Cybercriminals have recently created multiple phishing sites in order to trick iOS device owners into providing login credentials for their iCloud accounts. The attackers appear to be focusing on users whose iPads and iPhones have been lost or stolen. It’s possible that the attackers are running this phishing operation as part of a service for iOS device thieves on underground forums.
In one particular case, a victim of iPad theft received an unsolicited message, informing him that his tablet had been found. The message then instructed him to click on a link to discover the location of his iPad.
Figure 1. Message sent to the victim of iPad theft
Because the term “i-cloud” appears in the URL sent in the fraudulent messages, the recipient may assume that the link leads to Apple’s official iCloud site. Instead, the URL redirects to a phishing site that also carries “icloud” in its address and mimics the appearance of the real iCloud login page. The presence of a brand name somewhere in a URL says nothing about who controls the site; only the domain the host actually resolves to does, and in this case that domain is not Apple’s.
Figure 2. Fake iCloud login page
Figure 3. Real iCloud login page
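The look-alike trick above (a brand string placed in a subdomain, path or hyphenated form so the address "reads" as iCloud) is easy to catch mechanically once the host is separated from the rest of the URL. The following is an added example, not code from the original article or from Norton/Symantec: it parses each URL, treats only `icloud.com` and `apple.com` (and their subdomains) as Apple's (an assumption made for this example; a real allow-list would be maintained from an authoritative source), and flags any non-Apple URL that still contains "icloud" after hyphens and underscores are stripped. The sample URLs are constructed for illustration and are not the ones observed in the campaign.

```python
import re
from urllib.parse import urlsplit

# Apex domains treated as Apple's own. Assumption for this example only.
APPLE_APEX_DOMAINS = ("icloud.com", "apple.com")

# Brand string the phishing pages lean on. Hyphens and underscores are
# stripped before matching so that "i-cloud" and "i_cloud" become "icloud".
BRAND_TOKEN = "icloud"


def hostname_of(url):
    """Return the lower-cased hostname of url, or '' if it has none.

    urlsplit drops the port and any userinfo, so a URL such as
    'https://www.icloud.com@evil.example/' yields 'evil.example': the part
    before '@' is a username, not the host, however convincing it looks.
    """
    if "://" not in url:
        url = "http://" + url  # without a scheme urlsplit treats the host as a path
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_apple_host(host):
    """True only if host is an Apple apex domain or a subdomain of one.

    The suffix check includes the leading dot, so 'notapple.com' and
    'icloud.com.example.net' are both rejected.
    """
    return any(host == apex or host.endswith("." + apex)
               for apex in APPLE_APEX_DOMAINS)


def mentions_brand(url):
    """True if the brand string appears anywhere in the URL once
    hyphens and underscores are removed (host, path or query)."""
    flattened = re.sub(r"[-_]", "", url.lower())
    return BRAND_TOKEN in flattened


def classify_url(url):
    """Classify a URL as 'apple', 'lookalike', 'other' or 'invalid'.

    'lookalike' means the host is not Apple's but the URL still trades on
    the iCloud name, which is exactly the pattern described in the article.
    """
    host = hostname_of(url)
    if not host:
        return "invalid"
    if is_apple_host(host):
        return "apple"
    if mentions_brand(url):
        return "lookalike"
    return "other"


# Constructed sample URLs for demonstration; none are real campaign indicators.
SAMPLE_URLS = [
    "https://www.icloud.com/",                        # genuine
    "https://appleid.apple.com/",                     # genuine
    "https://www.icloud.com.example.net/login",       # brand in a subdomain
    "http://find-my-i-cloud.example.org/locate?id=1", # hyphenated brand in host
    "https://example.com/i_cloud/signin",             # brand in the path
    "https://www.icloud.com@evil.example/",           # brand in userinfo
    "icloud.com.example.net/login",                   # no scheme at all
    "https://notapple.com/",                          # suffix trap: not apple.com
    "https://example.com/",                           # unrelated
]


def triage(urls):
    """Return {url: verdict} for a batch of URLs."""
    return {url: classify_url(url) for url in urls}


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:10} {url}")
```

Note what this does and does not do: it judges the link as sent, which is enough to refuse to type credentials into it, but it cannot see where a link redirects to. Resolving the final landing page (the second hop the article describes) requires fetching the URL, which belongs in a sandboxed analysis pipeline rather than on the victim's phone.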
The scammers are not only targeting iOS device owners who speak one specific language. The phishing sites are available in ten different languages: English, Spanish, Italian, French, German, Portuguese, Chinese, Russian, Vietnamese, and Indonesian.
Figure 4. Script that renders the language of the phishing site
Why target victims of iOS device theft?
iOS’ Find My iPhone feature includes Lost Mode, which lets users lock their devices if they have been lost or stolen. During the process of setting up this mode, users are given an option to write a message that will be displayed on the lock screen. This could include a phone number, allowing anyone who finds the device to contact the owner and let them know where the device is.
If the user manages to get their device back, they can turn off Lost Mode in two ways: by entering the pre-set passcode on the device itself, or by logging into their iCloud account from another device and disabling the mode there. Until Lost Mode is disabled, the phone or tablet is useless to whoever holds it.
In this campaign, the attackers’ ultimate aim is to acquire the user’s iCloud credentials in order to turn Lost Mode off and make the stolen device usable.
While Lost Mode is active, the criminals turn the lock screen against its owner. The contact number that is meant to help an honest finder return the device also gives the thief a channel to the owner, and the fake "your device has been found" notification is sent to exactly that number. Owners who are distressed by the loss of their iPhone or iPad and desperate to get it back are more likely to click without inspecting the link.
The criminal group could be running this phishing scam as a service for thieves who want to unlock the devices they have stolen. The underground ecosystem has a steady demand for such a service, and where there is demand, someone typically provides the supply.
Users should adhere to the following advice if they want to prevent this scam from succeeding:
- Be wary of unsolicited messages from unknown sources, and check the domain of any link before signing in rather than looking for a familiar word somewhere in the address. The genuine iCloud sign-in page is served from icloud.com; a URL that merely contains “icloud” or “i-cloud” in a subdomain, path or hyphenated host is not Apple’s.
- Use a strong passcode to protect mobile devices. A longer alphanumeric password is recommended, because a four-digit passcode has only 10,000 possible values. iOS imposes escalating delays after failed attempts and can optionally erase the device after ten failures, but a short numeric code still leaves a thief with a small space to guess from given enough time.
Norton users are protected against these phishing sites through the Safe Web service.