Apple’s “Find My iPhone” is one of the most useful reasons to be connected to iCloud. If your iPhone is lost, you can leave a message on its screen so that whoever finds it can contact you.
Since the introduction of iOS 7, enabling “Find My iPhone” also prevents the phone from being erased or reset without the iCloud credentials (email address and password). Even if a new version of iOS is installed, the phone cannot be activated without those iCloud credentials.
The feature is clearly designed to make theft of iPhones less attractive. However, some criminals have found a way to obtain the credentials using a targeted phishing attack aimed at the phone’s owner. A phone owner who had left a contact message on her lost iPhone received the following SMS shortly afterwards:
SMS message provided by Lior Ben David, CEO of LBD Cyber security Ltd.
The link leads to an authentic-looking iCloud login page – but it is clearly a phishing site. The original iPhone owner, obviously wanting to know more about the lost phone, would enter her credentials, and the thieves would then be able to unlock and activate the stolen phone.
The "Credential Retrieval Service" Scenario
Further research by CYREN reveals that the registrant of the domain “www.icloudset.com” has also registered over 30 similar domains in the past year, including “icloudguide.com”, “icloudinbox.com”, and “icloudprotect.com”. Some of these have also been used in large-scale phishing attacks detected by CYREN, so the domains are being used for both broad phishing and spear/directed phishing attacks.
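The domains above all follow one pattern: an Apple brand term with an extra word bolted on, registered outside Apple’s own domains. As an added example (not code from the CYREN post), here is a small defender-side check that extracts links from SMS text and flags hosts that mention “icloud”, “apple” or “iphone” but whose registrable domain is not icloud.com or apple.com; it also catches the brand appearing only in a subdomain, which goes beyond the specific domains in the post. The allow-list, the keyword list, the crude two-label domain split and the sample messages (icloudset.com is from the post; evil-example.test is constructed) are assumptions of this example.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Assumed allow-list: domains Apple itself uses for iCloud / Apple ID sign-in.
LEGIT_APPLE_DOMAINS = {"icloud.com", "apple.com"}
# Assumed brand terms an iCloud phishing lure is likely to put in its hostname.
BRAND_KEYWORDS = ("icloud", "apple", "iphone")

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Enough for .com lookalikes; not a Public Suffix List lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def extract_hosts(text: str) -> list[str]:
    """Pull every hostname out of the URLs found in an SMS body."""
    hosts = []
    for match in URL_RE.findall(text):
        url = match if match.lower().startswith("http") else "http://" + match
        host = urlsplit(url).hostname
        if host:
            hosts.append(host)
    return hosts

def lookalike_domains(text: str) -> list[str]:
    """Return registrable domains that use an Apple brand term anywhere in the host
    but are not Apple's own. A subdomain like icloud.com.evil-example.test is flagged too."""
    flagged = []
    for host in extract_hosts(text):
        base = registrable_domain(host)
        if base in LEGIT_APPLE_DOMAINS:
            continue  # genuine Apple host, nothing to report
        if any(keyword in host.lower() for keyword in BRAND_KEYWORDS):
            flagged.append(base)
    return flagged

# Constructed sample messages for demonstration; only icloudset.com comes from the post.
SAMPLE_SMS = [
    "Your lost iPhone has been located. View its position at http://www.icloudset.com/locate",
    "Apple ID security notice: review your account at https://appleid.apple.com/",
    "Your iPhone was found, see https://www.icloud.com/find",
    "Reset your password at https://icloud.com.evil-example.test/login",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(lookalike_domains(sms) or "clean", "<-", sms)
```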
We believe a likely scenario is that the owner of the phishing sites is providing a “credential retrieval service” for anyone willing to pay. The flow is likely as shown below.
CYREN has blocked all of the domains linked to the site registrant.
Thanks to Lior Ben David, CEO of LBD Cyber security Ltd. for bringing us the story and SMS sample.