Attacks/Breaches
12/12/2013
03:27 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Security Expert Unmasks His Scammer

How a security expert turned the tables on a fraudster trying to '0wn' his pilfered iPhone

A young iPhone scammer in Ireland had no clue who he was dealing with when he tried to shake down the owner of a stolen iPhone 5 he had acquired after it was snatched from the owner's coat pocket in a Dublin pub.

Turns out the iPhone belonged to security expert Ralph Logan, who was visiting Dublin in September on business and had been out for a pint or two one evening with a friend who was there as part of the roadie crew for former Pink Floyd band member Roger Waters' "The Wall" tour. Logan didn't realize his smartphone was missing until he and his fellow revelers were settled in at a second pub that night.

Logan's iPhone was locked with "Find My iPhone" enabled, so he messaged the phone with his name and hotel information in hopes someone had found it and would return it. "I didn't get any response," says Logan, who is a partner at Logan Haile. When he returned home to the States, he purchased a new iPhone 5S and "moved on."

But on Nov. 13, he received a message via Twitter from "Lee Cork," asking whether Logan had recently lost an iPhone 5 in Ireland. Logan confirmed that he lost his phone with a gray and orange case in Dublin, and gave Cork his Gmail address. (Cork had gleaned Logan's email from the stolen iPhone.)

Cork sent Logan this email message:

Lee Cork

Nov 13

Hi Ralph, My name Lee and I work for a company in Belfast which specialise in mobile technician repairs replace etc. A few days ago a guy came in with what is believed to be your phone to get it unlocked or used as parts but upon opening the phone up we came across your name and have be trying to track you down. I would like to return the phone to you but I need to take verification steps can you please forward on the following information:
1- Apple ID and Password
2- A list of 5 contacts numbers you would have used prior to the phone been lost.
3- Your Full name, phone number and Full address.

Lee Cork, RTP General Manager

That's how "Lee" gave himself away as a scammer: The iPhone 5 required Logan's Apple ID and passcode to reinstall the iOS, a feature that prevents thieves from wiping and using stolen phones as their own, so Lee was obviously neither a Good Samaritan nor a sophisticated scammer. Logan then decided it was time to root out the scammer who had his iPhone. "As soon as I got that email, I launched my black-box investigation," he says.

Logan declined to share details of his investigation on the record, but said he was able to dig up some key information on Lee, including his real name -- Martin -- his real email address, his girlfriend's name, and his brother's name. After "Lee" emailed him again for the iPhone credentials and information, Logan responded with an email sent to both Martin's scammer and real email addresses.

The email, said, in part:

Nov 29, 2013

Martin,

Firstly, you can drop the idiotic pretense of being Lee Cork in Belfast. You are Martin XXXXXX in Dublin. Secondly, I know you acquired my stolen phone as I've been investigating you for weeks now. The bad news for you is worse than just being out of pocket some money. The bad news is that you acquired stolen property that is owned by a very capable and determined professional security investigator. It's what I do for a living. I currently have enough evidence to roll up and remand you into custody anytime I want. However I've taken this a bit personally and don't want to involve the Irish local authorities just yet.

Logan then dropped the first names of Martin's girlfriend, brother, and mother in the message, and gave him an ultimatum:

Here's what I've decided to do. I'm literally giving you until Wednesday, December 4th to take my phone and drop it with the receptionist at XXXXXX at the following address: xxxxxxxx, Dublin 2

You can tell the receptionist any story you like, but have her label the phone for XXXXXX. XXXXXX is the head of security at that location, who I happened to be visiting while in Dublin. He'll get it back to me.

The phone was delivered, undamaged, to Logan's colleague's office in Dublin on Dec. 3. "I had him drop it off at a neutral site in Dublin," he says. Turns out Martin had paid 300 euros to someone else who had either stolen or purchased the stolen phone.

Logan says the other method he had planned to use to name and shame the scammer was an email that could have traced his source IP address. "I would send him an HTML email with a link to an embedded one-pixel image that would GET from my Web server, which would reveal his source IP address," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web