How a security expert turned the tables on a fraudster trying to '0wn' his pilfered iPhone

Dark Reading Staff, Dark Reading

December 13, 2013

4 Min Read

A young iPhone scammer in Ireland had no clue who he was dealing with when he tried to shake down the owner of a stolen iPhone 5 he had acquired after it was snatched from the owner's coat pocket in a Dublin pub.

Turns out the iPhone belonged to security expert Ralph Logan, who was visiting Dublin in September on business and had been out for a pint or two one evening with a friend who was there as part of the roadie crew for former Pink Floyd band member Roger Waters' "The Wall" tour. Logan didn't realize his smartphone was missing until he and his fellow revelers were settled in at a second pub that night.

Logan's iPhone was locked with "Find My iPhone" enabled, so he messaged the phone with his name and hotel information in hopes someone had found it and would return it. "I didn't get any response," says Logan, who is a partner at Logan Haile. When he returned home to the States, he purchased a new iPhone 5S and "moved on."

But on Nov. 13, he received a message via Twitter from "Lee Cork," asking whether Logan had recently lost an iPhone 5 in Ireland. Logan confirmed that he lost his phone with a gray and orange case in Dublin, and gave Cork his Gmail address. (Cork had gleaned Logan's email from the stolen iPhone.)

Cork sent Logan this email message:

Lee Cork
Nov 13
Hi Ralph, My name Lee and I work for a company in Belfast which specialise in mobile technician repairs replace etc. A few days ago a guy came in with what is believed to be your phone to get it unlocked or used as parts but upon opening the phone up we came across your name and have be trying to track you down. I would like to return the phone to you but I need to take verification steps can you please forward on the following information:
1- Apple ID and Password
2- A list of 5 contacts numbers you would have used prior to the phone been lost.
3- Your Full name, phone number and Full address.
Lee Cork, RTP General Manager

That's how "Lee" gave himself away as a scammer: The iPhone 5 required Logan's Apple ID and passcode to reinstall the iOS, a feature that prevents thieves from wiping and using stolen phones as their own, so Lee was obviously neither a Good Samaritan nor a sophisticated scammer. Logan then decided it was time to root out the scammer who had his iPhone. "As soon as I got that email, I launched my black-box investigation," he says.

Logan declined to share details of his investigation on the record, but said he was able to dig up some key information on Lee, including his real name -- Martin -- his real email address, his girlfriend's name, and his brother's name. After "Lee" emailed him again for the iPhone credentials and information, Logan responded with an email sent to both Martin's scammer and real email addresses.

The email, said, in part:

Nov 29, 2013 Martin, Firstly, you can drop the idiotic pretense of being Lee Cork in Belfast. You are Martin XXXXXX in Dublin. Secondly, I know you acquired my stolen phone as I've been investigating you for weeks now. The bad news for you is worse than just being out of pocket some money. The bad news is that you acquired stolen property that is owned by a very capable and determined professional security investigator. It's what I do for a living. I currently have enough evidence to roll up and remand you into custody anytime I want. However I've taken this a bit personally and don't want to involve the Irish local authorities just yet.

Logan then dropped the first names of Martin's girlfriend, brother, and mother in the message, and gave him an ultimatum:

Here's what I've decided to do. I'm literally giving you until Wednesday, December 4th to take my phone and drop it with the receptionist at XXXXXX at the following address: xxxxxxxx, Dublin 2 You can tell the receptionist any story you like, but have her label the phone for XXXXXX. XXXXXX is the head of security at that location, who I happened to be visiting while in Dublin. He'll get it back to me.

The phone was delivered, undamaged, to Logan's colleague's office in Dublin on Dec. 3. "I had him drop it off at a neutral site in Dublin," he says. Turns out Martin had paid 300 euros to someone else who had either stolen or purchased the stolen phone.

Logan says the other method he had planned to use to name and shame the scammer was an email that could have traced his source IP address. "I would send him an HTML email with a link to an embedded one-pixel image that would GET from my Web server, which would reveal his source IP address," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights