Scammers phishing for sensitive iPhone data

Summary: iPhone users beware - an ongoing phishing campaign impersonating Apple.com attempts to trick users into submitting sensitive device information that could potentially lead to the cloning of the device.

iPhone users beware - an ongoing phishing campaign impersonating Apple.com attempts to trick users into submitting sensitive device information, leaving the scammers in a perfect position to use the data in countless fraudulent variations.

Here are more details on the campaign, and on why phishers would want access to such information.

The phishing campaign has been in circulation for over two weeks and continues to use the "FREE 1 Year Warranty Extension Offer" theme, in emails with subjects such as "IMPORTANT: Your FREE iPhone Warranty Extension for 1 Year!", leading to a domain hosted on fast-flux infrastructure - www.apple.com.PHISHING.com/uk/iphone/warranty.htm.
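As an added defender-side example (not from the article), a small Python check that flags hostnames where a trusted domain appears only as a subdomain or label prefix, the trick used by the www.apple.com.PHISHING.com URL above. The protected-domain set and the sample URLs are constructed for illustration; the registrable-domain logic is deliberately naive (it ignores multi-part public suffixes such as co.uk).

```python
import re
from urllib.parse import urlsplit

# Domains the campaign impersonates; "apple.com" comes from the article.
PROTECTED_DOMAINS = {"apple.com"}

# Constructed sample URLs modelled on the pattern quoted in the article.
SAMPLE_URLS = [
    "http://www.apple.com.PHISHING.com/uk/iphone/warranty.htm",  # brand as a leading subdomain
    "https://www.apple.com/uk/iphone/",                          # genuine host
    "http://apple.com-warranty.example/offer",                    # brand glued into a label
    "https://pineapple.com/",                                     # unrelated, must not be flagged
]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels of the hostname (assumption: no multi-part suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(url: str, protected=PROTECTED_DOMAINS) -> bool:
    """True when a protected domain is embedded in the host but is not the registrable domain."""
    host = (urlsplit(url).hostname or "").lower()
    if registrable_domain(host) in protected:
        return False  # the real site, nothing to flag
    for brand in protected:
        # Brand must sit on label boundaries ("." or "-"), so "pineapple.com" is not a hit.
        pattern = r"(^|[.-])" + re.escape(brand) + r"([.-]|$)"
        if re.search(pattern, host):
            return True
    return False


def triage(urls):
    """Return (url, flagged) pairs, ready to feed a mail-gateway or SIEM rule."""
    return [(u, is_lookalike(u)) for u in urls]


if __name__ == "__main__":
    for url, flagged in triage(SAMPLE_URLS):
        print("LOOKALIKE" if flagged else "ok       ", url)
```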

What's also worth pointing out is that the phishers require the user to submit their email at the first stage of the process, presumably to save themselves time validating it, or to be able to contact the recipient in the long term and request more data.

What are the phishers after? The user's email, the serial number, the IMEI (International Mobile Equipment Identity), the type of iPhone (i.e. 3G / 3GS) and the capacity of the device (i.e. 16GB / 32GB).

Why would a phisher want access to such data? Some would point out that they are interested in the practice because of the blocked IMEI numbers of stolen devices, which they can now change to ones that are not blacklisted; but the long-term possibility of building inventories of such data to be resold to criminals looking for ways to bypass prepaid SIM restrictions is a fully realistic one.

Over the past year, there have been numerous developments internationally aiming to restrict the sale of prepaid SIM cards, which offer a safe haven for criminals since no personal identification is required or stored when purchasing them.

Safety measures vary from mobile carrier to mobile carrier, and only a few publicly disclose the protections they have built to limit the use of cloned devices on their networks. There are still countries where the lack of basic restrictions naturally results in demand for such data, which the cybercrime ecosystem can easily supply through phishing campaigns.

The entire business model can be undermined by the mobile carriers realizing the potential for abuse, and by those actually obliged by law to ensure such activities cannot take place within their networks.

Topics: Security, iPhone, Malware, Mobility

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

8 comments
  • Changing the IMEI won't give anyone access.

    Mandatory in GSM is authentication, which is per phone and known only to the handset manufacturer and the phone provider. So a phone that emulated yours would simply fail authentication and be rejected by the network.

    It makes me think they might be trying to learn this info to be able to hack directly into the phones themselves via specially crafted email/MMS and or plain old fraud by phishing customer service for "help" with the account?

    TripleII
    • Ahh, mixing apples and CDMA, lol.

      The iPhone is GSM only right now, authentication is not optional, however, in CDMA (and older TDMA networks) authentication is optional and some networks were slow to turn it on. As the linked last article suggested, you have to clone the physical SIM to get access.

      TripleII
    • Anyone can break the encryption used by GSM trivially.

      AzuMao
      • No, they can't.

        You have to have access to the data stream with complex sniffing equipment. It isn't like these phishers are sitting outside your home sniffing the airwaves to collect your phone's authentication answers.

        The "easy" cracking of GSM algorithms is technically easy, as long as you have the data stream.

        TripleII
        • Eavesdropping on wireless transmissions tends to be..

          ..even easier than on wired ones.

          So if HTTPS used an even weaker algorithm than GSM does, that would be fine with you?
          AzuMao
          • Define easy?

            You don't have access to the radio stream unless you are close to the phone. Also, the authentication that verifies the phone is who it is supposed to be hasn't been cracked yet. The stories about "easily" cracking the GSM stream, well, define easy like above.

            TripleII
          • I think we're having a communications breakdown here.

            By "Anyone can break the encryption used by GSM trivially." I was referring to the encryption used by GSM. Not whatever you're talking about.
            AzuMao
  • Keep us posted

    Been chewing on, and talking with some of my colleagues about what they could do with this information, and we suspect the most likely would be either some form of carrier and/or subscriber extortion. Brick the phone and ask for money or blackmail the provider by interfering with valid customers through bogus network requests.

    TripleII