Phishers and iPhone Thieves Rolling Out Multimillion-Dollar Operations

April 9, 2020
| |
9 min read

IBM X-Force Incident Response and Intelligence Services (IRIS) researchers recently went down the rabbit hole of a physical iPhone theft that was followed by a SMiShing campaign designed to unlock the phone for resale on the black market. As we looked into what was behind the phish, we found a thriving and large-scale operation of over 600 phishing domains designed to rob Apple users of their iCloud credentials.

This type of scam, which began gaining momentum in 2017, is happening in large cities, especially during major events like concerts or information security conferences. Having looked into similar cases, we learned that attackers steal phones, manage to lure users into divulging their iCloud credentials, automate unlocking the devices and complete the process by illegally reselling them on the black aftermarket of iDevices and pricey tech.

Smartphones have become one of the most personal pieces of technology humans have ever owned and used. While these devices come from a plethora of manufacturers and are available in a few different operating systems, Apple devices, especially iPhones, have often been more expensive than other similar smartphones.

Pricey tech has always been a lucrative business for thieves, allowing them to resell technology for prices close to their market value — and that’s not new. Thieves everywhere used to steal computers, then laptops and now smartphones and wearables, moving with the times. But the theft of iPhones has become a multimillion-dollar operation since it became the business of organized crime rings that steal them by the masses.

iPhishing for a Whale

Is there more than meets the eye in these attacks? Apparently, there is. IBM X-Force revealed a targeted spin that ups the ante: If the stolen phone belongs to an important enough corporate employee, say a security professional working for a tech giant, it could go for as much as $50,000, especially if the thieves can also provide the victim’s iCloud credentials in a timely manner.

To do that, the criminal has to figure out whose phone they stole, in real time, before they move on to the next person. One of the best places to do that is during cybersecurity and tech conferences, where many major companies send executives and senior staff to meet clients and interact with peers.

An iPhone Walks Into a Bar

X-Force IRIS has been receiving information from people in the security industry who had their phones stolen during the busy conference season in Las Vegas. Apparently, stealing phones when people are at a bar is a popular endeavor for the crime rings involved in this theft. Similar reports have already been blogged about by a Kaspersky employee who went through the same ordeal after her phone was stolen while at a bar in Moscow.

Stealing an Apple device can be profitable for thieves and pick-pockets, which is why Apple installed a special application on the device that can help its rightful owner find it if it’s ever missing. The FindMyiPhone option has to be enabled, and then the app can locate the phone’s whereabouts when it beacons a signal from the network around it. Unfortunately, not that many users enable this option and only look it up once their phone is already gone.

Apple also allows owners to lock their phones, remote wipe data and render them rather useless to thieves who might have gotten their hands on the device. While this feature has lowered the number of devices stolen by up to 40 percent in some parts of the U.S., it is not as intimidating to professional criminals.

Enter: iCloud SMiShing

So how do smartphone theft rings get over the phone lock hurdle? They scam the user and make them unwittingly reveal their iCloud credentials.

Within hours of stealing an iPhone, attackers run it through open-source tools that inform them whether or not the user has activated the FindMyiPhone feature. They also use the device’s unique IMEI number to get information about the exact model of the phone and proceed to send the victim a custom-tailored SMS with a link to an iCloud phishing site.

These SMS messages are not going to stop for at least a month, attempting to lure the victim into responding over and over. In one case we investigated, a person who had their iPhone stolen began receiving SMiShing messages just a few hours after the theft. The first malicious text message was received on August 9, 2019 and continued periodically until at least September 11, 2019. Note the convincing ploys being sent in each message, urging the legitimate owner to take action.

Date/Time 1 Indicated Sender SMS Contents
Aug. 9, 2019
1700 UTC
SMS #1 – Spear Phish

Indicated Sender: Not recorded

FindMyiPhone

“Your lost iPhone XS Max was located today. View last known location at https://icloud.com.map-live.us/?AppID=2824”
Apple

Aug. 22, 2019
0202 UTC
SMS #2 – Spear Phish

Indicated Sender:
[email protected]

Valued Customer
Your lost iPhone has been returned to the Apple Store. Please reply to schedule it’s return
Apple Support.Copyright © 2019 Apple ▫2Inc
All rights reserved.
Aug. 24, 2019
0212 UTC
SMS #3 – Spear Phish

Indicated Sender:
[email protected]

