Update: Shortly after publishing this blog, we noticed that Safari was now showing the site as a phish:
Much information from our private and work related lives is stored in our smart phones. Losing a device or getting it stolen can be disastrous, way beyond the monetary loss.
Apple has a nifty feature which allows to remotely erase and lock your phone if you ever faced that problem and wanted to make sure your personal information would not fall into the wrong hands. At the same time, this renders the device useless for those not in possession of your ID and password.
"Find My iPhone includes a feature called Activation Lock that is designed to prevent anyone else from using your iPhone, iPad, or iPod touch if it's ever lost or stolen. Activation Lock is enabled automatically when you turn on Find My iPhone on a device using iOS 7 or later." Excerpt from Apple's support website.
This is an inconvenience for thieves who may want to resell those stolen phones on the black market, but crooks never lack imagination and seem to have found a way to circumvent this protection.
In a forum thread on popular site MacRumors, a user claimed that after her iPhone was stolen, she proceeded to wipe it and put it in Lost Mode, to prevent anyone from using it. Shortly after, she received a message letting her know the phone had been found but that she needed to go to a website and verify her Apple ID first.
The site was an almost exact replica of Apple's official iCloud.com and loaded fine in Safari (no security/phishing warning):
The trick is clever and not many people would suspect this is a fraudulent website. Add to this the euphoria of knowing your precious phone was allegedly found, and proceeding to enter your Apple ID and password seems like a no brainer.
Sadly, the website is a fake and the information entered in it is directly relayed to the crooks who stole your phone.
- Domain name: find.my-iphone.help
- Created on: 2015-12-10
- Registrar: Xin Net Technology Corporation
- Country: China
There were several other domains residing on the same server (188.8.131.52):
This attack is quite elaborate and there may be more to it than what we see on the surface while there is still some mystery around the operator's identity and the iPhone thieves. It's doubtful this was only used for a single attack, begging the question of how many more people lost or had their phone stolen and were redirected to this page?
Users should be particularly careful of schemes that leverage the emotions involved with the theft or loss of their devices. Online crooks have no shame in abusing their victims twice to get what they want.
Hat tip to Steven Eggleston for giving us the heads up on our Facebook page.