Beware of Apple ID Phishing For Lost iPhones

Since iOS 7, iOS devices added the Activation Lock feature to discourage theft. It requires iPhone owners to enter their Apple ID logins once their phones get formatted. Without the logins, the formatted iPhones will not boot into the Home Screen. This feature can be enabled by activating Find My iPhone in the iPhone settings.

Recently a friend got her iPhone stolen. Using the Find My iPhone feature, she logged into iCloud and put the phone in Lost Mode. She provided a contact number and a message to be displayed on her lost device in case people would return it. A few days later, she received the following text message on her contact phone.

Phishing Text Message
Phishing text message sent to the contact number of the lost iPhone

The text message offers her a glimpse of hope by promising the location of the lost iPhone. When she opens the provided URL, instead of a website showing the device's location, a website identical to Apple's login page gets shown. For the tech-savy, the site screams of a phishing attack. For my friend and others without a technical background, the website looks legitimate. They will be easily tricked into giving up their logins.

Phishing Website
Apple ID phishing website

If the users enter their Apple ID login, thinking they can view the lost phone's location, the information would get recorded in plaintext by the phishing website. With the devices' associated Apple ID logins, the thief can disable Activation Lock and reuse the iPhone.

Note that the attack is directed at the owner. The phishing text message must have came from the thief, as he is the only one that have the lost contact number. The phishing URL in the message can be tagged with a unique ID tying the device, contact number, and logins the owner enters into the phishing website. With this tie, the thief does not need to guess which stolen login unlocks which stolen iPhone.

Providing a contact number for a lost iPhone can be a good idea if people are honest. If the other party is malevolent, the contact number can be used to trick the owners into giving out their Apple IDs. As a rule of thumb, always be careful when entering sensitive information into websites. If the website is not SSL protected (nowadays all modern browsers show a green lock icon on the address bar to indicate SSL authenticity) don't enter your information. If you have never seen the domain of the website, don't enter your information. Be vigilant with whom you're giving your information.