
Security Expert Unmasks His Scammer

How a security expert turned the tables on a fraudster trying to '0wn' his pilfered iPhone

A young iPhone scammer in Ireland had no clue who he was dealing with when he tried to shake down the owner of a stolen iPhone 5 he had acquired after it was snatched from the owner's coat pocket in a Dublin pub.

Turns out the iPhone belonged to security expert Ralph Logan, who was visiting Dublin in September on business and had been out for a pint or two one evening with a friend who was there as part of the roadie crew for former Pink Floyd band member Roger Waters' "The Wall" tour. Logan didn't realize his smartphone was missing until he and his fellow revelers were settled in at a second pub that night.

Logan's iPhone was locked with "Find My iPhone" enabled, so he messaged the phone with his name and hotel information in hopes someone had found it and would return it. "I didn't get any response," says Logan, who is a partner at Logan Haile. When he returned home to the States, he purchased a new iPhone 5S and "moved on."

But on Nov. 13, he received a message via Twitter from "Lee Cork," asking whether Logan had recently lost an iPhone 5 in Ireland. Logan confirmed that he lost his phone with a gray and orange case in Dublin, and gave Cork his Gmail address. (Cork had gleaned Logan's email from the stolen iPhone.)

Cork sent Logan this email message:

Lee Cork

Nov 13

Hi Ralph, My name Lee and I work for a company in Belfast which specialise in mobile technician repairs replace etc. A few days ago a guy came in with what is believed to be your phone to get it unlocked or used as parts but upon opening the phone up we came across your name and have be trying to track you down. I would like to return the phone to you but I need to take verification steps can you please forward on the following information:
1- Apple ID and Password
2- A list of 5 contacts numbers you would have used prior to the phone been lost.
3- Your Full name, phone number and Full address.

Lee Cork, RTP General Manager

That's how "Lee" gave himself away as a scammer: The iPhone 5 required Logan's Apple ID and passcode to reinstall the iOS, a feature that prevents thieves from wiping and using stolen phones as their own, so Lee was obviously neither a Good Samaritan nor a sophisticated scammer. Logan then decided it was time to root out the scammer who had his iPhone. "As soon as I got that email, I launched my black-box investigation," he says.

Logan declined to share details of his investigation on the record, but said he was able to dig up some key information on Lee, including his real name -- Martin -- his real email address, his girlfriend's name, and his brother's name. After "Lee" emailed him again for the iPhone credentials and information, Logan responded with an email sent to both Martin's scammer and real email addresses.

The email said, in part:

Nov 29, 2013


Firstly, you can drop the idiotic pretense of being Lee Cork in Belfast. You are Martin XXXXXX in Dublin. Secondly, I know you acquired my stolen phone as I've been investigating you for weeks now. The bad news for you is worse than just being out of pocket some money. The bad news is that you acquired stolen property that is owned by a very capable and determined professional security investigator. It's what I do for a living. I currently have enough evidence to roll up and remand you into custody anytime I want. However I've taken this a bit personally and don't want to involve the Irish local authorities just yet.

Logan then dropped the first names of Martin's girlfriend, brother, and mother in the message, and gave him an ultimatum:

Here's what I've decided to do. I'm literally giving you until Wednesday, December 4th to take my phone and drop it with the receptionist at XXXXXX at the following address: xxxxxxxx, Dublin 2

You can tell the receptionist any story you like, but have her label the phone for XXXXXX. XXXXXX is the head of security at that location, who I happened to be visiting while in Dublin. He'll get it back to me.

The phone was delivered, undamaged, to Logan's colleague's office in Dublin on Dec. 3. "I had him drop it off at a neutral site in Dublin," he says. Turns out Martin had paid 300 euros to someone else who had either stolen or purchased the stolen phone.

Logan says the other method he had planned to use to name and shame the scammer was an email that could have traced his source IP address. "I would send him an HTML email with a link to an embedded one-pixel image that would GET from my Web server, which would reveal his source IP address," he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

