Virtualization Technology News and Information
VMblog Expert Interview: Cyren, a Stolen iPad, and a Phishing Attack


Having personal property stolen on vacation is a traveler's nightmare, and even more so when the stolen device is later used to mount a phishing attack. Adalsteinn Jonsson, Threat Researcher and Data Scientist at Cyren, recounts how a vacation with his girlfriend in Switzerland ended with her iPad in the hands of cybercriminals, who then used it to stage a targeted phishing attack against her.

VMblog:  How did your girlfriend's iPad get stolen?

Adalsteinn Jonsson:  My girlfriend and I were traveling by train at night in Switzerland from Lausanne to Bern. Both of us had backpacks, which we stored in the overhead compartment above our seats. At one of the train stops, a man came onboard and proceeded to sit across from us. He didn't appear suspect, wearing business clothes and looking like a typical commuter.

Before he sat down, he moved my girlfriend's backpack in the overhead compartment to place his backpack between the two of ours. I thought this was strange and watched him while he did that, but he didn't seem to care. It was only after we arrived at our destination that we realized my girlfriend's backpack was nowhere to be found and that the man had taken it with him.

While extremely unlucky for my girlfriend, the thief was lucky that night: the backpack had several valuables, including a wallet with credit cards, two laptops and an iPad. The total cost of everything stolen was over $4,000.

VMblog:  Give us a play by play of what happened - when the iPad was stolen to when the phishing attack campaign was launched.

Jonsson:  Immediately, we locked all of the credit cards and reported the Apple products, one iPad and one MacBook, as lost. We left a message on the iPad stating that it was stolen and provided contact details to return to us if found.

The next day we reported the theft to the police and while they recorded the serial numbers to investigate, they warned us that the stolen devices were unlikely to be returned. We also tried to track the location of the devices, but they weren't updated until a few days later and by then, they were already in France.

Six months after the theft, the police didn't have any leads and we lost all hopes of getting the devices back. Suddenly, my girlfriend received a text message from an American number claiming to be Apple support with news that her stolen iPad was found. My girlfriend was certain this was her iPad since it was the same model and the location dot on the map was in the same city it was stolen from. Just as she was about to enter her password, I took a look at the website as I was suspicious that Apple would contact her by text message.

My suspicions were correct: the link in the text message (hxxp://maps-api[.]me/g2ksb8) didn't look trustworthy, and the URL redirected to a site that, while looking legitimate at first glance, had the domain "id-activation[.]com"; "iCloud" was only a CNAME record, or sub-domain. That means the host didn't own the "iCloud" domain, only "id-activation[.]com".
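The check Jonsson describes, written out as an added example (not code from the interview or from Cyren): refang the defanged link, follow the redirect, and judge the landing page by its registrable domain rather than by the brand word in a subdomain label. The redirect table, the landing path and the exact "icloud" host label are constructed assumptions; the page names only the two domains.

```python
from urllib.parse import urlparse

# Constructed, offline stand-in for the redirect in the interview: the shortener
# link lands on the attacker-registered domain. The path and exact "icloud" host
# label are assumptions; the page names only the two domains.
REDIRECTS = {"http://maps-api.me/g2ksb8": "https://icloud.id-activation.com/login"}

# Brand word -> registrable domain that legitimately owns it.
TRUSTED = {"icloud": "icloud.com", "apple": "apple.com"}

def refang(url):
    # Turn a defanged indicator (hxxp, [.]) back into a parseable URL.
    return url.replace("hxxp", "http").replace("[.]", ".")

def resolve(url, redirects=REDIRECTS, limit=5):
    # Follow the redirect table; returns the full chain, landing URL last.
    chain = [url]
    while url in redirects and len(chain) <= limit:
        url = redirects[url]
        chain.append(url)
    return chain

def registrable_domain(host):
    # Last two labels. Assumption: no multi-part public suffixes (co.uk etc.);
    # production code should consult the Public Suffix List instead.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]

def classify(url, trusted=TRUSTED):
    # Judge the landing page by who owns its registrable domain, not by brand
    # words that merely appear as subdomain labels.
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    apex = registrable_domain(host)
    if apex in trusted.values():
        return {"host": host, "apex": apex, "verdict": "trusted", "reasons": []}
    subdomain = host[: -len(apex)].rstrip(".")
    reasons = [f"'{b}' is only a subdomain label; the owner is {apex}"
               for b in trusted if b in subdomain]
    if parsed.scheme != "https":
        reasons.append("landing page not served over HTTPS")
    return {"host": host, "apex": apex, "reasons": reasons,
            "verdict": "suspicious" if reasons else "unknown"}

def triage(defanged_link):
    # Full pipeline: refang, follow redirects, classify the final landing page.
    chain = resolve(refang(defanged_link))
    result = classify(chain[-1])
    result["chain"] = chain
    return result
```

`triage("hxxp://maps-api[.]me/g2ksb8")` reports the landing apex as id-activation.com with "icloud" flagged as a mere subdomain label, which is exactly the signal that exposed this lure.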

VMblog:  How are stolen devices used in phishing campaigns?

Jonsson:  In this case, the Lost Mode message on the stolen device gave the criminals the phone number they need to target the phishing attack. Beyond that, the stolen device is the goal of the campaign. The attackers need the victim's login credentials so they can reset the phone and sell it.

VMblog:  Why are we seeing a proliferation of phishing attacks?

Jonsson:  Simply put, it's because they work. Criminals have figured out how to slip their attacks through traditional email security defenses, and their messages are increasingly hard for users to spot as fake. These definitely aren't the poorly written, almost comically unbelievable pretexts from a few years ago. Phishing kits are created and sold by software professionals, so anyone with a few hundred dollars can access sophisticated tools that you don't have to be sophisticated to use.

VMblog:  What advice would you give to someone if they have an iPad or iPhone stolen?

Jonsson:  Device encryption is a long-time best practice to secure sensitive information in the event of the loss or theft of a device. However, it is important to note that device encryption is only as secure as the password required to unlock it.

Individuals can further protect their devices by routinely backing up the data on their phone. Use strong and unique passwords along with multi-factor authentication. Specialized anti-phishing solutions are available from email security companies, and many wireless carriers have services so you can submit suspicious phone numbers. For high value items, such as laptops and tablets, having an insurance policy that covers the replacement cost if the devices are lost or stolen is also an option.

Most importantly, if your device is stolen, do not expose sensitive data like passwords or payment information if someone contacts you. Hang up the phone or delete the message, find the company's contact information online and reach out to them directly.

VMblog:  These attackers happened to mess with the wrong person. How could Cyren have helped prevent this?

Jonsson:  Cyren has a lot of expertise and technology in the areas of email threat detection - phishing, malware, spam, botnets, etc. This story is a great example of the "last mile" problem businesses must solve to effectively protect their organizations from zero-day and targeted attacks. To answer your question directly, we have detection engines and global threat intelligence that service providers and technology companies can integrate into their services to help detect and prevent threats like this. We also have solutions for enterprises like Cyren Inbox Security that not only detect unique threats but also automatically remove them, generally before users even read the message.


Published Thursday, February 03, 2022 7:32 AM by David Marshall