloud phishing site.

These SMS messages do not stop for at least a month, attempting to lure the victim into responding over and over. In one case we investigated, a person who had their iPhone stolen began receiving SMiShing messages just a few hours after the theft. The first malicious text message was received on August 9, 2019, and messages continued periodically until at least September 11, 2019. Note the convincing ploys used in each message, urging the legitimate owner to take action.

SMS #1 – Spear Phish
Date/Time (1): Aug. 9, 2019, 1700 UTC
Indicated Sender: Not recorded
SMS Contents: “Your lost iPhone XS Max was located today. View last known location at”

SMS #2 – Spear Phish
Date/Time (1): Aug. 22, 2019, 0202 UTC
Indicated Sender: [email protected]
SMS Contents:
  Valued Customer
  Your lost iPhone has been returned to the Apple Store. Please reply to schedule it’s return
  Apple Support. Copyright © 2019 Apple ▫ (2) Inc
  All rights reserved.

SMS #3 – Spear Phish
Date/Time (1): Aug. 24, 2019, 0212 UTC
Indicated Sender: [email protected]
SMS Contents:
  Security Alert
  Your Apple ID was used to setup ApplePay on SeaDaddy’s iPhone X.
  if this wasn’t you, reply “unauthorized”

SMS #4 – Spear Phish
Date/Time (1): Aug. 26, 2019, 2104 UTC
Indicated Sender:
SMS Contents:
  Your lost iPhone XS Max was located today.
  View last known location at

SMS #5 – Spear Phish
Date/Time (1): Sep. 8, 2019, 2204 UTC
Indicated Sender:
SMS Contents:
  Dear Customer,
  Your lost iPhone XS Max has been turned on and connected to the network at 02:04 PM PDT. To view the last available location of your iPhone XS Max follow this link:
  Apple Support ▫ (3)

SMS #6 – Spear Phish
Date/Time (1): Sep. 9, 2019, 1835 UTC
Indicated Sender:
SMS Contents:
  Dear Customer,
  Your lost iPhone XS Max has been turned on and connected to the network at 10:35 AM PDT. To view the last available location of your iPhone XS Max follow this link:
  Apple Support ▫ (3)

SMS #7 – Spear Phish
Date/Time (1): Sep. 10, 2019, 2304 UTC
Indicated Sender: +1(866) 703-7776
SMS Contents:
  Apple Alert:
  Your lost iPhone XS Max was recently located. View the location at:

SMS #8 – Spear Phish
Date/Time (1): Sep. 11, 2019, 0040 UTC
Indicated Sender: +1(866) 703-7776
SMS Contents:
  Apple Alert:
  Your lost iPhone XS Max was recently located. View the location at:

SMS #9 – Spear Phish
Date/Time (1): Sep. 11, 2019, 1751 UTC
Indicated Sender: +1(866) 703-7776
SMS Contents:
  Apple Alert:
  A message was written on your iPhone XS Max.
  View the message:

Notes:
(1) Except where exact times are given, times are estimates only.
(2), (3) In the actual SMS, this square was the Apple “apple” symbol.
(4) Short code format,

A worried and eager victim is all too likely to open this type of phish and submit their credentials to a fake site, which will enable the criminals to later take over the iCloud account and unlock that iPhone by removing it from the iDevice list on the account.

The thief who has the phone in their hands will then be able to use the phone as their own and sell it as they see fit.

Hundreds of Fake Domains

The anatomy of this scheme can look rather simple from a bird’s eye view:

Figure 1: The anatomy of the attack campaign analyzed by X-Force IRIS

Behind the scenes, however, there’s an entire web of fake iCloud domains and illegal unlocking services operated by fraudsters who help crime rings net millions of dollars a year in stolen iPhone resale.

A Vast iCloud Phishing Infrastructure

The SMiShing messages X-Force IRIS had in hand enabled us to delve deeper into their source. Beginning with the initial five domains found in those messages, we exposed additional links.

Figure 2: iCloud phishing domains sent in malicious SMS messages

Note in the image below that the purpose of the “com-” prefix in the domain names is not entirely clear at first glance. Pivoting to subdomains, however, makes it more obvious that the ambiguous name format is likely a tactic chosen to appear legitimate, to accommodate many subdomain name variations and to evade automated brand monitoring and trademark infringement detection.

Figure 3: iCloud phishing subdomains designed to evade brand abuse detection
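The naming tricks described above (an Apple brand word placed in a subdomain label, a fake “.com” boundary, and registered domains that begin with “com-”) can be checked mechanically before anyone taps a link in an SMS. The following is an added example written for this page, not code from X-Force or from the post; the allowlist of Apple domains, the minimal public-suffix table and all sample links except the defanged livemaps[.]us hostname named later in the post are constructed assumptions for an offline demo.

```python
# Added example (not from the X-Force post): flag hostnames that impersonate
# Apple/iCloud using the naming patterns the post describes.
from urllib.parse import urlsplit

# Assumption: a minimal allowlist of Apple-controlled registrable domains.
LEGIT_APPLE_DOMAINS = {"apple.com", "icloud.com"}
BRAND_TOKENS = ("apple", "icloud")

# Assumption: a tiny stand-in for the public suffix list, enough for the demo.
# A real deployment should use the full list (e.g. via a publicsuffix package).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}


def hostname_of(url: str) -> str:
    """Extract a lowercase hostname; accepts bare hostnames and defanged hxxp/[.] forms."""
    cleaned = url.strip().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in cleaned:
        cleaned = "http://" + cleaned
    host = urlsplit(cleaned).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Return the registrable part (eTLD+1) using the demo suffix table."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_hostname(url: str) -> dict:
    """Return host, registrable domain and a list of reasons it looks like an Apple lookalike."""
    host = hostname_of(url)
    base = registrable_domain(host)
    result = {"host": host, "base": base, "reasons": []}
    if base in LEGIT_APPLE_DOMAINS:
        return result  # the link really lands on Apple-controlled infrastructure
    labels = host.split(".")
    sub_labels = labels[: len(labels) - len(base.split("."))]
    # Brand word anywhere in the name while the registrable domain is not Apple's.
    if any(tok in label for label in labels for tok in BRAND_TOKENS):
        result["reasons"].append("Apple/iCloud brand token in a non-Apple domain")
    # "icloud.com.<something>": a literal "com" label inside the subdomain part.
    if "com" in sub_labels:
        result["reasons"].append("fake '.com' boundary inside the subdomain")
    # "icloud.com-<something>": the registered domain itself starts with "com-".
    if base.split(".")[0].startswith("com-"):
        result["reasons"].append("registered domain starts with 'com-' to mimic a .com boundary")
    return result


def triage(links):
    """Return (host, reasons) for every link that fails the lookalike checks."""
    flagged = []
    for link in links:
        verdict = assess_hostname(link)
        if verdict["reasons"]:
            flagged.append((verdict["host"], verdict["reasons"]))
    return flagged


# Constructed sample links; only the livemaps[.]us hostname comes from the post.
SAMPLE_LINKS = [
    "https://www.icloud.com/find",                 # legitimate
    "https://appleid.apple.com/",                  # legitimate
    "hxxps://icloud[.]com[.]livemaps[.]us/login",  # defanged hostname named in the post
    "https://icloud.com-locate.example/",          # constructed "com-" prefix pattern
    "https://apple-id.support.example/",           # constructed brand-in-subdomain pattern
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_LINKS):
        print(host, "->", "; ".join(reasons))
```

The check deliberately decides on the registrable domain rather than on the presence of the brand word, which is why `icloud.com.livemaps.us` is flagged while `www.icloud.com` is not; swapping the toy suffix table for the real public suffix list is the one change needed before using this against live SMS traffic.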

As we continued to look into the domain details of each of these phishing sites, some pivots quickly stood out, revealing a large campaign and effort almost exclusively focused on targeting Apple device users and/or Apple account holders. Using stronger pivots (e.g., registrant email addresses, SSL certificates), X-Force IRIS discovered scores of other related, fake “Apple” domains and other data points of intelligence value.

Figure 4: The current attacker registrant email and its associated (Apple-centric) phishing domains

Figure 5: Pivoting from the attacker’s registrant name to additional infrastructure, both past and present

Figure 6: Attacker’s registrant email addresses point to additional Apple-themed phishing domains

Figure 7: Additional pivoting identifies new fake Apple phishing infrastructure

The next line of pivoting revealed something that goes beyond fake Apple domains: what appears to be a malicious nameserver (DNS) and an illegal mobile phone unlocking service. The likely malicious DNS server is not only the nameserver for one of the original five SMiShing domains, but its DNS SOA email address is also shared by more than one domain.

Pivoting from that nameserver led us to 67 additional malicious “Apple” domains, some of which were not classified as malicious at the time of the investigation.

Figure 8: Potentially malicious DNS reveals 67 additional Apple phishing sites

A Linked Phone Unlocking Service Emerges

We observed different characteristics among the original SMiShing domains used to send SMS messages to the victim whose phone was stolen. One of the domains used an SSL certificate whose subject contained the name of a different, central domain. That same certificate was used by 116 additional domains, nearly all of which are fake Apple domains, the exception being the domain named in the certificate subject.

Figure 9: One domain’s certificate leads to 166 additional Apple phishing domains

That central domain turned out to be an illegal service that unlocks stolen phones. WHOIS information showed location data that ambiguously purports to hail from two places: India and Bangladesh.

The WHOIS data also hints at an operational security mistake. For example, some of the recently registered malicious domains featured generic Indian addresses in all the address fields except the country field, which showed “AT” (Austria) instead of “IN” (India).

Figure 10: WHOIS data from the same registrant
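The expansion from five seed domains to hundreds, as described in the preceding sections, is a graph walk over shared infrastructure attributes: registrant email, TLS certificate, nameserver and SOA contact. The following is an added example written for this page, not X-Force's own tooling; every domain, email address, certificate label and nameserver in the records below is constructed (reserved .example names) to show the mechanics, and the "weak value" list that keeps shared public resolvers from linking unrelated sites is an assumption a real analyst would tune.

```python
# Added example (not from the X-Force post): expand a seed set of phishing
# domains through shared infrastructure pivots, as the post's investigation did.
from collections import deque

PIVOT_FIELDS = ("registrant_email", "cert_sha256", "nameserver", "soa_email")


def rec(email, cert, ns, soa):
    """Shape one constructed enrichment record (WHOIS + cert + DNS lookup result)."""
    return {"registrant_email": email, "cert_sha256": cert,
            "nameserver": ns, "soa_email": soa}


# Constructed records; none are real observations.
RECORDS = {
    "com-findlocation.example": rec("reg-a@mail.example", "CERT-A",
                                    "ns1.unlock-dns.example", "hostmaster.unlock-dns.example"),
    "icloud-locate.example":    rec("reg-a@mail.example", "CERT-B",
                                    "ns1.public-dns.example", "hostmaster.public-dns.example"),
    "appleid-verify.example":   rec("reg-b@mail.example", "CERT-A",
                                    "ns1.public-dns.example", "hostmaster.public-dns.example"),
    "unlock-service.example":   rec("reg-c@mail.example", "CERT-A",
                                    "ns1.unlock-dns.example", "hostmaster.unlock-dns.example"),
    "findmy-device.example":    rec("reg-d@mail.example", "CERT-C",
                                    "ns1.unlock-dns.example", "hostmaster.unlock-dns.example"),
    "unrelated-shop.example":   rec("shop@mail.example", "CERT-Z",
                                    "ns1.public-dns.example", "hostmaster.public-dns.example"),
}

# Assumption: attributes too common to be meaningful pivots (shared hosting, public DNS).
WEAK_VALUES = {"ns1.public-dns.example", "hostmaster.public-dns.example"}


def build_index(records):
    """Invert the records: (field, value) -> set of domains carrying that value."""
    index = {}
    for domain, attrs in records.items():
        for field in PIVOT_FIELDS:
            value = attrs.get(field)
            if value and value not in WEAK_VALUES:
                index.setdefault((field, value), set()).add(domain)
    return index


def expand(seeds, records, max_hops=3):
    """Breadth-first expansion from seed domains over shared strong pivots.

    Returns {domain: (hops_from_seed, pivot_that_linked_it)}; seeds carry (0, None).
    """
    index = build_index(records)
    found = {s: (0, None) for s in seeds if s in records}
    queue = deque(found)
    while queue:
        domain = queue.popleft()
        hops, _ = found[domain]
        if hops >= max_hops:
            continue
        for field in PIVOT_FIELDS:          # fixed order keeps the linking pivot deterministic
            value = records[domain].get(field)
            for linked in index.get((field, value), ()):
                if linked not in found:
                    found[linked] = (hops + 1, f"{field}={value}")
                    queue.append(linked)
    return found


if __name__ == "__main__":
    for domain, (hops, pivot) in sorted(expand({"com-findlocation.example"}, RECORDS).items()):
        print(f"{domain:28} hop {hops}  via {pivot}")
```

Recording which pivot linked each domain matters as much as the cluster itself: a registrant email or certificate is strong evidence of common control, whereas a nameserver shared by thousands of customers is not, and the `WEAK_VALUES` filter is where that judgement is encoded.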

A closer look into the A1unlocker service indicates a new element: in addition to stealing iPhones and SMiShing Apple customers, the operation unlocks Apple mobile devices and possibly other mobile device brands. For example, X-Force IRIS found cached web pages for the alleged A1unlocker iPhone unlocking service. Those pages list a U.K. contact phone number and advertise the service as a way to remotely unlock phones.

Figure 11: The domain home page

Pivoting from an SSL certificate for one of the original Apple SMiShing domains, we found 116 other fake Apple SMiShing domains. One of these malicious Apple imposter domains, icloud[.]com[.]livemaps[.]us, hosted the A1unlocker website.

Searching further, one quickly sees a multitude of other malicious Apple domains that redirect to the legitimate Apple domain. This indicates that the malicious Apple phishing domains redirect victims to the legitimate domain after login credentials are entered, a common attacker tactic.

Figure 12:[.us] hosts the unlocking service of A1unlocker

More About A1unlocker

Historical registrant data for the A1unlocker domain shows it is registered to the name Safayat Hossain, using the email [email protected]. Searching that email address led to an old 2009 post on a forum called GSM-Forum. A user called “safayat” (listed location: Bangladesh) requested an MEP Server account from a user named “FuriouSTeaM.”

The post also mentioned “FuriousGold.” Having searched that term, X-Force IRIS found FuriousGold is advertised online as a mobile phone solution that can supposedly “unlock, flash, and repair over 700 mobile phone models.”

Figure 13: Forum post likely authored by the registrant of the A1unlocker domain

iPhone Owners Be Warned

The investigation into this vast web of iCloud phishing domains helped our team understand the scope of these types of operations and the parties that may take part in operating them.

This scam applies to individuals who purchase iDevices as well as companies that issue them to employees. Most significant is the targeted nature of some attacks, especially those in which the thief physically engages the target before stealing the phone to learn who the owner is, what company they work for and what their role might be. That insight lets the thief assess the potential value not just of the phone, but of the data on the stolen device and the access it might provide.

Some tips for professionals who have had their phones stolen during an event or night out include the following:

  • If your device is company-issued, report it to your security team immediately after the theft.
  • Use multifactor authentication (MFA) on all your devices and accounts.
  • Set up a long lock-screen code (8 digits) or use a biometric unlock.
  • Turn off the notification options on the lock screen.
  • Enable FindMyiPhone on the device.
  • Keep your device and apps updated.
  • Expect to be phished after the phone is stolen. If you receive messages, examine them thoroughly before ever considering responding.
  • If you reach a supposed Apple/iCloud domain, check that it’s the real domain or type the correct domain into your browser and only enter your credentials there. It helps to have a password manager.

Indicators of Compromise (IoCs)

Get the complete list of IoCs for this investigation on X-Force Exchange.
