Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:27 PM
Connect Directly

Security Expert Unmasks His Scammer

How a security expert turned the tables on a fraudster trying to '0wn' his pilfered iPhone

A young iPhone scammer in Ireland had no clue who he was dealing with when he tried to shake down the owner of a stolen iPhone 5 he had acquired after it was snatched from the owner's coat pocket in a Dublin pub.

Turns out the iPhone belonged to security expert Ralph Logan, who was visiting Dublin in September on business and had been out for a pint or two one evening with a friend who was there as part of the roadie crew for former Pink Floyd band member Roger Waters' "The Wall" tour. Logan didn't realize his smartphone was missing until he and his fellow revelers were settled in at a second pub that night.

Logan's iPhone was locked with "Find My iPhone" enabled, so he messaged the phone with his name and hotel information in hopes someone had found it and would return it. "I didn't get any response," says Logan, who is a partner at Logan Haile. When he returned home to the States, he purchased a new iPhone 5S and "moved on."

But on Nov. 13, he received a message via Twitter from "Lee Cork," asking whether Logan had recently lost an iPhone 5 in Ireland. Logan confirmed that he lost his phone with a gray and orange case in Dublin, and gave Cork his Gmail address. (Cork had gleaned Logan's email from the stolen iPhone.)

Cork sent Logan this email message:

Lee Cork

Nov 13

Hi Ralph, My name Lee and I work for a company in Belfast which specialise in mobile technician repairs replace etc. A few days ago a guy came in with what is believed to be your phone to get it unlocked or used as parts but upon opening the phone up we came across your name and have be trying to track you down. I would like to return the phone to you but I need to take verification steps can you please forward on the following information:
1- Apple ID and Password
2- A list of 5 contacts numbers you would have used prior to the phone been lost.
3- Your Full name, phone number and Full address.

Lee Cork, RTP General Manager

That's how "Lee" gave himself away as a scammer: The iPhone 5 required Logan's Apple ID and passcode to reinstall the iOS, a feature that prevents thieves from wiping and using stolen phones as their own, so Lee was obviously neither a Good Samaritan nor a sophisticated scammer. Logan then decided it was time to root out the scammer who had his iPhone. "As soon as I got that email, I launched my black-box investigation," he says.

Logan declined to share details of his investigation on the record, but said he was able to dig up some key information on Lee, including his real name -- Martin -- his real email address, his girlfriend's name, and his brother's name. After "Lee" emailed him again for the iPhone credentials and information, Logan responded with an email sent to both Martin's scammer and real email addresses.

The email, said, in part:

Nov 29, 2013


Firstly, you can drop the idiotic pretense of being Lee Cork in Belfast. You are Martin XXXXXX in Dublin. Secondly, I know you acquired my stolen phone as I've been investigating you for weeks now. The bad news for you is worse than just being out of pocket some money. The bad news is that you acquired stolen property that is owned by a very capable and determined professional security investigator. It's what I do for a living. I currently have enough evidence to roll up and remand you into custody anytime I want. However I've taken this a bit personally and don't want to involve the Irish local authorities just yet.

Logan then dropped the first names of Martin's girlfriend, brother, and mother in the message, and gave him an ultimatum:

Here's what I've decided to do. I'm literally giving you until Wednesday, December 4th to take my phone and drop it with the receptionist at XXXXXX at the following address: xxxxxxxx, Dublin 2

You can tell the receptionist any story you like, but have her label the phone for XXXXXX. XXXXXX is the head of security at that location, who I happened to be visiting while in Dublin. He'll get it back to me.

The phone was delivered, undamaged, to Logan's colleague's office in Dublin on Dec. 3. "I had him drop it off at a neutral site in Dublin," he says. Turns out Martin had paid 300 euros to someone else who had either stolen or purchased the stolen phone.

Logan says the other method he had planned to use to name and shame the scammer was an email that could have traced his source IP address. "I would send him an HTML email with a link to an embedded one-pixel image that would GET from my Web server, which would reveal his source IP address," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-15
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
PUBLISHED: 2019-10-15
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in...
PUBLISHED: 2019-10-15
In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
PUBLISHED: 2019-10-15
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
PUBLISHED: 2019-10-15
In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.