Phishing for my Apple ID and Password

Last December my wife had the unfortunate luck of losing her iPhone 6 in the Charles De Gaulle Airport in Paris. She had last used the iPhone on the plane, and first noticed it was missing a few minutes after going through customs and receiving our baggage. Despite an hour or two of working with security, airline personnel, and retracing our steps, the iPhone remained missing. Had she left it on the plane? Been pick-pocketed at baggage claim? We played out each theory in our minds for the remainder of our trip but ultimately came to one conclusion: it was just lost.

Being the tech-savvy consumers that we are, we immediately jumped on iCloud as soon as we arrived at our hotel and put the phone in Lost Mode. She had the iPhone password protected, and logging into her iCloud account allowed us to display a “lost” message on the iPhone and use her Apple ID to report the device as missing. We knew that even if someone found the phone, they wouldn’t be able to use it. They’d have to restore the phone to bypass her passcode, and once it was restored it couldn’t be activated without her Apple ID and password. We just hoped a Good Samaritan would find it, see our “lost” message, and get in touch with us to return the device.

Upon returning home from our trip, there was still no sign of the device. We checked the “Find my iPhone” app on a daily basis, hoping the phone would magically pop online and share its location with us. After a week or two of no luck, with the two of us using my iPhone as our “family phone”, we broke down and bought her a new phone, and eventually moved on.

The lost iPhone was nothing but a cautionary tale about keeping your belongings close at airports, until I received a text this morning. The text claimed to be from Apple, and told me the missing iPhone had been used a few minutes ago and that I could log in online at [URL REMOVED] to track it. The message came from a random phone number with a 206 area code, and instantly raised my suspicions. I couldn’t tell you what number I’d expect a text from Apple to come from, but it wouldn’t be such a plain 10-digit number. What the message lacked in phone-number flash, though, it made up for with its accurate data about our lost device.

[Image: iCloud Apple ID and password phishing text message. Caption: Text message from “Apple”]

The text correctly identified that we had a missing iPhone 6. It also correctly stated that the iPhone was linked with an Apple ID in the format “p***?m**.edu”. If I assumed the ? was supposed to be an “@” symbol (maybe caused by an SMS formatting issue), then it fit her actual Apple ID perfectly. P***@m**.edu is her Apple ID format. Even the website they used made sense. We lost the iPhone in Paris, so if it came online, why wouldn’t it send us a message from a .eu website? And since my phone number was associated with her iCloud account, of course I’d get the text.

I was still suspicious, but it was hard to ignore the amount of specific information they had about our lost device. So I did what any knowledgeable tech guy would do: I googled it. I tried searching for the phone number, to see if it had been flagged online as a fake number. I got nothing. I tried searching for other stories of people who had received similar messages about their lost iPhone. I got nothing. I couldn’t find one shred of information that someone else had noticed the same scam. I came to the conclusion that it was either a legitimate message from Apple, or it was a brand new scam that no one was talking about yet.

Eventually curiosity got the best of me, and I clicked on the link. I knew just how easily I could get a virus from following an unsafe link, but I had to know if this was a legitimate message. After snooping around the website for a few minutes, it was clear the link was a fake. The site wasn’t served over “https”, which all major companies would use to verify the identity of their site. And while it looked like a real Apple site, none of the links on the page worked. Clicking the menu links at the top of the page simply refreshed the site, and the text on the left side of the page cut off mid-sentence. Apple wouldn’t be so careless.

[Image: fake Apple website. Caption: Fake iCloud Website]

It was clear now that I had been baited. Whoever was on the other side of that text message had built the fake website to try and get my Apple ID and password. The fake text employed a common technique for harvesting login data, known as phishing. But what wasn’t common was the amount of data they already had about me. How did they know my wife had lost her iPhone 6? How did they know the Apple ID associated with that phone? And how did they know to text me about it?

I came up with two explanations. The first was that the hacker who built this website and sent me the fake text message was actually the person who physically had her missing iPhone. The message we displayed on the lost iPhone would let them realize the device was missing and see the obscured version of her Apple ID that I was sent. But what are the chances that my wife’s missing phone just happened to end up in the hands of a hacker sophisticated enough to pull off this deception? I figured this had to be unlikely.

The only other alternative was that our iCloud data had been hacked. Besides the person holding our missing phone, only Apple could link her Apple ID, my phone number, and her missing device information. I knew iCloud had been hacked pretty publicly back in 2014, but there were no new reports of a hack that would have leaked my wife’s information. Was my iCloud data stolen in a previous hack, or has Apple been breached yet again and I’m just the first one talking about it?

Unfortunately, I still don’t have a good answer. And even though I had no reason to believe my wife’s Apple ID password had been compromised, we decided to reset it anyway, just to be on the safe side. But are we a few days away from hearing about a new Apple iCloud data breach? Or is there another explanation for the disconcerting text message I received?

The only thing I know for sure is to keep trusting my gut when I get suspicious. Online phishing is on the rise, and identity theft and fraudulent credit card charges are things that I’d really like to avoid.

-Matt Ham, Owner of Computer Repair Doctor