Phishing sites are provided in several languages

Mar 3, 2015 14:22 GMT

People who lost their iPad or iPhone, or had it stolen, are receiving fraudulent messages claiming that the device has been found and pointing them to a phishing site designed to capture the credentials for their iCloud storage account.

The phishing pages have been set up in different languages, covering English, Spanish, Italian, French, German, Portuguese, Chinese, Russian, Vietnamese, and Indonesian, security researchers say.

If Lost Mode is active, the device is useless to the crooks

It appears that the cybercriminals are trying to take advantage of the Find My iPhone service provided by Apple, which allows users to track their device through a feature called “Lost Mode.”

Enabling this functionality lets the owner of the device leave a message on the lock screen. Most of the time, a phone number is left for the finder of the gadget to call, in order to return the lost item to its owner.

Lost Mode is a security feature that locks the device until a passcode defined upon enabling it is provided. Alternatively, it can be disabled from the iCloud account.

Details on locked screen used to contact victims

Security researchers from Symantec allege that the cybercriminal campaign relies on a service for iOS devices offered on underground forums.

They discovered that the crooks use any detail they find displayed on the locked screen. If both a phone number and an email address are available, they would be able to concoct a more credible message.

A sample of the text received by the victims, as provided by Symantec, reads, “Apple Inc. Your iPad Air 3G 64GB Space Gray linked to [email address found on the screen] has been located today at 19:00 PDT. See location: [link to phishing website].”

The fraudulent page mimics the real iCloud log-in page, and the only visible clue that it is fake is the URL. Apart from the fact that Apple offers a secure connection, marked by the green HTTPS padlock, there is also the link itself, which is not “https://www.icloud.com/.”

Users should be aware that disabling “Lost Mode” is the only way crooks can monetize stolen iOS devices; carefully inspecting the URL received in an unsolicited message and logging into the iCloud account by typing the address manually would help them avoid becoming a victim a second time.
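The URL inspection described above can be made mechanical, for instance in a mail or SMS filter. The following is an added example, not code from the article or from Symantec; the `.example` links are constructed samples, and treating `https://www.icloud.com/` as the only genuine log-in origin is an assumption taken from the article's text.

```python
from urllib.parse import urlsplit

# Assumption: the only origin treated as genuine is the one the article names.
TRUSTED_SCHEME = "https"
TRUSTED_HOST = "www.icloud.com"


def check_icloud_link(url: str) -> list[str]:
    """Return the reasons a link is NOT the genuine origin (empty list = passes)."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["URL cannot be parsed"]
    reasons = []
    if parts.scheme.lower() != TRUSTED_SCHEME:
        reasons.append("scheme is not https")
    # "https://www.icloud.com@other.host/" shows the brand name but connects elsewhere.
    if parts.username is not None or parts.password is not None:
        reasons.append("userinfo before '@' hides the real host")
    # Non-ASCII or punycode labels can render as lookalikes of the real name.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        reasons.append("internationalized host name")
    # Exact match only: "www.icloud.com.other.host" merely starts with the brand.
    if host != TRUSTED_HOST:
        reasons.append(f"host is {host!r}, not {TRUSTED_HOST!r}")
    if port not in (None, 443):
        reasons.append("non-default port")
    return reasons


# Constructed sample links (reserved .example names, not real indicators).
SAMPLES = [
    "https://www.icloud.com/",
    "http://www.icloud.com/",
    "https://www.icloud.com.find-device.example/login",
    "https://www.icloud.com@find-device.example/",
    "https://xn--icloud-abc.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        problems = check_icloud_link(link)
        print(link, "->", "OK" if not problems else "; ".join(problems))
```
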
