An iPhone phishing scam combines elements of physical theft and digital crime in an effort to steal victims’ Apple ID credentials.

According to Trend Micro senior threat researcher Fernando Mercês, it all started when someone stole his friend’s iPhone while they were walking around one of the big metropolitan areas in Brazil. The friend purchased a replacement device and activated it with the same phone number. Everything appeared normal aside from his Facebook password having changed.

Fortunately, Mercês’ friend had linked his Facebook account to his phone number, so he was able to recover access to his profile and change his password that way. Nothing out of the ordinary happened for the remainder of the day. But a day later, the friend received a mysterious phishing SMS message sent to their new iPhone.

SMS message with a link to a phishing page. (Source: Trend Micro)

The text, written in Portuguese, said the friend had lost their phone and someone had turned it on. It then asked the friend to view their device’s last location by following a provided link and logging into their Apple account. The only problem was that the linked Apple sign-in page was a fake.

In the meantime, the friend checked the last location of their stolen iPhone and verified that it had last been turned on in the area where someone had stolen it.

Here’s what Mercês thinks happened:

“… it appears the modus operandi is to physically steal the victim’s phone (while in use, so they can still access the apps), uncover the device’s number, then try changing the password of installed social networking (and possibly email) apps—probably to extort the victim in the future—before turning the stolen device off as soon as possible. Attackers then try to grab the victim’s Apple ID credentials using a phishing page and a socially engineered SMS message pretending to be Apple.”

If the target takes the bait, the attackers can leverage the Apple ID credentials to wipe the iPhone and resell it. They can also sell the Apple ID username and password on the criminal underground.

To help protect against phishing attacks that blend physical theft with digital crime, iPhone users should do several things. First, they should take care to protect their devices against would-be thieves by never leaving them unattended in public settings. Second, they should consider reducing the time it takes their device to sleep in order to prevent unauthorized individuals from accessing their unlocked phone. Third, they should lock down their phones with a strong PIN code or biometric factor. Fourth, they should familiarize themselves with common phishing attacks and how to protect against them. And lastly, they should protect their Apple accounts with two-step verification (2SV), as doing so will prevent an attacker from authenticating as the victim even if the attacker acquires the victim’s Apple ID credentials.