Joonas Kiminki, the co-founder and managing director of a Drupal coding company in Finland, has been one of the recent targets of ongoing phishing attacks, which seem to target users who have had their iPhones lost or stolen (via Hackernoon). When Kiminki’s iPhone 6 got stolen out of a rented automobile, he took all the basic steps one should take upon losing an iPhone, but those measures appear to be what these phishing attacks take advantage of.
He marked the device as lost in the Find my iPhone app, enabled an email alert for when it came online, and sent it a text message to appear on the device’s screen. Eleven days later, he received an SMS and an email notifying him that the iPhone had been found. The email from “Apple”, which Google Inbox did not flag as suspicious (shown above), showed a street location and correctly named his device.
While Kiminki says he did get excited for a moment, his coding experience gave him pause before he could enter his iCloud login credentials on the web page the email and text sent him to.
Looking at the page above, there were two things that alarmed me. First, the address seemed a little off. Not really something Apple would use, is it? The real thing, however, was that the connection to the server is not encrypted; you would see it on the address bar, like on a genuine Apple page.
Digging deeper, I noticed that the email was actually not from Apple, but from email@example.com. The website is not registered to Apple, but to some useless company in Nassau. The “iCloud login” makes a great shake gesture when submitting the credentials and says your account name or password is invalid, while of course sending the “invalid” credentials to a save.php file for future exploitation.
So the takeaway from Kiminki’s case is simple. Expect to be targeted if you lose your iPhone and make sure to turn on Apple’s two-factor authentication on your iCloud account.
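The three tells Kiminki lists (a login link that is not served over HTTPS, a link whose host is not really an Apple domain, and a sender address that is not Apple's) can be checked mechanically before anyone types an iCloud password. The following is an added example written for this article, not code from Kiminki or from Apple; the allow-lists of trusted domains and every sender address and URL in it are constructed samples, and the attacker domains are placeholders rather than real infrastructure.

```python
"""Triage a "your iPhone has been found" notification for the red flags the
article describes: no TLS on the login link, a link host that is not an
Apple/iCloud domain, and a sender that is not an Apple address.
All inputs are constructed samples; attacker domains are placeholders."""
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Domains Apple legitimately uses for iCloud / Find My sign-in pages and mail.
# These allow-lists are an assumption for the example; maintain your own from
# what the real service actually sends you.
TRUSTED_LINK_DOMAINS = ("apple.com", "icloud.com")
TRUSTED_SENDER_DOMAINS = ("apple.com", "icloud.com")


def host_in_domains(host: Optional[str], domains: Iterable[str]) -> bool:
    """True only if host equals a trusted domain or is a true subdomain of one.
    Lookalikes such as 'icloud.com.example' or 'notapple.com' must not match."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def triage_notification(sender: str, link: str) -> Verdict:
    """Return a Verdict listing every red flag found in the sender and link."""
    reasons: List[str] = []

    # Sender check: the article's mail came from a non-Apple address that the
    # mail client did not flag. parseaddr strips the display name ("Apple").
    _, addr = parseaddr(sender)
    sender_domain = addr.rpartition("@")[2]
    if not host_in_domains(sender_domain, TRUSTED_SENDER_DOMAINS):
        reasons.append(f"sender domain {sender_domain!r} is not an Apple domain")

    parts = urlsplit(link)

    # Red flag 1 from the article: a credential page with no TLS.
    if parts.scheme.lower() != "https":
        reasons.append(f"login link uses {parts.scheme or 'no'} scheme, not https")

    # Red flag 2: the address "seemed a little off". urlsplit().hostname drops
    # any user@ prefix, so 'https://apple.com@evil.example/' yields evil.example.
    if not host_in_domains(parts.hostname, TRUSTED_LINK_DOMAINS):
        reasons.append(f"link host {parts.hostname!r} is not an Apple domain")

    return Verdict(suspicious=bool(reasons), reasons=reasons)


if __name__ == "__main__":
    # Constructed sample modelled on the case in the article.
    v = triage_notification("Apple <support@example.com>",
                            "http://icloud-find.example/login")
    for r in v.reasons:
        print("-", r)
```

The function deliberately reports every failed check rather than stopping at the first, so a single lookalike host on an otherwise clean HTTPS link still surfaces; the subdomain test requires a literal `.` before the trusted suffix, which is what defeats `icloud.com.example` style hosts.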