Full Report
The Swiss National Cyber Security Centre (NCSC) is warning iPhone owners about a phishing scam that claims to have found your lost or stolen iPhone but is actually trying to steal your Apple ID credentials. [...]
Analysis Summary
# Tool/Technique: Lost iPhone Phishing Scam
## Overview
This is a targeted phishing campaign, utilizing SMS or iMessage (smishing), designed to steal Apple ID credentials from iPhone owners who have lost or had their devices stolen. The scam leverages information potentially visible on the device's lock screen (like device model and color) to create a seemingly legitimate message claiming the device has been found. The ultimate goal is to trick the victim into entering their credentials on a fake website, which allows the attacker to disable Apple's Activation Lock.
## Technical Details
- Type: Technique (Phishing/Social Engineering)
- Platform: iOS (Targeted via SMS/iMessage)
- Capabilities: Credential harvesting, Apple ID theft, social engineering via crafted messages.
- First Seen: Unknown (Reported by NCSC in November 2025)
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (no attachment is involved, but the tailored-message concept applies)
- T1566.002 - Spearphishing Link (Directly applicable due to the use of malicious links)
- TA0009 - Collection
- T1555 - Credentials from Password Stores (the credentials are harvested directly from the user rather than from a password store)
## Functionality
### Core Capabilities
- **Targeted Communication:** Sending SMS or iMessages containing fabricated information about a found lost iPhone (e.g., model, color).
- **Credential Harvesting:** Directing victims to a deceptive website mimicking the Apple Find My service login page to capture Apple ID and password pairs.
- **Social Engineering:** Exploiting the user's hope and urgency following the loss of an expensive device.
### Advanced Features
- **Information Correlation:** Potentially using information visible on the locked device screen (via a "Lost Mode" custom message) to lend credibility to the phishing message.
- **Goal-Oriented Execution:** The specific aim is to remove Activation Lock, suggesting the attackers intend to either use or resell the compromised device.
## Indicators of Compromise
- File Hashes: N/A (This is a delivery mechanism, not a file-based malware)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Links redirecting to phishing pages mimicking `icloud.com` or Apple login portals (e.g., `hxxp://phishingdomain[.]com/findmy/login`).
- Behavioral Indicators: An unsolicited SMS/iMessage about a lost device that urges immediate login via the link it presents.
## Associated Threat Actors
- Threat actors known to target Apple device owners for resale or to exploit associated ecosystem services. The specific group is not named in the NCSC report; the actors are opportunistic criminals.
## Detection Methods
- Signature-based detection: Not practical for the initial message itself unless specific URLs are blocked.
- Behavioral detection: Monitoring user behavior for navigating from an unsolicited text message link directly to a login prompt for Apple services.
- YARA rules: Not applicable to a social-engineering lure that involves no malware file.
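As an added example (not from the NCSC advisory or the report above), a small Python check a defender could run over message bodies to flag this lure: it accepts the defanged `hxxp`/`[.]` notation used in the indicator above, rejects brand-prefixed lookalike hosts such as `icloud.com.<other-domain>` and `icloud.com@<other-domain>`, and only treats links as benign when the host really is an Apple domain. The Apple host allowlist and the sample messages are assumptions constructed for the example.

```python
"""Flag lost-iPhone lure messages whose links do not point at genuine Apple hosts."""
import re
from urllib.parse import urlsplit

# Assumed allowlist of Apple sign-in / Find My hosts; extend for your environment.
APPLE_HOSTS = {"icloud.com", "apple.com"}
DEVICE_RE = re.compile(r"\biphone\b", re.I)
LURE_RE = re.compile(r"\b(found|located|lost|stolen)\b", re.I)
URL_RE = re.compile(r"\b(?:hxxps?|https?)://\S+", re.I)


def link_host(url):
    """Return the lowercase host of a URL; defanged hxxp:// and [.] forms are accepted."""
    cleaned = url.replace("hxxp", "http").replace("[.]", ".")
    # urlsplit().hostname discards any 'icloud.com@' userinfo prefix, so the real host wins.
    return (urlsplit(cleaned).hostname or "").lower().rstrip(".")


def is_apple_host(host):
    """True only for an Apple domain or a true subdomain of one, never a lookalike prefix."""
    return any(host == d or host.endswith("." + d) for d in APPLE_HOSTS)


def assess_message(text):
    """Classify one SMS/iMessage body; returns (verdict, non-Apple hosts found)."""
    hosts = [link_host(u) for u in URL_RE.findall(text)]
    suspicious = [h for h in hosts if h and not is_apple_host(h)]
    lure = bool(DEVICE_RE.search(text)) and bool(LURE_RE.search(text))
    if lure and suspicious:
        return "phishing-suspect", suspicious   # lost-iPhone story plus a non-Apple link
    if suspicious:
        return "non-apple-link", suspicious     # worth a look, but not this specific lure
    return "clean", []


# Constructed sample messages (not real traffic).
SAMPLES = [
    "Your lost iPhone 15 Pro (Blue) has been found. Confirm ownership: "
    "hxxp://icloud.com.phishingdomain[.]com/findmy/login",
    "Your lost iPhone was located. View it at https://www.icloud.com/find",
    "Parcel update: https://tracking.example.net/abc",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(assess_message(msg))
```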
## Mitigation Strategies
- Never click links in unsolicited messages (SMS or iMessage), especially those claiming to be from support or regarding lost devices.
- If a device is truly lost, use official channels only: `iCloud.com/find` or the dedicated Find My application on another trusted Apple device.
- Enable Lost Mode immediately via official means to secure the device.
- Use a dedicated, non-primary email address for contact information displayed on a lost device's lock screen message, if necessary.
- Ensure the SIM card is protected with a PIN to prevent attackers from obtaining the phone number for targeted outreach.
- Rely on the NCSC advisory: Apple will never contact users via SMS or email to report a found device.
## Related Tools/Techniques
- Smishing (SMS Phishing)
- Website Cloning (used for the fake login portal)
- Credential Theft via Phishing