Michael Sharon @deprimer, 17 tweets
PSA: Be alert and aware when using your phones. I had my iPhone X literally snatched out of my hand in a nice part of San Francisco (Lower Haight) two blocks from my house. Same thing happened to @PranavDixit and nearly happened to @miekd last week.
iPhone theft was growing in SF (and elsewhere) until Apple made it more difficult to use stolen devices by adding Activation Lock (AL) in iOS 7. AL forces you to sign in with your iCloud account (even on reformatted devices) to disable Find My iPhone before the device is usable.
For the most part, AL works great and led to a significant reduction in iPhone theft since the difficulty and therefore the cost to the thief went up considerably. Making nefarious acts economically unfeasible is one of the best ways to reduce them. This changed recently.
A few days after my phone was snatched, I received an SMS letting me know that my baby, my silver iPhone X had been found!
This seemed too good to be true, but I eagerly tapped through to the page and saw this
Ruh roh... definitely a fake. The awkward fonts gave it away a mile before I looked at the URL (which was icloud-server.us). This was clearly a phishing attempt to gain access to my iCloud credentials for unbricking my stolen iPhone X.
I ran a whois on the address, just wondering what would come up and bam! I hit paydirt. Or at least, dirt.
Googling the email turned up a number of other suspicious domains owned by Andres Andrade - all featuring slight variations on the faux Apple support theme.
Searching for him on Facebook also yielded two mysterious profiles in San Francisco... which seemed at least vaguely plausible
"Gotcha!", I thought, feeling very Famous Five/Sherlock Holmesish. I immediately filed a police report with the SFPD and sent a detailed email to the promisingly named reportphishing@apple.com address. Another day, another nefarious criminal scheme thwarted. Case closed.
And then the SMSes started coming. A LOT MORE. And they were... weirdly better. The copy was ever so slightly tweaked to give me twinges of hope every time I received a new message. The sites stole all the CSS and JS. These guys had definitely upped their game rapidly.
They still needed a bit of help with mobile stylesheets tho.
Unfortunately, the forms, well, the forms still all linked to that trusty old "save.php" endpoint beloved by script kiddies everywhere.
That said, the www version of the site is pretty much pitch perfect. It matches Apple's style down to a tee.
The first set of domains I encountered seem to have been mostly shut down (by Apple or their hired muscle presumably) but iPhone phishing-as-a-service (PaaS?) seems to have recently hit a new growth surge. So in conclusion...
1. Be aware of your surroundings! Phones are so engaging that you can easily lose track of everything happening around you.
2. Use two factor authentication on everything. Turn on 2FA for your Apple ID now. support.apple.com/en-us/HT204915
3. Guard your passwords. Don't enter your Apple credentials into anything that doesn't have a standard, trusted Apple URL.
4. Help your less technically savvy friends and family realize that random sites can't magically return your stolen iPhones to you.

</PSA> Stay safe!
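As an added example (not from the thread), here is a small Python check that implements rule 3 the way a defender would: it accepts only HTTPS links whose host is apple.com or icloud.com (or a subdomain of one), and rejects lookalike hosts such as icloud-server.us, "icloud.com.evil.net", and userinfo tricks like "apple.com@evil.net". The allowlist of trusted domains and the sample SMS texts are assumptions constructed for the example, not the messages the author received.

```python
import re
from urllib.parse import urlsplit

# ASSUMPTION (not from the thread): registrable domains Apple uses for
# sign-in pages. Extend this allowlist for your own environment.
TRUSTED_APPLE_DOMAINS = {"apple.com", "icloud.com"}

# Finds http(s) links inside free text such as an SMS or e-mail body.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_trusted_apple_url(url: str) -> bool:
    """Return True only if url uses HTTPS and its host is a trusted Apple
    domain or a subdomain of one.

    urlsplit().hostname strips userinfo ("apple.com@evil.net" -> evil.net),
    port and IPv6 brackets, and lowercases the host, so the common phishing
    tricks collapse to the real host before it is compared.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".")  # "www.icloud.com." is the same host as www.icloud.com
    # Exact match or a real subdomain: "icloud.com.evil.net" does not end with
    # ".icloud.com", so the suffix test rejects it.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_APPLE_DOMAINS)


def untrusted_links(message: str) -> list[str]:
    """Return every link in a message body that fails the trust check."""
    return [u for u in URL_RE.findall(message) if not is_trusted_apple_url(u)]


# Constructed sample messages modelled on the "your iPhone has been found"
# lure described above; these are not the author's actual texts.
SAMPLE_SMS = [
    "Your iPhone X has been located. View its location: https://icloud-server.us/found",
    "Sign in to manage Find My iPhone: https://www.icloud.com/find",
    "Apple Support: confirm your account at https://www.apple.com@support-verify.net/login",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(untrusted_links(sms) or "no untrusted links", "<-", sms)
```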