Lost an iPhone? Here’s How a Criminal Would Wipe It Clean for Resale
Ever wonder how despite Apple making locking a phone so easy after it's stolen, we still see daily cases of iPhones being stolen? Security researchers have shared their findings revealing that the physical crime is now augmented by cybercrime to get "bigger payouts." Once a thief has managed to steal an iPhone, they avail "Fraud as a Service" kind of offers that empower them with phishing kits and other services, making it possible to unlock the stolen iPhone.
With prices of flagship mobile phones skyrocketing, their resale value has also increased giving thieves even more incentive. However, it is also far more easy now than ever before to lock your phones when they are stolen. Both Android and iOS offer these functions that you can use to remotely wipe your device, track it, and keep it locked. But these aren't used by every victim as most of the users don't even look at the details of these features until their phone is actually stolen.
Steal iPhone > phish for iCloud credentials > remove device from account > resell it
Researchers at Trend Micro have revealed that there are actually entire criminal rings where physical theft meets cybercrime. Criminal hackers have long been offering their services for hire to unlock iCloud accounts of stolen iPhones to make them useful again. But, most of them appear to rely on phishing attacks - at least in part. "The fraudsters’ attack chain is relatively straightforward," Trend Micro writes.
"They spoof an email or SMS from Apple notifying victims that their device has been found. The eager victim, wanting their phone back, clicks on the link that will compromise their iCloud credentials, which is then reused to unlock the stolen device. The thieves will then subcontract third-party iCloud phishing services to unlock the devices. These Apple iCloud phishers run their business using a set of cybercriminal tools that include MagicApp, Applekit, and Find My iPhone (FMI.php) framework to automate iCloud unlocks in order to resell the device in underground and gray markets."
Cybercriminals running these iCloud unlocking businesses have their customers all around the world, including in the United States, France, India, Italy, Saudi Arabia, and others. Researchers wrote that the attackers benefit from the victim's panic and eagerness to get back their phone making these phishing attacks largely successful. Here's how it works:
While the team explored three tools including MagicApp, Applekit, and Find My iPhone (impersonating Apple's service), they added that are several others being used by criminals. In their research, Trend Micro notes that they often found all of these exploit kits working at the same time.
- FMI offers initial phishing capabilities, including providing the attacker with user’s iCloud information, phone number, passcode length, ID, GPS location, etc.
- AppleKit offers "iCloud Fraud as a Service" and creates a network of hijacked devices.
- MagicApp automates phone unlocking and offers a slew of services, including sending iPhone owner a fake GPS location making them believe their device has indeed been found.
Once the attackers get access to the iCloud (using login data provided by the user), they can unlock the device, use the content, or delete it for device resale. The face of crime is "no longer confined to the brick-and-mortar theft," Trend Micro wrote. "The online tools we’ve seen show how traditional felony and cybercrime can work concertedly - or even strengthen each other - towards bigger payouts for the bad guys," they added.
If you buy a secondhand phone, it is advised to verify with the vendor or the carrier that the device in question is not blacklisted. The Cellular Telecommunications Industry Association (CTIA) in the United States also enables users to check a device's IMEI for being stolen or blacklisted.