Discovering the Infrastructure of an iCloud Phishing Scam | Intel 471
blog article

Discovering the Infrastructure of an iCloud Phishing Scam

Aug 21, 2022

In many major cities around the world, pickpocketing and phone-snatch robberies are very common. Modern smartphones are expensive and easy to sell, which makes them better targets than wallets that often contain no cash. There is a reassuring catch to this malicious activity, however: most modern smartphones, such as iPhones, remain locked down even after a factory reset, and can only be unlocked and used with the original owner’s credentials.


In this article, our anonymous author uses SpiderFoot to take a deep dive into how these criminals try to get this information from their victims, and what infrastructure they employ to make this happen.


Background on the Scam


After an individual I’m close with (who I will not disclose given the circumstances) was robbed overseas, I had the unique opportunity of following the campaign the criminals launched against them in order to try to free the stolen phone from the iCloud lock. Without getting past this lock, the criminals are left with a rather expensive paperweight, and certainly not something worth the effort of acquiring in the first place.


After the initial snatch, the adversaries work quickly. Often, once they’ve left the scene, the phone is put into airplane mode so that services like “Find My” cannot be used to track them. Once this is done, at least in this case, there is radio silence.


Weeks later, a notification was received stating that the Erase command sent to the phone was successful, and Find My had finally updated the phone’s location after it had connected to the Internet again:


Find My locates the iPhone after the theft

Shortly before this, the user received the first phishing text message. Then, over the coming weeks, they continued to receive them as the criminals evidently weren’t getting what they wanted. Each time, we sat down and studied the URLs from the text messages in an attempt to piece together what we could about the infrastructure, and what techniques they were employing.


My working theory at this stage was that the phone had been offloaded to a more competent adversary, or they were using some kind of Software-as-a-Service (SaaS) platform for phone thieves, as the phishing pages referenced from the text messages were pretty good:


Fake iCloud sign in page used for phishing iCloud credentials

Mind you, I had to edit the fake email I put there when I was testing the inputs (to be a bit more ‘friendly’ for this article). The link you see there was received in a text, and here are some examples of what they looked like. They were far less convincing than the above, aiding my theory that this wasn’t being run by the same thieves – who were often stupid enough to use actual Romanian phone numbers to send the texts:


Smishing texts, including links to investigate!

Scanning the Infrastructure


With a handful of artifacts from this campaign – the URLs above and two Romanian mobile numbers – I put SpiderFoot to work to try and discover a bit more about this setup.


SpiderFoot discovered data summary

The majority of what SpiderFoot has found is network objects – which is to be expected when 4 of our 6 artifacts are network objects themselves. We’re hoping to see a few things from this scan:


  • Related domains hosted on the IP we have.
  • Other related IPs running similar setups.
  • What kind of software is in use.
  • Anything we can get on those phone numbers.

We got pretty much what we wanted thanks to SpiderFoot, and what looks like quite a bit more.


Domain Names All The Way Down


The majority of the network objects found in the scan originated from the primary IP for each of the websites, along with nearly 200 more similarly named sites intended to be iCloud.com lookalikes.


Node graph of affiliated domain names, generated by SpiderFoot
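To show the kind of triage a defender can run over the smishing texts above and over candidate hostnames like the iCloud.com lookalikes SpiderFoot surfaced, here is an added Python example (it is not part of the original article and not SpiderFoot code): it extracts URLs from sample messages, normalises common digit-for-letter substitutions, and flags hosts that carry the iCloud/Apple brand outside the legitimate registered domains. Every message and hostname in it is constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample messages in the style of the smishing texts described
# in the article; every hostname here is invented for this example.
SAMPLE_TEXTS = [
    "Your lost iPhone has been located. View location: https://icloud-findmy-locate.ru/id",
    "Apple ID locked. Verify now: http://www.icl0ud.com.verify-device.net/login",
    "Reminder: your Genius Bar appointment is confirmed https://www.apple.com/retail",
]

LEGIT = {"icloud.com", "apple.com"}
BRAND_WORDS = ("icloud", "apple", "findmy")
# Digit-for-letter substitutions commonly used to imitate brand strings.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def extract_urls(text):
    """Pull http(s) URLs out of free-form SMS text."""
    return re.findall(r'https?://[^\s<>"]+', text)

def registered_domain(host):
    # Naive last-two-labels rule: fine for .com/.net/.ru, wrong for co.uk-style TLDs.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def lookalike_reason(host):
    """Explain why host imitates iCloud/Apple, or None if legitimate or unrelated."""
    host = host.lower()
    if registered_domain(host) in LEGIT:
        return None
    squashed = host.translate(HOMOGLYPHS).replace("-", "")
    for brand in BRAND_WORDS:
        if brand in squashed:
            in_reg = brand in registered_domain(host).translate(HOMOGLYPHS)
            where = "registered domain" if in_reg else "subdomain labels"
            return f"brand string '{brand}' in {where}"
    return None

def triage(texts):
    """Return (url, host, reason) for every link whose host imitates the brand."""
    hits = []
    for text in texts:
        for url in extract_urls(text):
            host = (urlsplit(url).hostname or "").lower()
            reason = lookalike_reason(host)
            if reason:
                hits.append((url, host, reason))
    return hits
```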

All of this infrastructure appears to be running out of two countries: Ukraine and Russia. For most cybersecurity professionals, this would come as no surprise. Russia is an obvious hive for malicious service providers that enable a range of anonymously purchased services for these kinds of activity. Ukraine on the other hand is less known for this, but lack of legal controls and judicial oversight around online service providers and the availability of cryptocurrency purchase options enables them to be used for malicious purposes. You won’t often find legitimate .ru services running from these IPs, but you’ll find legitimate .ua services co-hosted on the same IPs as malicious services.


Shodan discovered various services running from the main Russian IP, including OpenSSH (as expected, to administer the server) and MySQL. MySQL is likely storing a schema of credentials collected through the phishing pages, and is exposed remotely so the criminals can access it. Interestingly, they are also running exim-smtpd, a mail transfer agent that’s likely being used to dish out email phishing as well as the ‘smishing’ we’ve already seen.


Sophisticated Campaign, Incompetent Operators


We didn’t get too much on the phone numbers, but honestly this is because there isn’t a lot to find when the numbers are bought for the purpose, used right after, and never used for anything else. SpiderFoot found that the carrier used was Orange, and of course that they were Romanian phone numbers (evident from the country calling code). I did some outside research on the numbers using various local Romanian services, as well as some more general OSINT search tools to try to learn more, but ultimately there wasn’t anything else to gather besides the carrier name.


The attackers were using some kind of makeshift SMS gateway to send the majority of the texts, but after little activity from their victim they resorted to using these cheap Orange SIMs to send out the malicious links themselves. This kind of activity unnecessarily exposes the numbers being used, and in any other case it could be their downfall. The rest of the campaign was quite slick in comparison to this behavior, which led me to believe that they were merely hiring existing phishing/smishing software, as opposed to being the ones behind the entire setup.


Lessons Learned


The key takeaway here is that you should always be more careful with your belongings, especially those metal and glass bricks we carry around that run our lives. In busy cities, don’t be on your phone on the street without paying attention to your surroundings. Thieves on scooters can ride past and grab it, or if you’re sitting down somewhere with your phone on the table, it can easily be grabbed, or covered with a distraction and slid away. However, this isn’t always what saves you in reality, as there are many ways scammers and thieves can get their hands on your belongings, and it can be daunting to always be paranoid about this happening to you. Having a proper cloud backup solution set up for your phone, and a way to lock it down and track it, are good ways to ensure your data and your phone cannot be used by the thieves, and it renders the device essentially worthless.


SpiderFoot enabled me to turn this awful situation into an interesting venture into the inner workings of these criminal groups, and it shows just how sophisticated, and how easy to come by, the tools are that can be used to try to access a locked-down phone. Finding the infrastructure underneath the URLs was incredibly easy and fast, and SpiderFoot even unveiled hundreds of other domains that were also in use for the same purpose. In this process I also obtained the criminal’s address in Bucharest, but I opted not to dig too deeply into this. The temptation to organize someone to egg the house was high, but ultimately I don’t trust the accuracy of Find My’s maps to do this.


As a final note, never click links in your texts, for whatever reason. Even legitimate links can easily be accessed through other means by just visiting the website, or opting to get it another way.