Fraudsters are using iCloud phishing to steal iOS devices


Mobile security company TrendMicro's research team published a blog post last week detailing findings they've uncovered regarding the theft of iOS devices. In their investigation, they found an alarming intersection of physical crimes and online scams: fraudsters are using phishing techniques to unlock the iPhones they've stolen.

According to TrendMicro, this is a worldwide phenomenon, with individuals from Ireland and the U.K. to India, Argentina, and the U.S. being targeted. The global market for stolen iPhones is vast and, as the company notes, profitable:

Last year, stolen iPhones were sold in Eastern European countries for as much as $2,100. In the U.S. 23,000 iPhones from the Miami International Airport, valued at $6.7 million, were stolen last year.

Essentially, once an iPhone is stolen, the thieves will spoof an email or SMS text that looks as though it's from Apple to send to the victim saying that their phone has been found and asking them to click a link to move forward in the retrieval process. However, once the victim clicks that link, it compromises their iCloud credentials, which subcontracted third-party iCloud phishing services will then use to unlock the device. These phishers use tools such as MagicApp, Applekit, and Find My iPhone to complete this task. When it's all finished, the device is resold in "underground and gray markets."

So, knowing all this, how do you keep your device safe? TrendMicro advises the following:

  • First and foremost, use common sense. If a link seems even remotely suspicious, don't click it or input any personal information. It's better to wait a little longer for your missing phone and verify that it is actually Apple contacting you than to jump on a fishy email just because you're eager to retrieve your device.
  • Use best practices when it comes to securing your tech. That means setting up fingerprint scanning or Face ID, setting a passcode, enabling two-factor authentication on your iCloud account, and setting up or enabling any other security features, such as Find My iPhone and auto-locking.
  • Regularly back up your phone so that if the worst happens, you won't lose everything.
  • Report the device's loss or theft to your carrier to deter fraudsters from reusing it.
  • Do your research when purchasing a phone secondhand. The Cellular Telecommunications Industry Association (CTIA) has a website where, by verifying the phone's serial number, you can check if an iPhone has been blacklisted or stolen.
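
To make the "verify that it is actually Apple" advice concrete, here is an added Python example (not from the article or from TrendMicro's post) that checks which host each link in a "your iPhone was found" message really points to. The allowlist of apple.com and icloud.com and the sample messages, which use reserved .example domains, are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: illustrative allowlist of domains a genuine Apple link would use.
TRUSTED_DOMAINS = ("apple.com", "icloud.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def parse(url):
    """Return (scheme, host) as the browser would resolve them."""
    try:
        parts = urlsplit(url)
        # .hostname drops any "user@" prefix and the port, so a link like
        # https://www.icloud.com@other.example/ resolves to other.example.
        return parts.scheme.lower(), (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "", ""

def is_trusted(url):
    """True only for HTTPS links whose host is a trusted domain or a subdomain of one."""
    scheme, host = parse(url)
    if scheme != "https":
        return False
    # Match on the END of the host: "icloud.com.evil.example" must fail.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def suspicious_links(message):
    """Return (url, real_host) for every link that does not lead to a trusted host."""
    urls = [u.rstrip(".,)!?") for u in URL_RE.findall(message)]
    return [(u, parse(u)[1]) for u in urls if not is_trusted(u)]

# Constructed sample messages modelled on the lure described above.
SAMPLES = [
    "Apple Support: your lost iPhone X has been located. "
    "View location: https://icloud.com.locate-iphone.example/signin",
    "Your iPhone was found. Sign in at https://www.icloud.com@find-device.example/ now",
    "Your device is online: https://\u0430pple.com/find (Cyrillic first letter)",
    "Find My iPhone: sign in at https://www.icloud.com/find to view your devices.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        flagged = suspicious_links(msg)
        print("SUSPICIOUS" if flagged else "ok", flagged)
```

A passing check only means the link's host belongs to an allowlisted domain; typing the address of Apple's site yourself instead of following the link remains the safer route.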

For more information, check out TrendMicro's original blog post.

Questions?

We're happy to answer any further questions you may have regarding iPhone security. Give us a shout in the comments, and we'll get back to you as soon as we can.

Tory Foulk is a writer at Mobile Nations. She lives at the intersection of technology and sorcery and enjoys radio, bees, and houses in small towns. When she isn't working on articles, you'll likely find her listening to her favorite podcasts in a carefully curated blanket nest. You can follow her on Twitter at @tsfoulk.

5 Comments
  • If Apple has all the information about the parts used to build my phone (serial numbers by IMEI), just block any phone which uses these parts.
    Sorry mate, you supply spares from thieves and this ain’t going to work.
    Similar to what they did with fingerprint sensors.
    Simple. But wait, they will lose some sheep from the herd and it is not good for the business, right?
    Thieves make new sheep selling stolen phones, old sheep will buy another iPhone anyway, that’s how it rolls.
    Sorry, but has anyone seen a phone blocked by IMEI? No, they've been sold abroad, not in the country where they were stolen and reported, or been sold for parts.
    Robbed Apple store in London? Make those phones and tablets useless! Stop the crime!
  • @jsanakonda is exactly right. Phished iCloud credentials are just a very small percentage of the stolen iPhone market. If Apple wanted to block these phones or more likely the individual parts, they could. They don’t want to because people that use stolen phones still pay for iCloud, Apple Music, buy movies and buy apps from the App Store. The victims of these crimes will just pay Apple for a new iPhone. It’s a win-win for Apple.
  • Eh... What if someone fakes my info, and calls Apple to say the phone needs to be locked? What if I lock it, and someone calls Apple saying they're me and gives enough info to unlock it (if there's an undo process)? What if someone sells me an unlocked phone, then decides to be an a** h*** and have Apple then lock it? The iCloud thing is best imho. Apple can't unlock it without a valid death certificate, and even then, they don't give data. My concern is, how in the world are they able to get that info from just clicking a link? That implies to me that more or less any site can get that if it's auto-saved as a session cookie. Are we assuming everyone links iCloud bookmarks/sessions from Safari? Edit: Yes, if the phones were stolen from Apple, I'd think that blocking the phones could be ok as Apple can verify the legitimacy, but not to someone calling in.
  • "However, once the victim clicks that link, it compromises their iCloud credentials, which subcontracted third-party iCloud phishing services will then use to unlock the device." How are they getting my info from me just tapping a link? Couldn't they just as easily spoof a friend's number, and send me a link my friend may send me? What if my friend isn't really my friend, and sends me a link? How are they getting my info from tapping a link and when will Apple fix this? Or, is this a TrendMicro-sponsored post, that is meant to be scary?
  • They can't get your info by just tapping a link; it'd require you to enter it somewhere. Given the title mentions phishing, it's most likely a webpage that looks like the Apple one, asking you to log in. Once you have entered your login details, then your information is stolen. Also worth noting that even if you fell for this scam, you'd still be safe if you have 2FA enabled.