• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Bad Sites   »   iPhone Phishing Scam Crosses Over Physical Crime

iPhone Phishing Scam Crosses Over Physical Crime

  • Posted on:May 4, 2017 at 7:28 pm
  • Posted in:Bad Sites, Social
  • Author:
    Fernando Mercês (Senior Threat Researcher)
0

Last late April a friend of mine had his iPhone stolen in the streets—an unfortunately familiar occurrence in big, metropolitan areas in countries like Brazil. He managed to buy a new one, but kept the same number for convenience. Nothing appeared to be out of the ordinary at first—until he realized the thief changed his Facebook password.

Fortunately, he was able to recover and update it, as his phone number was tied to his Facebook account. But a pickpocket accessing his victim’s Facebook account is quite unusual. After all, why would a crook be interested with his victim’s Facebook account for when the goal is usually to use or sell the stolen device? It didn’t stop there; a day after, my friend curiously received a phishing SMS message on his new phone.

What’s interesting here is the blurred line between traditional felony and cybercrime—in particular, the apparent teamwork between crooks and cybercriminals that results in further—possibly more sophisticated—attacks.


Figure 1: SMS message with a link to a phishing page

The SMS message, written in Portuguese, translates to: “Dear user: Your device in lost mode was turned on and found; access here and view its last location:”. The message was accompanied with a link pointing to hxxp://busca-devices[.]pe[.]hu, which we found to be a phishing page with a log-in form asking for Apple ID credentials.

We then checked the last location of his stolen iPhone, the official iCloud website indeed confirmed that it was where he had the phone snatched.


Figure 2: Phishing page asking for Apple ID credentials

Connecting the dots, it appears the modus operandi is to physically steal the victim’s phone (while in use, so they can still access the apps), uncover the device’s number, then try changing the password of installed social networking (and possibly email) apps—probably to extort the victim in the future—before turning the stolen device off as soon as possible. Attackers then try to grab the victim’s Apple ID credentials using a phishing page and a socially engineered SMS message pretending to be Apple. Apart from perpetrating identity theft, getting their hands on Apple credentials allows them to disable the Activation Lock feature in iOS devices which would enable them to wipe the phone (as part of an attack, or for them to reuse the device).


Figure 3: iCloud phishing page advertised in the Brazilian underground

Interestingly, we came across an iCloud phishing page peddled for R$135 (roughly equivalent to US$43 as of May 4, 2017) during one our recent forays into the Brazilian underground. The phishing page offered for rent came with a video tutorial explaining how the service works. Coincidence? While there may be no direct correlation, it wouldn’t be surprising if it somehow intersects with my friend’s iPhone scam situation—given how Apple credentials are one of the commodities sold in Brazil’s online underworld. In fact, this kind of attack has been reported in Brazil as early as 2015.

Lessons Learned

The moral of my friend’s story? Traditional crime and cybercrimes are not mutually exclusive and can, in fact, work together in seemingly bigger attacks or malicious schemes. Another lesson learned? Physical security strengthens cybersecurity. This rings true—even intuitive—not only to individual end users. Organizations understand that the risks of attacks are just as significant if their workplace’s perimeters aren’t as properly secure as their virtual/online walls.

Indeed, today’s increasingly intricate—and in a lot of cases, brazen—attacks, whether physical or in cyberspace, call for being more proactive. Being aware of red flags in phishing scams, securing the privacy of mobile apps, and adopting best practices for BYOD devices, are just some of them. These are complemented by physically securing mobile devices—from password-protecting important documents to employing biometrics or strong PINs to prevent unauthorized access to the device’s apps.

Users can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Apple devices (available on the App Store) that can monitor and block phishing attacks and other malicious URLs. For organizations, especially those that use BYOD devices, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protect devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.

With help from our colleagues from PhishLabs, we were able to take down the phishing pages that were still online. We also disclosed to Apple our findings related to this threat. The domains we uncovered related to this scam are in this appendix.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: Brazilian underground marketiphonephishingPhysical Crime

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.