Two weeks ago, I was on holiday in Turin, Italy and made a boo boo. I forgot my phone in our rental car during a two-hour visit to a local outdoor spa (Acquajoy, great fun, especially for the kids!). The end result was unfortunate: when we returned to the car, a window was smashed and my iPhone was stolen.

I immediately did the obvious things, i.e. used my wife's phone to call mine (as expected, it was powered off), marked the phone as lost in the Find My iPhone app, entered a text to display on the phone in case it ever comes back online, ticked all the "send me an email when the phone comes back online" checkboxes and drove off to lunch. Nobody could access my data on the phone, and since it's tied to my iCloud account, others can't reactivate the phone for themselves.

We got the car window fixed in a matter of hours, I later bought a new phone, etc., but then yesterday, eleven days after the phone was stolen, the most interesting thing happened: I got an SMS and an email notifying me that the phone had been found!

The email looks exactly like an Apple email should. The sender is “Apple”. Google Inbox, Apple Mail and the traditional Gmail all let the email pass as non-suspicious. All the links in the footer lead to the right places.

I of course rushed to the address on the link and then started typing my credentials, but then suddenly stopped. Something was just not right.

At this point it's probably best to note that I'm sort of a professional. I'm the managing director of a company that builds and supports large-scale websites. We deal with web stuff all day long. I'm pretty sure many people would have just punched in their Apple ID and password and only then wondered why the login doesn't work.

It does look very convincing, doesn’t it? All the links work, there’s jQuery features in place for a smooth user experience etc.

The moment of excitement

Let me take you inside the mind of a person who has lost their phone for a while. You're of course bummed that it got stolen in the first place. Everybody blames themselves at least a bit. Then, you turn on all the notifications so you'll hear if it ever finds its way back online. Finally, you sort of forget about it, and when messages finally arrive that it's been found, you rush at full speed to learn about your dear phone's adventure.

Looking at the page above, there were two things that alarmed me. First, the address seemed a little off. Not really something Apple would use, is it? The real giveaway, however, was that the connection to the server is not encrypted. You would see it in the address bar, as on the genuine Apple page below:

The lock and green text on the address bar show that the connection is secure and the site really belongs to Apple Inc.

Digging deeper, I noticed that the email was actually not from Apple, but from icloud.insideappleusa@gmail.com. The website is not registered to Apple, but to some useless company in Nassau. The "iCloud login" does a great shake gesture when you submit the credentials and says your account name or password is invalid, while of course sending the "invalid" credentials to a save.php file for later exploitation.
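The two checks that unmasked this email, the real sender address behind the "Apple" display name and a login link that is neither HTTPS nor on an Apple domain, are easy to automate. The script below is an added example written for this post, not code from the original article or from Apple: it parses a constructed message modelled on the one described above (the addresses and URLs in it are made up, and the Apple domain list is an assumption, not an inventory of every domain Apple uses) and reports a From: header whose display name names a brand but whose address is on a foreign domain, plus every link that is not https:// on that brand's domains. Note that it flags only the phishing link; the legitimate footer links the author mentions pass, which is exactly how these emails are built.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands whose display name should only appear with their own domains.
# ASSUMPTION for this example: a short list, not a complete Apple inventory.
BRAND_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
}

# Constructed sample message modelled on the post's description; the sender
# address, subject text and URLs are made up for this example.
SAMPLE_EMAIL = """\
From: Apple <icloud.insideappleusa@gmail.com>
To: victim@example.com
Subject: Your iPhone has been found
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your iPhone was located. <a href="http://icloud-findmy.example/login">View location</a></p>
<p><a href="https://www.apple.com/privacy/">Privacy Policy</a> |
<a href="https://www.icloud.com/">iCloud</a></p>
</body></html>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def _on_domain(host, domains):
    """True if host is one of the domains or a subdomain of one of them."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def _claimed_brand(display_name):
    """Return the brand a display name claims, if any (simple substring match;
    good enough for the example, a real filter would use a proper brand list)."""
    lowered = display_name.lower()
    return next((b for b in BRAND_DOMAINS if b in lowered), None)


def check_sender(from_header):
    """Flag a From: header whose display name claims a brand but whose
    mailbox is on a domain that brand does not use. Returns a description
    of the mismatch, or None if the header looks consistent."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    brand = _claimed_brand(name)
    if brand and not _on_domain(domain, BRAND_DOMAINS[brand]):
        return f"display name {name!r} but address domain {domain!r}"
    return None


def check_links(html, domains):
    """Return every href that is not https:// on one of the given domains.
    Both the plain-http login page and the off-brand hostname from the post
    are caught by this single test."""
    suspicious = []
    for url in HREF_RE.findall(html):
        parsed = urlparse(url)
        if parsed.scheme != "https" or not _on_domain(parsed.hostname, domains):
            suspicious.append(url)
    return suspicious


def analyse(raw_message):
    """Run both checks over a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    name, _ = parseaddr(from_header)
    brand = _claimed_brand(name)
    findings = {"sender": None, "links": []}
    if brand:
        findings["sender"] = check_sender(from_header)
        # Single-part message in this example; get_payload() returns the body.
        body = msg.get_payload() if not msg.is_multipart() else ""
        findings["links"] = check_links(body, BRAND_DOMAINS[brand])
    return findings


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Running it on the sample prints the gmail.com sender mismatch and the single http://icloud-findmy.example/login link, while the two apple.com and icloud.com footer links pass. The subdomain rule in `_on_domain` matters in both directions: a genuine `noreply@email.apple.com` is accepted, whereas `apple.com.example` is not, because the match is anchored at the end of the hostname.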