Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×
Iphone Security Operating Systems Privacy Software Apple Hardware Technology

Inside a Phishing Gang That Targets Victims of iPhone Theft (krebsonsecurity.com) 15

tsu doh nimh writes: Brian Krebs has a readable and ironic story about a phishing-as-a-service product that iPhone thieves can use to phish the Apple iCloud credentials from people who have recently had an iPhone lost or stolen. The phishing service -- which charged as much as $120 for successful phishing attempts targeting iPhone 6s users -- was poorly secured, and a security professional that Krebs worked with managed to guess several passwords for users on the service. From there, the story looks at how this phishing service works, how it tracks victims, and ultimately how one of its core resellers phished his own iCloud account and inadvertently gave his exact location as a result. An excerpt from the report via Krebs On Security: "Victims of iPhone theft can use the Find My iPhone feature to remotely locate, lock or erase their iPhone -- just by visiting Apple's site and entering their iCloud username and password. Likewise, an iPhone thief can use those iCloud credentials to remotely unlock the victim's stolen iPhone, wipe the device, and resell it. As a result, iPhone thieves often subcontract the theft of those credentials to third-party iCloud phishing services. This story is about one of those services..."
This discussion has been archived. No new comments can be posted.

Inside a Phishing Gang That Targets Victims of iPhone Theft

Comments Filter:
  • steal the gun, erase the serial number, etc.
    • steal the gun, erase the serial number, etc.

      It's a *lot* harder to "erase" a serial number from a gun than you might imagine. Even if you grind away enough metal so you can't see it, various imaging techniques can still detect it. Acid-etching, electron backscatter diffraction, and magneto-optical detection can all "see" serial numbers that appear to have been obliterated.

      Want to destroy a gun's serial number? Melt it down into a puddle of metal.

  • by supernova87a ( 532540 ) <kepler1@h o t m ail.com> on Wednesday March 15, 2017 @06:49PM (#54047327)
    Read through the full article - that is some seriously impressive detective work to follow through and find the people behind the phishing portal!
  • ...is if they have a stolen iPhone how do they know whom to text to try and phish the credentials? If the phone's locked it's not like they have access to the owner's information, nor to the MEI. What am I missing?

    • Maybe it goes like this?

      Learn someone's Apple ID.
      Compromise account.
      Locate the device.
      ???????
      Profit.
    • The IMEI is printed on the back of the phone.
    • ...is if they have a stolen iPhone how do they know whom to text to try and phish the credentials? If the phone's locked it's not like they have access to the owner's information, nor to the MEI. What am I missing?

      If you do a factory reset of the device it'll try and force you to log into the iCloud account that has locked the device before you activate it. It's been a while since I've done this, but if I remember correctly, I think it actually puts up the email address and just asks for the password.

  • You see?! (Score:1, Informative)

    by jennatalia ( 2684459 )
    This is why you don't buy an iPhone.

A list is only as strong as its weakest link. -- Don Knuth

Working...