Stolen iPhone

The phishing link is to obtain your account details so they can unlock the phone. Don't fall for it. In most cases they just use the phone for spare parts when they can't unlock it. It is near impossible to unlock without your details.
 
It's actually gone. I wouldn't bother with the smses coming from "Standard Bank"

Maybe just some advice to anyone, one thing I find that helps is a really good passcode, a really difficult one to guess, go crazy if you have to. Never reply to any sms claiming the phone has been found wherever.
Make sure the Control Centre is not accessed from the lock screen or once the phone is locked, my previous iPhone had that on, when it was stolen I'm pretty sure the thief had a tough time getting into the phone. No matter what make sure your data is always on, always, that's some security. They'll never unlock it without your details.
 
The phishing link is to obtain your account details so they can unlock the phone. Don't fall for it. In most cases they just use the phone for spare parts when they can't unlock it. It is near impossible to unlock without your details.
Yup, they are phishing to try get the icloud unlock details.

It's interesting how sophisticated whoever has the op's phone is, that's quite an advanced level of targeted phishing.
 
It's actually gone. I wouldn't bother with the smses coming from "Standard Bank"

Maybe just some advice to anyone, one thing I find that helps is a really good passcode, a really difficult one to guess, go crazy if you have to. Never reply to any sms claiming the phone has been found wherever.
Make sure the Control Centre is not accessed from the lock screen or once the phone is locked, my previous iPhone had that on, when it was stolen I'm pretty sure the thief had a tough time getting into the phone. No matter what make sure your data is always on, always, that's some security. They'll never unlock it without your details.

thank you - good tip

I have done this now
 
A friend's iPhone X was stolen yesterday from his gym locker.

We immediately set iCloud to activate the 'Lost Phone' function to lock it when it comes back online, as the phone was turned off. The option was also selected to notify us if the phone was located.

A short while later, he received an sms on his wife's phone stating that the phone was located, containing a URL:

https://apple.com.location-apps.top/?idmsa=005

This URL redirects to the authentic iCloud website.

If this was a phishing attempt by the culprits, how could that help them? :unsure:
 
A friend's iPhone X was stolen yesterday from his gym locker.

We immediately set iCloud to activate the 'Lost Phone' function to lock it when it comes back online, as the phone was turned off. The option was also selected to notify us if the phone was located.

A short while later, he received an sms on his wife's phone stating that the phone was located, containing a URL:

https://apple.com.location-apps.top/?idmsa=005

This URL redirects to the authentic iCloud website.

If this was a phishing attempt by the culprits, how could that help them? :unsure:

They will have access to the phone since you will type in your iCloud passwords etc. They can then delete your profile and restore the whole phone as if it’s brand new.
 
They will have access to the phone since you will type in your iCloud passwords etc. They can then delete your profile and restore the whole phone as if it’s brand new.

How can they have access if we never turned off the Lost Phone function? Also, because it is the valid iCloud website and not a duplicate to intercept the login details, how can they access it?

The profile is still active, but we are waiting to get a new sim activated so that we can log into iCloud. 2FA was enabled.
 
How can they have access if we never turned off the Lost Phone function? Also, because it is the valid iCloud website and not a duplicate to intercept the login details, how can they access it?

The profile is still active, but we are waiting to get a new sim activated so that we can log into iCloud. 2FA was enabled.
If it is the real site then it is likely the location is legit. It would be nice if you can get a friendly cop or muscle to track and recover it (with a good beating on the thief as a bonus).
 
A friend's iPhone X was stolen yesterday from his gym locker.

We immediately set iCloud to activate the 'Lost Phone' function to lock it when it comes back online, as the phone was turned off. The option was also selected to notify us if the phone was located.

A short while later, he received an sms on his wife's phone stating that the phone was located, containing a URL:

https://apple.com.location-apps.top/?idmsa=005

This URL redirects to the authentic iCloud website.

If this was a phishing attempt by the culprits, how could that help them? :unsure:
The original page is using a Let's Encrypt free certificate, and the webserver is Apache, looks like a Ruby app server.
It's likely looking for a User-Agent or some other phone-readable info; if it doesn't find it, it'll redirect you via a 302 to icloud.com (or the functionality is disabled for now and it just does the 302, to be switched later).

But there's no good reason to host a webserver and custom code just to bounce you elsewhere.
 
A friend's iPhone X was stolen yesterday from his gym locker.

We immediately set iCloud to activate the 'Lost Phone' function to lock it when it comes back online, as the phone was turned off. The option was also selected to notify us if the phone was located.

A short while later, he received an sms on his wife's phone stating that the phone was located, containing a URL:

https://apple.com.location-apps.top/?idmsa=005

This URL redirects to the authentic iCloud website.

If this was a phishing attempt by the culprits, how could that help them? :unsure:

How do you know it is an "authentic iCloud website"? My work internet won't even allow access because it is a new web domain. Real iCloud website works fine though. You are probably being fooled by a phishing site (which is exactly what they want so they can get the username and password to unlock the iPhone).

 
How do you know it is an "authentic iCloud website"? My work internet won't even allow access because it is a new web domain. Real iCloud website works fine though. You are probably being fooled by a phishing site.

The domain is 2 months old, but it does a 302 to icloud.com (see my previous post).
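
The link quoted in this thread can be judged from its hostname alone, before any page loads or redirects. The following is an added example, not part of any post here: it reads the host right to left on label boundaries, and it goes beyond the one URL in the thread to cover brand-in-label, userinfo and trailing-dot variants. The trusted list and all sample links except the one from the thread are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only domains the owner expects to sign in on.
TRUSTED = ("apple.com", "icloud.com")
BRANDS = tuple(d.split(".")[0] for d in TRUSTED)  # "apple", "icloud"


def classify(url, trusted=TRUSTED):
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a link."""
    try:
        parts = urlsplit(url)
        # .hostname is lower-cased and excludes userinfo ("user@") and port.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "invalid"
    labels = [label for label in host.split(".") if label]
    if not labels:
        return "invalid"
    # DNS names are owned from the right-hand end, so compare whole labels
    # there. A plain endswith("apple.com") would also accept "notapple.com".
    for dom in trusted:
        want = dom.split(".")
        if labels[-len(want):] == want:
            return "trusted"
    # Heuristic: a brand name anywhere else in the authority part (left-hand
    # labels, inside a label, or in userinfo) is there to be misread.
    if any(brand in parts.netloc.lower() for brand in BRANDS):
        return "lookalike"
    return "unknown"


SAMPLES = [
    "https://apple.com.location-apps.top/?idmsa=005",  # link from the thread
    "https://www.icloud.com/find",                     # constructed
    "https://ICLOUD.COM./",                            # constructed
    "https://notapple.com/",                           # constructed
    "https://icloud.com@location-apps.example/",       # constructed
    "https://icloud-signin.example/",                  # constructed
    "https://tracking.example/parcel",                 # constructed
]


def report(samples=SAMPLES):
    """Classify every sample link and return (verdict, url) pairs."""
    return [(classify(url), url) for url in samples]


if __name__ == "__main__":
    for verdict, url in report():
        print(f"{verdict:9} {url}")
```

A "trusted" verdict only says the host belongs to a listed domain; a "lookalike" verdict on a message that claims to come from Apple is enough reason not to sign in through it, whatever the page later redirects to.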
 
Yes, turns out it was a phishing attempt, which the guy unfortunately fell for. Phone was removed from his account, but we were able to recover his iCloud account just fine and changed everything.

Be careful with this one, I have not seen it before and would have probably also fallen for it if I was in a state of panic.

The URL redirects to the actual iCloud website. Still trying to understand why they did not just link to it right from the start.

(See attachment.)

Also, the process of getting the lost phone lock cancelled when he logged into the actual iCloud website is still a bit of a puzzle.

There were only two minor red flags:

1.) The sms stating that the phone was located was sent to the owner's wife, and he could not remember if he ever linked her number as a backup phone in iCloud.

2.) The message correctly called him by his first and last name, as well as stating the correct iPhone model and storage amount, but specified the OS to be on 13.1.3. He just upgraded to 13.2 that same day.
 

Attachments

  • iCloud SSL Cert.jpg
This is an old method which sophisticated syndicates are using. Happened to me a few years ago in jhb.
iPhone 6 was stolen from my wife at about midday. By early evening I received an sms (looked extremely legit) on my number, which was the recovery number, indicating the handset had been turned on, and a link was provided to a duplicated (only realized later) iCloud website.
The website looked identical to the original iCloud website while using my phone since I was travelling. Little did I realize the link had icloud.... something and .de or something to that effect.
Quickly after we typed in wife's iCloud details on this fake iCloud webpage they obviously phished the login credentials and removed the device from iCloud.
That was the end... phone gone without trace..
Reported it to iStore and Apple. After some time the website was taken down.

Be very careful, learnt the hard way. Now very wary with URLs..
 
My experience was in mid 2015
 
The domain is 2 months old, but it does a 302 to icloud.com (see my previous post).

Maybe it's some sophisticated man in the middle attack method? Seeing that he was phished since the phone is now removed.

This is one reason I hate URL shorteners or other weird URLs.
 
Damn, I thought I was wake-up enough for this ****. But also, from my experience Apple sends you an email and not an SMS.
 
Your contact details were probably passed by the thief to an iCloud phishing service probably based in Eastern Europe or the like.

Send the SMSs and email to
[email protected] to make their lives a bit more difficult and give them something to do by entering in made up details :)
 
Your contact details were probably passed by the thief to an iCloud phishing service probably based in Eastern Europe or the like.

Send the SMSs and email to
[email protected] to make their lives a bit more difficult and give them something to do by entering in made up details :)
That's probably a good way for checking if the site is a phishing scam or not. Because if it is it'll likely accept anything you type in (well they might check the email but they won't do the same with the password - and to validate the email they'd need unique url links to every person they phish).
 
Maybe it's some sophisticated man in the middle attack method? Seeing that he was phished since the phone is now removed.

This is one reason I hate URL shorteners or other weird URLs.
Like I said earlier, it's probably running some custom code in Apache (Ruby), likely checking for iOS-specific flags, then redirecting if it doesn't get a hit.
They aren't SSL bumping the old connection - their cert is valid as far as a custom site cert is valid.
 
Like I said earlier, it's probably running some custom code in Apache (Ruby), likely checking for iOS-specific flags, then redirecting if it doesn't get a hit.
They aren't SSL bumping the old connection - their cert is valid as far as a custom site cert is valid.

None of what you said is "they're phishing you bro", that is what one has to say to end users, you don't explain intricacies to them unless they ask.
 