PSA: Be alert and aware when using your phones. I had my iPhone X literally snatched out of my hand in a nice part of San Francisco (Lower Haight) two blocks from my house. Same thing happened to @PranavDixit () and nearly happened to @miekd last week.
iPhone theft was growing in SF (and elsewhere) until Apple made it more difficult to use stolen devices by adding Activation Lock (AL) in iOS 7. AL forces you to sign in with your iCloud account (even on reformatted devices) to disable Find My iPhone before the device is usable
For the most part, AL works great and led to a significant reduction in iPhone theft since the difficulty and therefore the cost to the thief went up considerably. Making nefarious acts economically unfeasible is one of the best ways to reduce them. This changed recently.
A few days after my phone was snatched, I received an SMS letting me know that my baby, my silver iPhone X had been found! 
This seemed too good to be true, but I eagerly tapped through to the page and saw this
Ruh roh... definitely a fake. The awkward fonts gave it away a mile before I looked at the URL (which was icloud-server.us). This was clearly a phishing attempt to gain access to my iCloud credentials for unbricking my stolen iPhone X.
I ran a whois on the address, just wondering what would come up and bam! I hit paydirt. Or at least, dirt.
Googling the email turned up a number of other suspicious domains owned by Andres Andrade - all featuring slight variations on the faux Apple support theme.
Searching for him on Facebook also yielded two mysterious profiles in San Francisco... which seemed at least vaguely plausible
"Gotcha!", I thought, feeling very Famous Five/Sherlock Holmesish. I immediately filed a police report with the SFPD and sent a detailed email to the promisingly named reportphishing@apple.com address. Another day, another nefarious criminal scheme thwarted. Case closed.
And then the SMSes starting coming. A LOT MORE. And they were... weirdly better. The copy was ever so slightly tweaked to give me twinges of hope every time I received a new message. The sites stole all the CSS and JS. These guys had definitely upped their game rapidly.
They still needed a bit of help with mobile stylesheets tho
Unfortunately, the forms, well, the forms still all linked to that trusty old "save.php" endpoint beloved by script kiddies everywhere.
That said, the www version of the site is pretty much pitch perfect. It matches Apple's style down to a tee.
The first set of domains I encountered seem to have been mostly shut down (by Apple or their hired muscle presumably) but iPhone phishing-as-a-service (PaaS?) seems to have recently hit a new growth surge. So in conclusion...
1. Be aware of your surroundings! Phones are so engaging that you can easily lose track of everything happening around you.
2. Use two factor authentication on everything. Turn on 2FA for your Apple ID now. support.apple.com/en-us/HT204915
2. Use two factor authentication on everything. Turn on 2FA for your Apple ID now. support.apple.com/en-us/HT204915
3. Guard your passwords. Don't enter your Apple credentials into anything that doesn't have a standard, trusted Apple URL.
4. Help your less technically savvy friends and family realize that random sites can't magically return your stolen iPhones to you.
</PSA> Stay safe!
4. Help your less technically savvy friends and family realize that random sites can't magically return your stolen iPhones to you.
</PSA> Stay safe!
