Stolen iPhone & phishing attempt - an interesting story

A quick story of stolen iPhone and subsequent phishing attempt.

Background.

My iPhone 11 Pro Max was stolen a week ago (on Sat.26.Sep.2020). The thief walked into the empty (due to Covid) small London independent fast food restaurant I was in while grabbing some food. He put a map in my face babbling away in non-English, while quickly slipping my iPhone off my table and storming out and vanishing onto a busy street. As a reasonably streetwise Londoner, I wouldn’t typically have been taken in, but these thieves are cunning!

Obviously, I immediately reported the theft to the Police, my carrier (my SIM card has a PIN set, so it couldn’t be used by the thief), and used Apple’s Find My app on my iPad Pro to set the iPhone to erase.

The thief clearly turned it off immediately, as unfortunately, so far the device has seemingly been turned on only once, for a very brief time, since being stolen (on the other side of the city), thus the Find My device erase function still shows as Pending, and at the moment looks highly unlikely to ever be completed. I will therefore remove the stolen iPhone from my account after I buy a replacement in a couple of weeks. (Silver lining: home insurance paid out £1400 of the £1500, and as the iPhone 12 series arrives in 2-3 weeks, I’ll simply wait to get a new one of those!)


Phishing SMS attempt (linking to fake Apple website).

This is the weird thing…
Today, exactly a week later (on Sat.03.Oct.2020), another family member on my Apple iCloud Family plan received an SMS (not an iMessage) from a sender with no phone number, featuring the following text+URL (note ‘Mike Smith’ is not my actual name for security reasons!):

Dear Mike Smith,

Your lost iPhone 11 Pro Max is online and connected to the internet.

Track live location: http://maps-findmy.com/fmis/474K

Note that this fake Find My URL only works at the full URL directory address (http://maps-findmy.com/fmis/474K), but shows a 404 page at the top level domain (http://maps-findmy.com). You can open these URLs; it does nothing malicious directly (obviously don’t enter your A-ID details!).


Questions that arise.

Given the text in the SMS says my stolen device was “online and connected to the internet”, as a user, I’m left wondering the following security questions:

  1. How did the thieves get my family member’s contact info, in order to send her a phishing SMS about my stolen device?

  2. How did the thieves get my name, as the SMS clearly has my full name on it (as you can see above)?


Anyway, as advised after phoning AppleCare, I emailed their phishing report address (reportphishing@apple.com), attaching two screenshots (the family member’s SMS message as received on her iPhone, and my iPad Pro’s screen showing the fake Find My phishing website).


Update:

The fake URL (http://maps-findmy.com/fmis/474K) seems to have been redirected to iCloud.com after I emailed Apple, AFAICS.

How they managed to do that so quickly is anyone’s guess.

Likely using the emergency contact feature (press the power button 5 times, slide “Medical ID”).


Maybe by asking Siri “Whose iPhone is this?”


Simpler than that:

They could hold down the side button to turn on the phone and, when the keypad came up for entering a passcode, hit the ‘Emergency’ button on the lower left and then the ‘Medical ID’ button. If you’ve filled out the contact info completely, a phone number and relationship will show up for each entry.


@ron + @schwartz + @aforkosh

Thanks. Could be, but if he did either of those he’d surely have had to turn on the phone again, wouldn’t he, revealing its location?

I suppose he could have done so immediately after stealing it, before then turning it off.

But are opportunist thieves really that organised (I guess some are careerist!)? It all seems pretty pre-planned: finding out the phone owner’s name via Siri AND doing the emergency contact thing to get a contact, then using it one week later to send a phishing SMS with a link to a high-end Find My copycat site.

Truly unbelievable, if true. :frowning:

EDIT:
While obviously very helpful, this emergency contact thing is also a minor security flaw at the same time. The only thing I can think of is to keep it enabled (for the good reasons), but also be aware of phishing attempts later on that make use of it.

“Hey Siri, turn on airplane mode” - or pull down control center and turn airplane mode on as soon as the phone is powered on. (I have both Siri and control center turned off when the phone is locked myself, but those are not default settings.)

If you have a physical SIM in the phone, the thief could have pulled the SIM card before powering on as well.


@ddmiller
Yes, true. Just so many ways Find My isn’t going to work. :roll_eyes:

It’s so bloody stupid now for thieves to steal – why even flipping bother! It’s so unlikely they’ll get into iPhones to get them working again to use or presumably sell.

So AFAICT all they can do is either sell it on to an unsuspecting buyer as a ‘working’ phone, or strip/sell for parts at minimal return compared to a working device value.

Such a complete waste of time.

Unfortunately they are, and the information that is on your phone is usually a lot more valuable than the phone itself. And thieves are getting better and better at homographs:

https://blogs.akamai.com/sitr/2020/05/watch-your-step-the-prevalence-of-idn-homograph-attacks.html

As Ron, Dana and Alan mentioned, it’s easy enough to find the name of a phone’s owner. A quick online search will turn up a lot of sites like Spokeo, CheckPeople and Public Records Directory that quickly display info about almost everyone, often including relatives. Social media is another excellent potential source of contacts and information. There are also sites that will display the name and address of the owner of a particular phone number. I have managed to get my name removed from a few of them, but most of these sites will not cooperate. And more and more of them keep popping up, unfortunately.


@MMTalker
Interesting. The URL spoofing character thing I know about. Although in my case, the URL of the site I was being taken to was just a made-up URL with the word “findmy” chucked inside it (maps-findmy.com/fmis/474K – nothing related to any Apple/iCloud domain, lol!).

The online search sites you mention are all apparently US-citizen based – and there are likely more of them due to the US’s more open directories and data collection laws.
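The two posts above describe the two shapes a phishing link takes: a domain that is simply unrelated to Apple but has a brand word stuffed into it (maps-findmy.com), and an IDN homograph that looks like the real domain (the Akamai link). The following is an added example, not code from this thread or from Apple, showing how a practitioner might triage such URLs before anyone taps them. It assumes a small allowlist of Apple domains (icloud.com, apple.com), a short list of brand keywords, and a tiny subset of the Unicode confusables table; all three are assumptions chosen for illustration, and the sample URLs other than the one from the SMS are constructed.

```python
"""Triage of phishing URLs like the one in the thread.

Added example, not the forum's or Apple's code. Three heuristics:
  1. Is the host under a domain Apple actually uses?  (allowlist is an
     assumption; a real tool would maintain a fuller list)
  2. Does a non-Apple host contain an Apple brand keyword ("findmy", ...)?
     This is the maps-findmy.com case from the SMS.
  3. Is the host an IDN (punycode 'xn--' label or raw non-ASCII) whose
     look-alike "skeleton" collapses onto an allowlisted domain?  This is
     the homograph case.
"""
import unicodedata
from urllib.parse import urlsplit

LEGIT_DOMAINS = ("icloud.com", "apple.com")        # assumed allowlist
BRAND_KEYWORDS = ("findmy", "icloud", "apple")     # assumed keyword list

# Tiny hand-picked subset of Unicode confusables: Cyrillic look-alikes -> Latin.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l",
    "\u0456": "i", "\u0458": "j", "\u04bb": "h", "\u0501": "d",
}


def unicode_host(host):
    """Return the Unicode form of a hostname (decodes punycode labels)."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed punycode; use as-is


def skeleton(host):
    """Map look-alike characters to ASCII so homographs collapse together."""
    decomposed = unicodedata.normalize("NFKD", unicode_host(host))
    out = []
    for ch in decomposed:
        if unicodedata.combining(ch):
            continue  # drop accents, e.g. 'á' -> 'a'
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def under_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Return (verdict, reasons); verdict is 'legit', 'suspicious' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious", ["no hostname"]
    if any(under_domain(host, d) for d in LEGIT_DOMAINS):
        return "legit", []

    reasons = []
    # Brand keyword anywhere in a host Apple does not own (the SMS link).
    for kw in BRAND_KEYWORDS:
        if kw in host:
            reasons.append(f"brand keyword '{kw}' in non-Apple host")
            break
    # Internationalised hostnames deserve a second look on their own.
    labels = host.split(".")
    if not host.isascii() or any(lab.startswith("xn--") for lab in labels):
        reasons.append("internationalised hostname")
    # Homograph: the de-confused skeleton lands on a legitimate domain.
    sk = skeleton(host)
    for d in LEGIT_DOMAINS:
        if sk != host and under_domain(sk, d):
            reasons.append(f"homograph of {d} ({unicode_host(host)!r})")
    # "icloud.com.evil.net": real domain used as a leading label.
    for d in LEGIT_DOMAINS:
        if host.startswith(d + "."):
            reasons.append(f"'{d}' used as a subdomain prefix")
    return ("suspicious" if reasons else "unknown"), reasons


# Constructed sample set; only the first URL is the one from the thread.
SAMPLES = [
    "http://maps-findmy.com/fmis/474K",
    "https://www.icloud.com/find",
    "https://icloud.com.example.net/find",
    "http://\u0430pple.com/",                                # Cyrillic 'а'
    "http://" + "\u0430pple.com".encode("idna").decode("ascii") + "/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        verdict, why = classify(u)
        print(f"{verdict:10} {u}  {'; '.join(why)}")
```

The skeleton step is what a browser's IDN display policy does in a more complete form; the confusables table here is deliberately tiny, so a real deployment would load the full Unicode confusables data rather than this subset.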

Genealogy sites are also a good source for crooks. A friend got what looked like a message from a bank that claimed she was a beneficiary of a deceased relative. It’s a good thing she checked the real bank.

Ancestry (.com) doesn’t release any info about living relatives in your family trees. I’d hope others did the same? But most of their info comes from public records so it’s likely the family info can be found online, if not on the genealogical sites themselves.

Neither my friend, her family nor I know for sure where the information about the dead relative was found, but there were no obits in the news or online. The last name of the family is unusual, and other family members had been active on genealogy sites. So identifying a dead relative and finding other family members online is not very difficult.

Same here. It’s something I suggest to all my friends and family. For exactly this reason.

Sorry to hear about what happened to you, @jimthing. That really sucks. I hope at least you’ll enjoy your new iPhone 12. :)

Thanks.

The thing is, they may have some basic details from Siri, but they cannot actually do anything with them, as we’re all locked down security-wise in our households (2FA, SIM cards locked on restart, aware of phishing, etc.). And I actually use Siri with the phone screen off to quickly check things regularly, so the convenience is worth more to me than the lesser security factor mentioned.

European GDPR laws prevent data sharing; so the open registers thing mentioned above in the US is unlikely to be a vector of concern regarding this too, AFAICT.

(I have both Siri and control center turned off when the phone is locked myself, but those are not default settings.)

How do you get Control Center to be turned off when phone is locked?

Settings / Face ID & Passcode (or Touch ID & Passcode). It will prompt for your passcode and then it is an option under “allow access when locked”. You would turn it off to disallow access.

familysearch.org also doesn’t publish information for living persons. It might be possible, however, to learn the identities of some family members via contributor profiles, and then make the connections. (I just wonder how often thieves would take the time, since there are faster ways of gathering info.)

My guess is that they probably consider how lucrative the return on investment will be.

The answer for how to get the emergency ID without the erase request going through is probably a clear Faraday bag. Best friend of the phone thief.