Symantec reports a new phishing scam targeting iPhone and iPad users who’ve lost their devices.
iOS’ Find My iPhone feature includes Lost Mode, which enables users to lock a lost device remotely and display a message on the lock screen telling anyone who finds it how to contact its owner.
Until Lost Mode is disabled – either by entering the passcode on the device or by logging into the owner’s iCloud account – the device remains locked and useless. So far, so helpful.
While Lost Mode enables users to track down their lost iPhones and iPads, it can also be turned against them: if the device has been stolen, the contact message gives the thief an opportunity to bypass its security by contacting its owner and fooling them into handing over their iCloud credentials.
Several users have reported receiving messages informing them that their lost devices had been located, and encouraging them to click a link to recover them. Instead of taking them to the iCloud login page, however, the links directed them to a cloned phishing site, created with the aim of harvesting iCloud credentials for criminal use.
Once they have the relevant iCloud login details, criminals can unlock the phones and gain access to a huge amount of information and resources, including email accounts, e-commerce accounts, contacts and documents. For organisations that support BYOD (bring your own device), sensitive corporate information is also at risk.
This scam appears to be a global effort: websites mimicking the legitimate iCloud login page have been set up in ten languages (Chinese, English, French, German, Indonesian, Italian, Portuguese, Russian, Spanish and Vietnamese). Because of the scale of the operation, the chances are that the phishing scam is operating as a service for criminals who want to unlock devices they’ve stolen.
Recognising a phishing scam
These phishing sites are good copies of the legitimate iCloud login page, as you can see above. The best giveaway is the URL. Organisations that support BYOD should ensure that their staff are properly trained to recognise phishing scams, and exercise caution when clicking links in unsolicited messages.
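As an added illustration of the "check the URL" advice (example code, not from the original article or from Symantec), the following Python check extracts the links from a "your device has been located" message and flags any that do not lead to Apple's own domains. The allow-list, the sample messages and the `.example` hosts are constructed assumptions for this example.

```python
"""Flag links in a device-located message whose destination is not Apple's iCloud.
Allow-list, sample messages and look-alike hosts are constructed for illustration."""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed allow-list: only these registrable domains (and subdomains) count as Apple's.
APPLE_DOMAINS = {"icloud.com", "apple.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'login.icloud.com' -> 'icloud.com'.
    Sufficient for a .com allow-list; a production check would consult the
    public suffix list to handle multi-part TLDs such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify_url(url: str) -> str:
    """Return 'apple' when the link really goes to Apple, else a reason it is suspect."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return "suspect: not https"
    if "@" in parts.netloc:
        # https://icloud.com@evil.example displays 'icloud.com' but connects to evil.example
        return "suspect: userinfo trick in URL"
    if registrable_domain(host) in APPLE_DOMAINS:
        return "apple"
    if any(brand.split(".")[0] in host for brand in APPLE_DOMAINS):
        # 'icloud' or 'apple' appears in the name, but the registered domain is someone else's
        return f"suspect: look-alike host {host}"
    return f"suspect: unrelated host {host}"

def check_message(text: str) -> List[Tuple[str, str]]:
    """Extract every link in a message and classify each one."""
    return [(u, classify_url(u)) for u in URL_RE.findall(text)]

if __name__ == "__main__":
    # Constructed sample messages in the style the article describes.
    samples = [
        "Your lost iPhone was located. Sign in at https://www.icloud.com/find to view it.",
        "Your iPhone has been found! Confirm ownership: https://icloud.com.found-device.example/login",
        "Device located. Recover it now: https://icloud.com@recover-phone.example/signin",
        "Apple ID alert: http://apple-id-locate.example/find",
    ]
    for msg in samples:
        for url, verdict in check_message(msg):
            print(f"{verdict:45} {url}")
```

Run on the samples, only the first link is classified as Apple's; the other three are each flagged for a different reason (look-alike host, userinfo trick, plain http).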
IT Governance’s Employee Phishing Vulnerability Assessment will identify potential vulnerabilities among your employees and provide recommendations to improve your security, enabling you to have a broad understanding of how you are at risk, and what you need to do to address these risks.