March 4, 2020

My first spear-phish

I lost my phone and the crook tried to remove activation lock.

My iPhone 7+ was stolen on Bourbon St during Mardi Gras. I set it to the "Lost Phone" setting in iCloud and assumed it was gone forever.

Find My Phone, where did Zigzu go?

I had a moment of hope today, though: I got a text message saying my phone had been found, and I just needed to log in with my password. Something seemed strange, though:

see-mesh.com doesn't seem like an Apple domain

Odd, I don't remember see-mesh.com being an Apple property. Curious, I opened up an incognito window on my laptop to see what would happen:

Looks sort of legit for a phish

If someone really wanted their phone back, they would probably ignore the domain name and just look for "apple.com" somewhere in the address. I put some curse words in for the email and password, and the site 503'd shortly after. I have two-factor authentication on my account, so even if I did somehow space out and fall for this phish, I'd get a second chance.
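The trick described above, a URL that contains "apple.com" somewhere but is hosted on a different registered domain, is easy to miss by eye and easy to catch in code. The following is an added example, not code from the original post: it pulls URLs out of a text message and checks the actual registered domain against a small allowlist. The domain see-mesh.com is the one named in the post; the full URLs and the sample message are constructed for illustration, and the "last two labels" rule for the registered domain is a simplification that does not handle suffixes like co.uk.

```python
import re
from urllib.parse import urlsplit

# Domains Apple actually uses for account and Find My pages (allowlist).
TRUSTED_DOMAINS = {"apple.com", "icloud.com"}

# Rough URL matcher for free text such as an SMS body.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def registrable_domain(url: str) -> str:
    """Return the registered domain (last two labels) of the URL's host.

    Handles a missing scheme, a userinfo decoy such as
    'https://apple.com@see-mesh.com/', and deep subdomains such as
    'apple.com.see-mesh.com'. Simplified: ignores public suffixes like co.uk.
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url: str) -> str:
    """'trusted' if hosted on an allowlisted domain; 'lookalike' if the URL
    merely mentions an allowlisted domain elsewhere; otherwise 'untrusted'."""
    if registrable_domain(url) in TRUSTED_DOMAINS:
        return "trusted"
    if any(trusted in url.lower() for trusted in TRUSTED_DOMAINS):
        return "lookalike"
    return "untrusted"


def triage_message(text: str) -> list:
    """Extract every URL from a message and pair it with its classification."""
    results = []
    for match in URL_RE.findall(text):
        url = match.rstrip(".,;:!?)")  # drop trailing sentence punctuation
        results.append((url, classify_url(url)))
    return results


# Constructed sample SMS in the style of the one the post describes
# (the URL is hypothetical; only the see-mesh.com domain comes from the post).
SAMPLE_SMS = (
    "Your lost iPhone has been located. Sign in to view its location: "
    "https://apple.com.see-mesh.com/icloud/find?id=lost."
)

if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_SMS):
        print(f"{verdict:10s} {registrable_domain(url):25s} {url}")
```

The point of the `lookalike` verdict is that it fires precisely on the pattern that fools a hopeful phone owner: the brand name is present in the link, but the part of the host that actually matters is someone else's. A real deployment would use a public-suffix list for the domain split and a fuller allowlist, but the check stays the same: compare the registered domain, not the string as a whole.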

I reported the domain to the registrar, godaddy.com, and it'll be one more whack-a-mole phish site for them.

So why would someone try to get the password to my iCloud account? Once the attacker gets access, they can remove the activation lock on the phone and either sell it or trade it in. They could also unlock the device and decrypt all my personal data. As it stands, though, this attacker has only stolen a brick from me.