Having
your personal property stolen on vacation is a nightmare traveling
scenario - and, even more so if it's later used to instigate a phishing attack. Adalsteinn Jonsson,
Threat Researcher and Data Scientist at Cyren, divulges the
details of the time his vacation with his girlfriend in Switzerland ended with
her iPad in the hands of cybercriminals for a targeted phishing attack.
VMblog: How did your girlfriend's iPad get
stolen?
Adalsteinn Jonsson: My girlfriend and I were traveling by train at night in Switzerland
from Lausanne to Bern. Both of us had backpacks, which we stored in the
overhead compartment above our seats. At one of the train stops, a man came
onboard and proceeded to sit across from us. He didn't appear suspect, wearing
business clothes and looking like a typical commuter.
Before he sat down, he moved my girlfriend's backpack in the overhead
compartment to place his backpack between the two of ours. I thought this was
strange and watched him while he did that, but he didn't seem to care. It was
only after we arrived at our destination that we realized my girlfriend's
backpack was nowhere to be found and that the man had taken it with him.
While extremely unlucky for my girlfriend, the thief was lucky that
night-the backpack had several valuables, including a wallet with credit cards,
two laptops and an iPad. The total cost of everything stolen was over $4,000.
VMblog: Give us a play by play of what
happened - when the iPad was stolen to when the phishing attack campaign
was launched.
Jonsson: Immediately, we locked all of the credit cards and reported the Apple
products, one iPad and one MacBook, as lost. We left a message on the iPad
stating that it was stolen and provided contact details to return to us if
found.
The next day we reported the theft to the police and while they
recorded the serial numbers to investigate, they warned us that the stolen
devices were unlikely to be returned. We also tried to track the location of
the devices, but they weren't updated until a few days later and by then, they
were already in France.
Six months after the theft, the police didn't have any leads and we
lost all hopes of getting the devices back. Suddenly, my girlfriend received a
text message from an American number claiming to be Apple support with news
that her stolen iPad was found. My girlfriend was certain this was her iPad
since it was the same model and the location dot on the map was in the same
city it was stolen from. Just as she was about to enter her password, I took a
look at the website as I was suspicious that Apple would contact her by text
message.
My suspicions were correct-the link in the text message
(hxxp://maps-api[.]me/g2ksb8) didn't look trustworthy and the URL redirected to
a site that, while looking legitimate at first glance, had the domain
"id-activation[.]com" and "iCloud" was only a CNAME record, or sub-domain.
Meaning, the host didn't own the "iCloud" domain, but only
"id-activation[.]com".
VMblog: How are stolen devices used in
phishing campaigns?
Jonsson: In this case, the Lost Mode message on the stolen device gave the
criminals the phone number they need to target the phishing attack. Beyond
that, the stolen device is the goal of the campaign. The attackers need the
victim's login credentials so they can reset the phone and sell it.
VMblog: Why are we seeing a proliferation of phishing attacks?
Jonsson: Simply put, it's because they work. Criminals have figured out how to
slip their attacks through traditional email security defenses, and they're
messages are increasingly hard for users to spot as fake. These definitely
aren't the poorly written, almost comically unbelievable pretexts from a few
years ago. Phishing kits are created and sold by software professionals so
anyone with a few hundred dollars can access sophisticated tools that you don't
have to be sophisticated to use.
VMblog: What advice would you give to
someone if they have an ipad or iphone stolen?
Jonsson: Device encryption is a long-time best practice to secure sensitive
information in the event of the loss or theft of a device. However, it is
important to note that device encryption is only secure as the password
required to unlock it.
Individuals can further protect their devices by routinely backing up
the data on their phone. Use strong and unique passwords along with
multi-factor authentication. Specialized anti-phishing solutions are available
from email security companies, and many wireless carriers have services so you
can submit suspicious phone numbers. For high value items, such as laptops and
tablets, having an insurance policy that covers the replacement cost if the
devices are lost or stolen is also an option.
Most importantly, if your device is stolen, do not expose sensitive
data like passwords or payment information if someone contacts you. Hang up the
phone or delete the message, find the company's contact information online and
reach out to them directly.
VMblog: These attackers happened to mess
with the wrong person. How could Cyren have helped prevent this?
Jonsson: Cyren has a lot of expertise and technology in the areas of email
threat detection - phishing, malware, spam, botnets, etc. This story is a great
example of the ‘last mile' problem businesses must solve to effectively protect
their organizations from zero-day and targeted attacks. To answer your question
directly, we have detection engines and global threat intelligence that service
providers and technology companies can integrate into their services to help
detect and prevent threats like this. We also have solutions for enterprises like
Cyren Inbox Security that not only detects unique threats but also
automatically removes, generally before users even read the message.
##