Two weeks ago, I was on holiday in Turin, Italy and made a boo boo. I forgot my phone in our rental car for a two-hour visit to a local outdoor spa (Acquajoy, great fun especially for the kids!). The end result was unfortunate: when we returned to the car, a window was smashed and my iPhone stolen.
I immediately did the obvious things, i.e. used my wife’s phone to call mine (as expected, it was powered off), marked the phone as lost in the Find My iPhone app, entered a text to display on the phone in case it ever comes back online, ticked all the “send me an email when the phone comes back online” checkboxes and drove off for lunch. Nobody could access my data on the phone, and since it’s connected to my iCloud account, others can’t reactivate the phone for themselves.
We got the car window fixed in a matter of hours, I later bought a new phone etc etc, but then yesterday — eleven days after the phone was stolen — the most interesting thing happened: I got an SMS and an email notifying that the phone was found!
The email looks exactly like an Apple email should. The sender is “Apple”. Google Inbox, Apple Mail and the traditional Gmail all let the email pass as non-suspicious. All the links in the footer lead to the right places.
I of course rushed to the address on the link and then started typing my credentials, but then suddenly stopped. Something was just not right.
At this point it’s probably best to note that I’m sort of a professional. I’m managing director of a company that builds and supports large-scale websites. We deal with web stuff all day long. I’m pretty sure many people would have just punched in their Apple ID and password and only then wondered why the login doesn’t work.
It does look very convincing, doesn’t it? All the links work, there are jQuery features in place for a smooth user experience etc.
Let me take you inside the mind of a person who’s lost their phone for a while. You’re of course bummed that it got stolen in the first place. Everybody blames themselves at least a bit. Then you turn on all the notifications for the case that it ever finds its way back online. Finally, you sort of forget it — and when messages finally arrive that it’s been found, you rush at full speed to learn about your dear phone’s adventure.
Looking at the page above, there were two things that alarmed me. First, the address seemed a little off. Not really something Apple would use, is it? The real thing, however, was that the connection to the server was not encrypted — you would see it in the address bar, like on the genuine Apple page below:
The lock and green text on the address bar show that the connection is secure and the site really belongs to Apple Inc.
Digging deeper, I noticed that the email was actually not from Apple, but from [email protected]. The website is not registered to Apple, but to some useless company in Nassau. The “iCloud login” makes a great shake gesture when submitting the credentials and says your account name or password is invalid, while of course sending the “invalid” credentials to a save.php file for future exploitation.
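The three tell-tale signs described above (sender address that isn’t Apple’s despite the “Apple” display name, a link that is plain HTTP instead of HTTPS, and a link host that isn’t an Apple domain) can be turned into a small automated check. The following Python script is an added example, not code from the original post; the email text, the sender address and the link hosts in it are constructed placeholders, and the set of trusted domains (apple.com, icloud.com) is an assumption made for the example.

```python
"""Heuristic checks for a 'your device has been found' notification email.
Added example, not part of the original post. Sample email below is constructed;
the trusted-domain list is an assumption for the example."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains the genuine Find My iPhone notifications come from and link to.
TRUSTED_DOMAINS = {"apple.com", "icloud.com"}

# Constructed lookalike notification (placeholder sender and hosts, not the real scam's).
SAMPLE_PHISH = """\
From: Apple <noreply@findmy-support.example>
To: victim@example.org
Subject: Your iPhone 6 has been found
Content-Type: text/html

<html><body>
<p>Your iPhone 6 was located. <a href="http://icloud-find.example/login">View location</a></p>
<p><a href="https://www.apple.com/legal/">Legal</a> | <a href="https://www.apple.com/privacy/">Privacy</a></p>
</body></html>
"""

# Constructed control sample that should pass all three checks.
SAMPLE_GENUINE_LOOKING = """\
From: Apple <noreply@email.apple.com>
To: victim@example.org
Subject: Your iPhone 6 has been found
Content-Type: text/html

<html><body>
<p>Your iPhone 6 was located. <a href="https://www.icloud.com/find">View location</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect every href found on <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registrable_domain(host):
    # Crude: last two labels. Adequate for the assumed trusted domains above.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_trusted(host):
    return registrable_domain(host) in TRUSTED_DOMAINS


def check_notification(raw_email):
    """Return a list of (finding, detail) tuples; an empty list means no signal fired."""
    msg = message_from_string(raw_email)
    findings = []

    # Signal 1: display name claims Apple, but the actual address is on another domain.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rsplit("@", 1)[-1] if "@" in address else ""
    if "apple" in display_name.lower() and not is_trusted(sender_host):
        findings.append(("sender_mismatch", f"'{display_name}' <{address}>"))

    # Signals 2 and 3: links that are not HTTPS, or not on a trusted host.
    payload = msg.get_payload(decode=True)
    body = payload.decode(msg.get_content_charset() or "utf-8") if payload else ""
    extractor = LinkExtractor()
    extractor.feed(body)
    for link in extractor.links:
        url = urlparse(link)
        if url.scheme != "https":
            findings.append(("plain_http_link", link))
        if not is_trusted(url.hostname or ""):
            findings.append(("untrusted_link_host", link))
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("control", SAMPLE_GENUINE_LOOKING)):
        print(label, check_notification(sample) or "no findings")
```

The checks are deliberately simple: they only encode what was visible in the post (sender domain, scheme, link host) and do not try to decide whether an email is genuine, only whether it deserves a second look before any credentials are typed in.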
Oops, there goes my data.
As mentioned above, you can’t activate an iPhone (or any iOS device for that matter) as long as it’s connected to someone’s iCloud account. However, when you steal a phone, you can perfect the crime by stealing the poor bastard’s identity as well. Then just log on to Find my iPhone, decouple the account from the device, and poof, you have an unlocked phone!
As far as I know, this was the first time I was targeted personally by an attempted identity theft. The scammer did very many things very right and nearly got me to give up my account details. Maybe if I’d read the email before looking at the SMS (in which the strange address was a bit more prominent), they would’ve gotten me.
What strikes me the most is that everything seemed very “right” and professional. The email and the website content looked great, my phone really was an iPhone 6 and they even got the timezone right in the email.
The email raised no alerts in any email client I use, including Google Inbox, mail.google.com and Apple Mail. No web browser, mobile or desktop, shows any alarm on the fake site. Google.com knows virtually nothing about the site, the email address or the (probably fake) US phone number the SMS came from. Very well done.
As far as I can guess (and if the phone doesn’t reveal the iCloud email when you turn it on), they used the “Medical ID” feature on the phone to see who it belongs to and, thanks to my strange name, found me on wunderkraut.com along with my email address and phone number (for sending the messages to) — in fact, I did check the site analytics and found that my profile had one hit from Google the day after the phone was stolen.
Whatever the actual method, a real person really made an effort to screw me over.
Of course there’s the obvious — don’t leave valuables in the car. Then there’s the data protection stuff: if you don’t have a passcode enabled on your device, enable it today. Also, remember to back up all data regularly so you won’t miss it when you lose your device for any reason. There are simple and cheap cloud-based services available on all mobile ecosystems. Also, wherever possible, use 2-factor authentication (usually password + a code in an SMS message) so that a password alone is never enough for stealing your identity.
Then the new one — at least for me: If you ever lose your iPhone, iPad or iPod, be extra alert for upcoming identity theft attempts. This is what Google.com and Apple should’ve told me 12 days ago when I searched for what to do. The scam was so professional with perfect English and mobile responsive web pages that I consider myself lucky not to have given away my password. And as said, I’m sort of a professional.
In retrospect I’m pretty proud of myself for catching the scam just before I did irreparable damage and gave my password to the same asshole who’s holding my stolen phone. I’m also glad for “being warned” before something more serious could happen. We do run a sizable business and I’ve read stories of reputable companies losing millions in online identity thefts. Let’s all take a moment to think about how we could get scammed.
Hopefully this post helps prevent at least one online scam and thus doesn’t feed the growing monster of internet fraud.