ESET’s Research Lab analyzes a case of phishing delivered by SMS to victims of iPhone theft, aimed at obtaining their iCloud credentials and device unlock code.
ESET, a leader in proactive threat detection, warns victims of iPhone theft about phishing sent through SMS messages, in which the scammer impersonates a trusted entity to obtain confidential information: specifically, the victim’s iCloud credentials and the device’s unlock code.
The deception takes place after the victim’s phone has been stolen. Having activated a new device, the victim receives SMS messages informing them of the supposed location of their iPhone, as shown in the following image.
If the user falls for the deception, they are taken to a fraudulent site that imitates the company’s official website and asks them to enter their account credentials. The domain shown in the URL does not correspond to an official site, despite its similar appearance and its use of familiar words, which are intended to lend credibility to the deception and lure the victim into the trap.
“The victim of the theft of his iPhone fell into the trap, and that is how the message reached the ESET lab for analysis. We had to change the last characters of the link to reach the active site, which shows that personalized links are sent to the victims of device theft, seeking closer tracking of each potential victim,” said Camilo Gutiérrez, Head of the Research Laboratory at ESET Latin America.
The page’s only purpose is to steal credentials: when any information is entered, the site does not check whether the credentials are correct, and it then urges the user to enter the phone’s unlock code as well.
Once the iCloud credentials and the phone’s unlock code have been entered (the point at which the victim in this case realized it was phishing), the page redirects to a location in Google Maps.
In addition, the URLs reviewed show signs of being intended for social-engineering hoaxes. Neither domain serves an active site at its top level; content appears only when the full links, with their subdomains, are accessed. Analyzing the server’s IP address also revealed two other sites (now offline) hosted at the same address that had been created to run phishing campaigns.
ESET’s Research Lab recommends not clicking on links you receive without first verifying their source and veracity and confirming that they come from an official site, just as with phishing messages that arrive by email.
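One way to perform the check this recommendation describes, as an added example that is not part of the original article or of ESET’s tooling: extract the registrable domain from a link and compare it with an allowlist of the vendor’s real domains, so that a host that merely contains a familiar word (such as “icloud” in a subdomain, as in the case above) is flagged rather than trusted. The allowlist, the short public-suffix table and the sample links are assumptions constructed for the demonstration (the IP address and the `.example` names are reserved documentation values).

```python
"""Is this link really on an official domain?

Added example, not ESET's code.  It classifies a URL by its registrable
domain (eTLD+1) instead of by whether the hostname "looks like" iCloud,
which is exactly the trick the SMS phishing above relies on.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: the domains on which Apple actually serves iCloud sign-in.
OFFICIAL_DOMAINS = {"apple.com", "icloud.com"}
# Words a lure is likely to embed in a subdomain or userinfo part.
BRAND_WORDS = ("apple", "icloud")
# Tiny stand-in for the Public Suffix List; production code should use the
# full list (e.g. the publicsuffix2 package) so every country suffix is known.
MULTI_LABEL_SUFFIXES = {"com.ar", "com.br", "com.mx", "co.uk"}


def is_ip(host: str) -> bool:
    """True for a bare IPv4/IPv6 literal used as the host."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname ('icloud.com.ar' stays 'icloud.com.ar',
    'icloud.com.evil.example' becomes 'evil.example'); IPs are returned as-is."""
    host = host.lower().rstrip(".")
    if is_ip(host):
        return host
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def check_link(url: str):
    """Classify a link as 'official', 'lookalike' or 'unrelated'.

    Returns (verdict, {"domain": eTLD+1, "flags": [warnings]}).  The verdict
    is decided by the registrable domain only; flags record other red signs
    (userinfo trick, plain http, bare IP) that should keep a user from
    typing credentials even when the domain is right.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host:
        return "unrelated", {"domain": "", "flags": ["no hostname"]}

    domain = registrable_domain(host)
    flags = []
    if parts.username is not None:
        # https://icloud.com@203.0.113.5/ -> the real host is after the '@'
        flags.append("userinfo before '@' is not the host")
    if parts.scheme != "https":
        flags.append("not https")
    if is_ip(host):
        flags.append("bare IP address")

    if domain in OFFICIAL_DOMAINS:
        verdict = "official"
    elif any(word in parts.netloc.lower() for word in BRAND_WORDS):
        verdict = "lookalike"  # brand word present, but not the brand's domain
    else:
        verdict = "unrelated"
    return verdict, {"domain": domain, "flags": flags}


def looks_legitimate(url: str) -> bool:
    """Only an official domain with no red flags is worth signing in to."""
    verdict, details = check_link(url)
    return verdict == "official" and not details["flags"]


# Constructed sample links (not the URLs from the real case).
SAMPLE_LINKS = [
    "https://www.icloud.com/find",                  # official host
    "https://icloud.com.findmy-device.example/x1",  # brand word in a subdomain
    "https://icloud.com.ar/find",                   # brand word under another suffix
    "https://icloud.com@203.0.113.5/find",          # userinfo trick, host is the IP
    "http://www.icloud.com/find",                   # right domain, wrong scheme
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, details = check_link(link)
        print(f"{verdict:9} {details['domain']:24} {details['flags']}  {link}")
```

The verdict deliberately ignores everything to the left of the registrable domain, because that is the part an attacker controls; the flags cover the remaining tricks (a `user@` prefix that mimics a domain, a plain-HTTP link, a raw IP). For real deployments, replace the four-entry suffix table with the full Public Suffix List, otherwise a lure under an unlisted country suffix would be mis-parsed.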
“In this case, the victim of the iPhone theft should have gone directly to the iCloud site and taken the necessary steps to use the device-location service. That way, they could have confirmed whether or not their device was active and locatable somewhere,” Gutiérrez commented. “Cybercriminals continually seek to improve their practices and adapt them to advances in technology and device security options. It is important to report these incidents, both the theft of the device and of personal data, when you are a victim of phishing.”