Your iPhone Gets Stolen. Then the Hacking Begins


Every year, millions of phones are stolen. While thousands of iPhones are shipped to China and broken down for parts, criminals can make more money selling a device that has been unlocked and wiped. Now researchers have unpicked part of the underground web of cybercrime services that can help provide access to stolen iPhones.

Across the web and on Telegram, there’s a “thriving” ecosystem of software sellers helping power the market for stolen iPhones by providing “unlocking” tools and the technology to produce phishing messages to help get access to a phone, according to findings from researchers at cybersecurity firm Infoblox. The company says it has tracked “dozens” of groups selling unlocking tools, mostly with a focus on iPhones, and has linked more than 10,000 phishing websites to the activity. Traffic to these domains increased 350 percent last year, the researchers say.

“Reselling is 100 percent what they’re going for,” says Maël Le Touz, a staff threat researcher at Infoblox, who says people from all around the world appear to be buying access to the pay-per-use software. The average cost is below $10. “Most of the people looking to unlock phones clearly don’t have thousands of phones in their hands—they’re not at that scale,” Le Touz says.

Over the past few years, the number of phones being stolen has risen—for example, with around 80,000 devices being taken in London in one year. While Apple and Google have improved their protections for stolen devices, a variety of more- and less-sophisticated thieves can still make money from stolen handsets: If a phone is unlocked or a thief has its passcode, they can potentially steal money from online bank accounts or crypto wallets; those snatching phones on the streets or in bars can make hundreds of dollars selling them on.

“Phone thieves don’t just want the handset—they want access to bank accounts and personal information,” says Will Lyne, the head of economic and cybercrime at London’s Metropolitan Police. Lyne highlights one case of four men who had been caught handling more than 5,000 stolen phones and spending money from financial accounts on the devices.

Dan Guido, the CEO and cofounder of security firm Trail of Bits and a strategic advisor to mobile security firm iVerify, says a stolen phone may only be worth $50 to $200 when it is locked. “But if you unlock it, it’s worth $500, or it’s worth $1,000.” That difference can encourage people to create ways to try and get into devices. “This whole thing is an ecosystem, and there’s multiple people at different levels of the supply chain that all work together in order to unlock phones,” he says.

Security researchers at Infoblox started looking into the stolen-phone unlocking economy earlier this year when a law-enforcement-related contact in Asia messaged them saying their iPhone had been stolen and they had received a phishing message after including alternate contact details on the locked device. A link in the phishing page mimicked an Apple Find My page and showed a false map with the phone’s location—it then showed a pop-up asking for the phone’s PIN code.

Numerous people online, as well as the Swiss National Cybersecurity Center, have reported receiving phishing messages after losing or having their iPhones stolen, with the attackers aiming to get access to Apple iCloud accounts and remove them from phones. “To make the messages look convincing, they include accurate details of the missing device—such as its model, colour, and storage capacity—which the scammers can read directly from the phone itself,” the Swiss body wrote in November. “As there is no known way to bypass this lock, tricking the owner through social engineering is the only realistic option for criminals.”
