Hackers using password phishing kits and fake receipts to access iCloud-locked iPhones

A new report from Motherboard today looks into the world of hacking iCloud-locked iPhones. While turning on Find My iPhone (which enables the iCloud lock) is generally thought to be quite secure, Motherboard highlights several ways that thieves, hackers, and coders are getting around the security feature to sell stolen (and non-stolen) devices.

Author Ad Placeholder
Will only appear on redesign env.

The primary way to get gain access to an iCloud-locked iPhone or iOS device is to enter the password for the iCloud account. The Motherboard article notes that there has been an uptick in muggings where thieves have been asking victims to enter their passwords to turn off Find My iPhone and log out of iCloud before stealing their device. However, that’s not the main way that thieves and hackers are trying to get around the iCloud lock. The two most popular approaches appear to be creating fake receipts and phishing scams, with phishing kits actually sold for novice iPhone thieves.

In practice, “iCloud unlock” as it’s often called, is a scheme that involves a complex supply chain of different scams and cybercriminals. These include using fake receipts and invoices to trick Apple into believing they’re the legitimate owner of the phone, using databases that look up information on iPhones, and social engineering at Apple Stores. There are even custom phishing kits for sale online designed to steal iCloud passwords from a phone’s original owner.

Motherboard notes that there’s also an elaborate and complicated scheme to reprogram a stolen iPhone with a new IMEI number, but that it’s not very common.

The iPhone’s CPU can be removed from the Logic Board and reprogrammed to create what is essentially a “new” device (this is very labor intensive and rare. It is generally done in Chinese refurbishing labs and involves stealing a “clean” phone identification number called an IMEI.)

Another complicating matter is that often times legitimate companies like wireless carriers end up with iCloud-locked devices due to customer mistakes when trading in an iPhone. However, based on Motherboard’s research, Apple doesn’t appear to work with third-party companies to unlock iPhones in bulk. These companies add to the stream of iCloud-locked devices on the second-hand market.

There are many listings on eBay, Craigslist, and wholesale sites for phones billed as “iCloud-locked,” or “for parts” or something similar. While some of these phones are almost certainly stolen, many of them are not. According to three professionals in the independent repair and iPhone refurbishing businesses, used iPhones—including some iCloud-locked devices—are sold in bulk at private “carrier auctions” where companies like T-Mobile, Verizon, Sprint, AT&T, and cell phone insurance providers sell their excess inventory (often through third-party processing companies.)

The community of iPhone hackers, coders, and thieves has grown along with the increase in iCloud-locked iPhone sales. They often communicate via group chats with apps like Telegram to share tips and tricks. Motherboard was able to gain access to one such chat group and learned more about how they approach unlocking iPhones.

Every day, members of this 100-strong group chat share tips on how to trick victims into handing over iCloud passwords, upload photos of their successful unlocks, and share Apple-themed stickers. This is where many lost, stolen, or otherwise locked iPhones end up before hackers unlock them and the devices are sold again. The group is a near constant stream of people’s phones and the messages left on their iPhone’s lock screen.

Hackers seem to be using unofficial tools to check on the status of iPhone iCloud-lock status to help them start the process of getting around the security feature.

Motherboard was not able to confirm the exact database that scammers are using, but tested several online services that returned accurate information about a Motherboard device, including whether Find My iPhone was activated and whether it was reported as lost, stolen or ‘clean’.

More concerning, is that some third-parties claim to sell access to Apple’s internal system, GSX for $199. However, some of the offers Motherboard encountered appeared to be scams.

Motherboard found several advertisements offering access to GSX accounts or related information online. One was on a bitcoin-focused forum, others were online ads asking potential customers to email them; Motherboard exchanged emails with one person claiming to sell GSX accounts for $199 a piece. Several Twitter users also claimed to be selling access. (Some people advertising GSX accounts on Twitter appear to be scammers, however.)

As for the iCloud-lock phishing kits that are being sold, they are custom designed to trick the owner of the lost or stolen iPhone into giving up their password. They even offer the novice thief tutorial videos on the process.

Whereas more generic phishing kits may be used by a hacker for a number of different purposes, perhaps for stealing banking details, email credentials, or online accounts in general, these kits are specifically designed to phish iCloud accounts. The iCloud phishing kits come with templates designed to trick a victim that their iPhone was found. These kits allow a hacker to send SMS messages that appear to come from Apple that could trick a victim into giving up their iCloud credentials, and the kits can even generate fake maps of where the victim’s phone has apparently been discovered to further entice them. The kits keep track of a hacker’s list of targets, provide notifications on successful phishes, and some require next to no technical setup, according to tutorial videos on how to use them.

The iCloud specific phishing kits are sold for as little as $75.

BlackViirus, the developer behind ProKit, told Motherboard in an online chat that his product costs $75, and he uses a network of resellers to distribute the phishing kit further. BlackViirus claims to have over 1,500 customers. Phishing is a scale operation, with some iCloud unlockers claiming to process bulk orders. They often accept payment using PayPal or Skrill, another money transfer service.

As for the fake receipt approach, Mick Ventocilla, owner of Lakshore Tech Repair told Motherboard that he knows people in the repair industry who attempt the tactic.

“You formulate a fake receipt, take it to the Apple Store, and say ‘Hey, I forgot my Apple ID information, but here’s a receipt,’” Mick Ventocilla, owner of Lakeshore Tech Repair, a smartphone repair shop in Michigan, told Motherboard. Ventocilla says he does not try to unlock iCloud but knows many in the repair industry who do. “They remove it. That’s one of the most common ways.”

In another underground chat, Motherboard discovered fake iPhone receipts going for about $150.

Motherboard accessed another Telegram chat room that focused just on providing access to copies of carrier receipts. Here, scammers charged around $150 for a single invoice, or a discount if they buy two.

Some hackers report that they even have gotten the iCloud-lock removed from iPhones via email with Apple Support.

Armed with a legitimate-looking Apple invoice filed with accurate information about the phone such as its IMEI number—a unique, per device identifier code—and its estimated date of purchase, scammers can ask Apple customer support to remove iCloud from the device. Scammers don’t always need to go into an Apple store to do this—screenshots shared in the invoice chat room show successful iCloud removals by just conversing with Apple support over email. This likely only works with phones that have not been marked as stolen, however.

The full story is a fascinating read, check out the full Motherboard article here.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel