  • Scammers try to trick Apple users by claiming that their lost iPhone X has been found.
  • The included URL sends the victim to a phishing domain where they enter their iCloud credentials.
  • The server hosting the multiple phishing domains is based in Russia and uses common spoofing methods.

There’s a new Apple-themed phishing campaign out there that seems to be working just fine for the scammers. According to the reports, people are receiving text messages (SMS) stating that their “lost iPhone X 64GB Space Grey” has been found, along with a URL that supposedly opens a map showing the exact location. The key elements here are that the message is signed by “Apple Support”, the recipient is addressed by their real name, and the URL lends some legitimacy too, as it’s “maps-icloud[.]com”.

Source: Krebs on Security

Krebs did some digging on these reports and found that the phishing domain is hosted on a Russian server that also hosts several other subdomains that are meant to be used in similar campaigns. Examples include:

  • apple.com-support[.]id
  • apple.com-findlocation[.]id
  • apple.com-sign[.]in
  • apple.com-isupport[.]in
  • icloud.com-site-log[.]in

If you have received an SMS or email pointing to any of the above domains, you may disregard the message. All of these domains are served over “https://”, which gives them a “certified” look, and they start with a legitimate word like “Apple” or “iCloud”. However, their true destination is the registered domain at the end: “support.id”, “sign.in”, “findlocation.id”, etc. This is why these phishing domains work so well for the actors.
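To make the point concrete, here is an added example (not part of the original post or of Krebs’ reporting) that pulls every URL out of a message body, works out the registered domain the way a browser would read it, and flags hostnames that carry a brand word such as “apple” or “icloud” without actually belonging to apple.com or icloud.com. It assumes the registered domain is simply the last two DNS labels (no public-suffix list), and the sample SMS text is constructed.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Hostnames quoted in the post (defanging brackets removed) plus two legitimate ones.
SAMPLE_URLS = [
    "https://maps-icloud.com/locate",
    "https://apple.com-support.id/login",
    "https://apple.com-findlocation.id/",
    "https://apple.com-sign.in/",
    "https://apple.com-isupport.in/",
    "https://icloud.com-site-log.in/",
    "https://support.apple.com/",   # legitimate
    "https://www.icloud.com/find",  # legitimate
]

# Constructed sample message in the style described in the post.
SAMPLE_SMS = ("Apple Support: Your lost iPhone X 64GB Space Grey has been found. "
              "View its location at https://maps-icloud.com/find")

BRANDS = ("apple", "icloud")
LEGIT_DOMAINS = {"apple.com", "icloud.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host: str) -> str:
    """Approximate the registered domain as the last two labels of the host.
    Assumption: no public-suffix list, so suffixes like co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one URL.

    A host is a lookalike when a brand word appears anywhere in it (as a
    subdomain label or glued on with a hyphen, e.g. apple.com-support.id)
    but the registered domain is not one of the genuine brand domains.
    """
    host = urlsplit(url).hostname or ""
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    if any(brand in host.lower() for brand in BRANDS):
        return "lookalike"
    return "unrelated"


def scan_message(text: str) -> List[Tuple[str, str, str]]:
    """Find every URL in an SMS/email body and return (url, registered domain, verdict)."""
    return [(u, registrable_domain(urlsplit(u).hostname or ""), classify(u))
            for u in URL_RE.findall(text)]
```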

Of course, the vast majority of the recipients of these messages have not lost an “iPhone X 64GB”, nor have they initiated a “Find My” process with Apple. Still, receiving this message with their name and the promise of a cool new device worth many hundreds of dollars makes them believe that, somehow, luck has smiled upon them. As always, this is never the case in reality, and you should avoid clicking on any URL sent to you via SMS or email. If you’re still curious, just visit the real Apple Support or iCloud login page and check for any incoming messages.

Domain spoofing actors will never stop trying, and as long as there are gullible people who will bite the hook, these campaigns will continue. Apple device owners are the most targeted category out there, so if you belong to it, beware. Apple users usually have a loaded bank account, generally spend more on apps and services than Android users, and are less likely to suspect something when they receive a message claiming to come from their favorite tech manufacturer. Apple is the most impersonated brand out there, followed by Yahoo, PayPal, and Dropbox.