Dark Reading is part of the Informa Tech Division of Informa PLC

Risk | Commentary
9/19/2019 02:00 PM
Marc Rogers

Deconstructing an iPhone Spearphishing Attack

How criminals today bypass smartphone anti-theft protection and harvest AppleIDs and passwords through fake Apple servers.

The nature of spearphishing attacks has drastically evolved: We've moved from crudely written, poorly spelled scattergun operations to highly targeted campaigns that leverage knowledge about the victim to increase the attacker's chances of success. Once focused on high-value targets, these attacks have changed their mark, and the ordinary consumer is now in reach. A recent report revealed the rate at which people fall for mobile phishing attacks has increased 85% every year since 2011.

That's not to say that I'm not a fan of recent anti-theft technology adopted by smartphone manufacturers like Apple. I am. Before Apple released features like Find My iPhone and Activation Lock, iPhones were the most stolen item in almost every city. In 2012, over 50% of robberies in San Francisco involved theft of a mobile communications device. With resale prices of new iPhones of dubious pedigree surpassing $1,000, it's easy to see why. But within 12 months of the release of Activation Lock and Find My iPhone for iOS 7 in 2013, iPhone theft fell 50% in London, 40% in San Francisco, and 25% in New York. These features were exactly what we needed to head off surging crime rates. Unfortunately, there are few groups as innovative as criminals. Within months of Apple deploying these anti-theft measures, criminals found ways to limit their effectiveness.

Fast forward to today: When a smartphone is stolen, thieves now power it down and often place it into a foil-lined bag to prevent signals from reaching it. The devices are then powered up only when thieves are positive that no signal can reach or inspect them. If the phone is out of date and a software vulnerability exists, they hack the phone and wipe it clean to be resold. If the phone is up to date but not valuable enough to resell, it is either junked or sold for parts. This can easily happen on both older and newer models of phones. For example, here's how an attacker launched a spearphishing attack this past summer during the San Francisco Pride Parade. On June 30, a pickpocket stole an iPhone X from a teenager during the parade. The phone was up to date and locked with FaceID, and had Activation Lock as well as Find My iPhone enabled. The teenager realized the phone was lost within 10 minutes and immediately enabled lost mode. Too late. The thief had immediately powered the phone down and knew better than to do anything with it.

A little over a week later, the owner started to receive messages, claiming to come from Apple:

Despite reporting the messages as "junk," per Apple's own instructions, the texts continued to flood in. At one point, more than 10 messages per day came in at all hours. The strategy — to spam the target with messages — aims to bully and wear victims down until they click a link just to make it stop. In this case, the attacker employed a system that rotated through several iCloud addresses and phone numbers to prevent the target from blocking or ignoring any of the messages. The repeated nature of the messages and the reappearance of specific examples of spelling, capitalization, and punctuation errors made it clear this was an automated system. 

If the target clicked on one of the links, they were immediately redirected to a fake Find My iPhone page that attempted to harvest their AppleID and password, as shown below, taken from fake Apple servers.
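Two things in the account above are detectable by a defender: the messages come from rotating senders but reuse one template (the same spelling, capitalization and punctuation errors keep reappearing), and the links point at hosts that only look like Apple's. The following is an added example written for this article, not code from the author or from Apple: it fingerprints a constructed batch of messages to surface a campaign that hides behind many senders, and checks each link's registrable domain against the domains Apple actually uses, rather than trusting a hostname merely because it contains "icloud.com". The sender handles, phone numbers and link hosts are made up for the example.

```python
"""Added example: surface a templated phishing campaign and vet its links.

Illustrative code written for this article; not the author's or Apple's.
The message log below is constructed, and every sender and link host in it
is fictitious.
"""
import re
import unicodedata
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log of (sender, body). One template, several senders,
# the same recurring typo ("Located.Sign") and link hosts that merely
# contain "icloud.com" / "apple.com" somewhere in the name.
SAMPLE_MESSAGES = [
    ("lost-device@icloud.example",
     "Your iPhone X has been Located.Sign in to confirm ownership: https://icloud.com.findmy-verify.example/find"),
    ("no-reply@findmy.example",
     "Your iPhone X has been Located.Sign in to confirm ownership: https://apple.com-support.example/find"),
    ("+15555550100",
     "Your iPhone X has been Located.Sign in to confirm ownership: https://icloud.com.findmy-verify.example/find"),
    ("+15555550101",
     "Your iPhone X has been Located.Sign in to confirm ownership: https://findmyiphone.example/find"),
    ("lost-device@icloud.example",
     "Your iPhone X has been Located.Sign in to confirm ownership: https://icloud.com.findmy-verify.example/find"),
    # A single legitimate-looking message from one sender; not part of any campaign.
    ("Apple",
     "Your Apple ID Code is 482913. Don't share it with anyone. https://www.icloud.com/find"),
]

# Registrable domains Apple controls for these services. Treat as a policy
# allow-list for the example, not an exhaustive inventory of Apple domains.
LEGITIMATE_APPLE_DOMAINS = {"apple.com", "icloud.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize(body):
    """Collapse the variation attackers add so the shared template shows through."""
    text = unicodedata.normalize("NFKC", body).lower()
    text = URL_RE.sub("<url>", text)      # rotating links
    text = re.sub(r"\d+", "<num>", text)  # codes, case numbers, dates
    return re.sub(r"\s+", " ", text).strip()


def registrable_domain(host):
    """Last two labels of the host. Adequate for .com here; production code
    should consult the Public Suffix List so co.uk-style suffixes are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_is_legit_apple(url):
    """True only if the link's registrable domain is one Apple owns.
    'icloud.com.findmy-verify.example' parses to 'findmy-verify.example'."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) in LEGITIMATE_APPLE_DOMAINS


def analyse(messages, min_senders=3):
    """Group messages by normalized template; flag templates that arrive from
    at least `min_senders` distinct senders, listing their non-Apple links."""
    by_template = defaultdict(lambda: {"senders": set(), "count": 0, "links": set()})
    for sender, body in messages:
        entry = by_template[normalize(body)]
        entry["senders"].add(sender)
        entry["count"] += 1
        entry["links"].update(URL_RE.findall(body))

    campaigns = []
    for template, entry in by_template.items():
        if len(entry["senders"]) >= min_senders:
            campaigns.append({
                "template": template,
                "messages": entry["count"],
                "distinct_senders": len(entry["senders"]),
                "suspicious_links": sorted(
                    u for u in entry["links"] if not link_is_legit_apple(u)),
            })
    return campaigns


if __name__ == "__main__":
    for c in analyse(SAMPLE_MESSAGES):
        print(f"{c['messages']} messages from {c['distinct_senders']} senders")
        print("  template:", c["template"])
        for link in c["suspicious_links"]:
            print("  non-Apple link:", link)
```

Run against the constructed log, this reports one campaign of five messages from four senders with three non-Apple links, while the single legitimate message is left alone. The domain check is the programmatic form of the advice to type the institution's address yourself: the decision rests on the registrable domain that the URL parser extracts, not on whether a familiar brand string appears somewhere in the link.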

If the target entered their AppleID credentials into the site, the phone would have been quickly deleted from their account. And often, the first moment targets know this has happened is when the missing device disappears from the list of devices trackable through Find My iPhone.

Sometimes, for good measure, the thief will hijack the target's AppleID, changing email addresses and contact information to exploit the account further. As we become increasingly dependent on our online identities for tools like Apple Pay and online banking, the potential rewards from hijacking an account increase exponentially.

The Best Defense
Follow these eight simple measures to protect your privacy in the event of smartphone theft: 

  1. Make sure your device has a strong alphanumeric password in addition to using security features, including biometrics like facial or fingerprint recognition.
  2. If your device is lost or stolen, in addition to setting it to wipe and enabling lost mode, you should also change all of your passwords and log out of any accounts that you access via that device. 
  3. Speed is important. Start by immediately remotely locking your device and then move onto locking down your accounts. Even if you aren't sure if the device was misplaced, lost, or stolen, take steps to protect yourself.
  4. Some applications and services allow you to examine and kill sessions you don't recognize. If this feature is available, use it, and rather than sorting through the sessions, simply kill all of them. Then you can log back in safely, knowing that if a thief does gain access to your phone, they can't get into your accounts.
  5. While stories pop up from time to time about consumers recovering stolen devices themselves, it's usually a better idea to leave crime-fighting to the police.
  6. Take great care when handling messages with links. Never click on a link from an unknown sender and be very cautious with those from known senders. It's increasingly common for attackers to hijack legitimate email accounts in order to send malicious links to friends and family. 
  7. The more urgent a message seems, the more scrutiny you should give it. Attackers like to threaten, coerce, and demand because they know people act rashly when in a hurry.
  8. If a message claims to come from an institution you use, instead of clicking on the link, open a new browser window and go to its website. Alternatively, pick up the telephone and call it. 

Marc Rogers is the executive director of cybersecurity at Okta. With a career that spans more than 20 years, Marc has been hacking since the 80's and is now a white-hat hacker. Prior to Okta, Marc served as the head of security for Cloudflare and spent a decade managing ...