Security Alert

Apple
Your Apple ID was used to setup ApplePay on SeaDaddy’s iPhone X.
if this wasn’t you, reply “unauthorized”

Aug. 26, 2019
2104 UTC
SMS #4 – Spear Phish

Indicated Sender:
844-444

FindMyiPhone

Your lost iPhone XS Max was located today.
View last known location at
https://icloud.com-track.us/?AppID=2824

Sep. 8, 2019
2204 UTC
SMS #5 – Spear Phish

Indicated Sender:
525-48

Dear Customer,
Your lost iPhone XS Max has been turned on and connected to the network at 02:04 PM PDT. To view the last available location of your iPhone XS Max follow this link:
www.appIeid.net/u98f6h
Sincerely,
Apple Support ▫3
Sep. 9, 2019
1835 UTC
SMS #6 – Spear Phish

Indicated Sender:
525-48

Dear Customer,
Your lost iPhone XS Max has been turned on and connected to the network at 10:35 AM PDT. To view the last available location of your iPhone XS Max follow this link:
www.appIeid.net/u98f6h
Sincerely,
Apple Support ▫3
Sep. 10, 2019
2304 UTC
SMS #7 – Spear Phish

Indicated Sender:
+1(866) 703-7776

Apple Alert:
Your lost iPhone XS Max was recently located. View the location at:
https://icloud.com.rl1.live/T2837
Sep. 11, 2019
0040 UTC
SMS #8 – Spear Phish

Indicated Sender:
+1(866) 703-7776

Apple Alert:
Your lost iPhone XS Max was recently located. View the location at:
https://icloud.com.rl1.live/T2837
Sep. 11, 2019
1751 UTC
SMS #9 – Spear Phish

Indicated Sender:
+1(866) 703-7776

Apple Alert:

A message was written on your iPhone XS Max.
View the message:
https://icloud.com.rl1.live/T2837M

1 Except where exact times are given, times are estimates only.
2, 3 In the actual SMS, this square was actually the Apple “apple” symbol.
4 Short code format, https://en.wikipedia.org/wiki/Short_code

A worried and eager victim is all too likely to open this type of phish and submit their credentials to a fake site, which will enable the criminals to later take over the iCloud account and unlock that iPhone by removing it from the iDevice list on the account.

The thief who has the phone in their hands will then be able to use the phone as their own and sell it as they see fit.

Hundreds of Fake Domains

The anatomy of this scheme can look rather simple from a bird’s eye view:

Figure 1: The anatomy of the attack campaign analyzed by X-Force IRIS

Behind the scenes, however, there’s an entire web of fake iCloud domains and illegal unlocking services operated by fraudsters who help crime rings net millions of dollars a year in stolen iPhone resale.

A Vast iCloud Phishing Infrastructure

The SMiShing messages X-Force IRIS had in hand enabled us to delve deeper into their source. Beginning with the initial five domains we found in those messages, additional links were exposed.

Figure 2: iCloud phishing domains sent in malicious SMS messages

Note in the image below that the purpose of the domain name “com-” prefix (e.g. com-track.us) is not entirely clear. However, if one pivots to subdomains, it is more obvious that the ambiguous name format is likely a tactic chosen to appear legitimate, be more applicable with many subdomain name variations and evade automated brand monitoring/trademark infringement detection.

Figure 3: iCloud phishing subdomains designed to evade brand abuse detection

As we continued to look into the domain details of each of these phishing sites, some pivots quickly stood out, as a large campaign and effort, almost exclusively focused on targeting Apple device users and/or Apple account holders. Using stronger pivots (e.g., registrant email addresses, SSL certificates), X-Force IRIS discovered scores of other related, fake “Apple” domains and other data points of intelligence value.

Figure 4: The current attacker registrant email and its associated (Apple-centric) phishing domains

Figure 5: Pivoting from the attacker’s registrant name to additional infrastructure, both past and present

Figure 6: Attacker’s registrant email addresses point to additional Apple-themed phishing domains

Figure 7: Additional pivoting identifies new fake Apple phishing infrastructure

The next line of pivoting revealed something that goes beyond fake Apple domains. What we see is likely a malicious Nameserver (DNS) and an illegal mobile phone unlocking service. The likely malicious DNS server, welcomewebname.com, is not only the nameserver for one of the original five SMiShing domains (map-live.us), but a DNS SOA email address is common to more than one domain.

Pivoting from that nameserver led us to 67 additional malicious “Apple” domains, some of which were not classified as malicious at the time of the investigation.

Figure 8: Potentially malicious DNS reveals 67 additional Apple phishing sites

A Linked Phone Unlocking Service Emerges

We observed different characteristics from the original SMiShing domains that sent SMS messages to the victim whose phone was stolen. One of the domains, map-live.us, used an SSL certificate whose subject contained the string a1unlocker.com. That same certificate was used by 116 additional domains, of which nearly all are fake Apple domains except for the initial one, a1unlocker.com.

Figure 9: One domain’s certificate leads to 166 additional Apple phishing domains

That central domain, a1unlocker.com, turned out to be an illegal service that unlocks stolen phones. WHOIS information showed location data that ambiguously purports to hail from two places: India and Bangladesh.

The WHOIS data also hints of an operational security mistake. For example, some of the recently registered, malicious domains also featured generic Indian addresses for all the address fields except for the country field, which instead of “IN” (India) showed “AT” (Austria).

Figure 10: WHOIS data from the same registrant

A closer look into the A1unlock service indicates a new element. In addition to stealing iPhones and SMiShing Apple customers, it unlocks Apple mobile devices and possibly other mobile device brands. For example, X-Force IRIS found a cached web page for the alleged A1unlocker iPhone unlocking service. Those pages list a U.K. contact phone number, advertising the service as a way to remotely unlock phones.

Figure 11: The a1unlocker.com domain home page

Pivoting from an SSL certificate for one of the original Apple SMiShing domains, we found 116 other fake Apple SMiShing domains. One of these malicious Apple imposter domains, icloud[.]com[.]livemaps[.]us (107.182.225.93), hosted the A1unlocker website.

Searching Urlscan.io, one quickly sees a multitude of other malicious Apple domains that redirect to the legitimate Apple domain, apple.com. This indicates the malicious Apple phishing domains redirect victims to the legitimate domain after login credentials are entered, a common attacker tactic.

Figure 12: www.icloud.com.livemaps[.us] hosts the unlocking service of A1unlocker

More About A1unlocker

Historical registrant data for a1unlocker.com shows the domain is registered to the name Safayat Hossain, using the email [email protected]. Searching that email address led to an old 2009 post from a forum called GSM-Forum (GSMhosting.com). A user called “safayat” (listed location: Bangladesh) requested an MEP Server account from a user named “FuriouSTeaM.”

The post also mentioned “FuriousGold.” Having searched that term, X-Force IRIS found FuriousGold is advertised online as a mobile phone solution that can supposedly “unlock, flash, and repair over 700 mobile phone models.”

Figure 13: Forum post likely authored by the registrant of the A1unlocker domain

iPhone Owners Be Warned

The investigation into this vast web of iCloud phishing domains helped our team understand the scope of these types of operations and the parties that may take part in operating them.

This scam applies to individuals who purchase iDevices as well as companies that issue them to employees. Most significant is the targeted nature of some attacks, especially those occurring when the thief stealing the phone physically attempts to engage the target to gain insight into who the owner is, what company they work for and what their role might be in order to assess the potential value of not just the phone, but also the data on the stolen device and access it might provide.

Some tips for professionals who have had their phones stolen during an event or night out include the following:

  • If your device is company-issued, report it to your security team immediately after the theft.
  • Use multifactor authentication (MFA) on all your devices and accounts.
  • Set up a long lock-screen code (8 digits) or use a biometric unlock.
  • Turn off the notification options on the lock screen.
  • Enable FindMyiPhone on the device.
  • Keep your device and apps updated.
  • Expect to be phished after the phone is stolen. If you receive messages, examine them thoroughly before ever considering responding.
  • If you reach a supposed Apple/iCloud domain, check that it’s the real domain or type the correct domain into your browser and only enter your credentials there. It helps to have a password manager.

Indicators of Compromise (IoCs)

Get the complete list of IoCs for this investigation on X-Force Exchange.

Christopher Kiefer
Threat Hunt and Discovery Analyst

Christoper Kiefer is a threat hunt and intelligence analyst for the IBM X-Force IRIS team. Christopher has 7 years of information security experience (IS). C...
read more

Banner ad leading to the Cost of a Data Breach Report for 2020.
Banner ad leading to the Cost of a Data Breach Report for 2020.
Your browser doesn’t support HTML5 audio
Press play to continue listening
00:00 00:00