WikiLeaks on Tuesday dropped one of its most explosive word bombs ever: A secret trove of documents apparently stolen from the U.S. Central Intelligence Agency (CIA) detailing methods of hacking everything from smart phones and TVs to compromising Internet routers and computers. KrebsOnSecurity is still digesting much of this fascinating data cache, but here are some first impressions based on what I’ve seen so far.

First, to quickly recap what happened: In a post on its site, WikiLeaks said the release — dubbed “Vault 7” — was the largest-ever publication of confidential documents on the agency. WikiLeaks is promising a series of these document caches; this first one includes more than 8,700 files allegedly taken from a high-security network inside CIA’s Center for Cyber Intelligence in Langley, Va.

“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation,” WikiLeaks wrote. “This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

Wikileaks said it was calling attention to the CIA’s global covert hacking program, its malware arsenal and dozens of weaponized exploits against “a wide range of U.S. and European company products, include Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.”

The documents for the most part don’t appear to include the computer code needed to exploit previously unknown flaws in these products, although WikiLeaks says that stuff may show up in a future dump. This collection is probably best thought of as an internal corporate wiki used by multiple CIA researchers who methodically found and documented weaknesses in a variety of popular commercial and consumer electronics.

For example, the data dump lists a number of exploit “modules” available to compromise various models of consumer routers made by companies like Linksys, Microtik and Zyxel, to name a few. CIA researchers also collated several pages worth of probing and testing weaknesses in business-class devices from Cisco, whose powerful routers carry a decent portion of the Internet’s traffic on any given day. Craig Dods, a researcher with Cisco’s rival Juniper, delves into greater detail on the Cisco bugs for anyone interested (Dods says he found no exploits for Juniper products in the cache, yet).

WHILE MY SMART TV GENTLY WEEPS

Some of the exploits discussed in these leaked CIA documents appear to reference full-on, remote access vulnerabilities. However, a great many of the documents I’ve looked at seem to refer to attack concepts or half-finished exploits that may be limited by very specific requirements — such as physical access to the targeted device.

The “Weeping Angel” project’s page from 2014 is a prime example: It discusses ways to turn certain 2013-model Samsung “smart TVs” into remote listening devices; methods for disabling the LED lights that indicate the TV is on; and suggestions for fixing a problem with the exploit in which the WiFi interface on the TV is disabled when the exploit is run.

ToDo / Future Work:
Build a console cable

Turn on or leave WiFi turned on in Fake-Off mode

Parse unencrypted audio collection
Clean-up the file format of saved audio. Add encryption??

According to the documentation, Weeping Angel worked as long as the target hadn’t upgraded the firmware on the Samsung TVs, and that the firmware upgrade eliminated the “current installation method,” which apparently required the insertion of a booby-trapped USB device into the TV.

Don’t get me wrong: This is a serious leak of fairly sensitive information. And I sincerely hope Wikileaks decides to work with researchers and vendors to coordinate the patching of flaws leveraged by the as-yet unreleased exploit code archive that apparently accompanies this documentation from the CIA.

But in reading the media coverage of this leak, one might be led to believe that even if you are among the small minority of Americans who have chosen to migrate more of their communications to privacy-enhancing technologies like Signal or WhatsApp, it’s all futility because the CIA can break it anyway.

Perhaps a future cache of documents from this CIA division will change things on this front, but an admittedly cursory examination of these documents indicates that the CIA’s methods for weakening the privacy of these tools all seem to require attackers to first succeed in deeply subverting the security of the mobile device — either through a remote-access vulnerability in the underlying operating system or via physical access to the target’s phone.

As Bloomberg’s tech op-ed writer Leonid Bershidsky notes, the documentation released here shows that these attacks are “not about mass surveillance — something that should bother the vast majority of internet users — but about monitoring specific targets.”

By way of example, Bershidsky points to a tweet yesterday from Open Whisper Systems (the makers of the Signal private messaging app) which observes that, “The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.”

The company went on to say that because more online services are now using end-to-end encryption to prevent prying eyes from reading communications that are intercepted in-transit, intelligence agencies are being pushed “from undetectable mass surveillance to expensive, high-risk, targeted attacks.”

As limited as some of these exploits appear to be, the methodical approach of the countless CIA researchers who apparently collaborated to unearth these flaws is impressive and speaks to a key problem with most commercial hardware and software today: The vast majority of vendors would rather spend the time and money marketing their products than embark on the costly, frustrating, time-consuming and continuous process of stress-testing their own products and working with a range of researchers to find these types of vulnerabilities before the CIA or other nation-state-level hackers can.

Of course, not every company has a budget of hundreds of millions of dollars just to do basic security research. According to this NBC News report from October 2016, the CIA’s Center for Cyber Intelligence (the alleged source of the documents discussed in this story) has a staff of hundreds and a budget in the hundreds of millions: Documents leaked by NSA whistleblower Edward Snowden indicate the CIA requested $685.4 million for computer network operations in 2013, compared to $1 billion by the U.S. National Security Agency (NSA).

TURNABOUT IS FAIR PLAY?

NBC also reported that the CIA’s Center for Cyber Intelligence was tasked by the Obama administration last year to devise cyber attack strategies in response to Russia’s alleged involvement in the siphoning of emails from Democratic National Committee servers as well as from Hillary Clinton‘s campaign chief John Podesta. Those emails were ultimately published online by Wikileaks last summer.

NBC reported that the “wide-ranging ‘clandestine’ cyber operation designed to harass and ’embarrass’ the Kremlin leadership was being lead by the CIA’s Center for Cyber Intelligence.” Could this attack have been the Kremlin’s response to an action or actions by the CIA’s cyber center? Perhaps time (or future leaks) will tell.

Speaking of the NSA, the Wikileaks dump comes hot on the heels of a similar disclosure by The Shadow Brokers, a hacking group that said it stole malicious software from the Equation Group, a highly-skilled and advanced threat actor that has been closely tied to the NSA.

What’s interesting is this Wikileaks cache includes a longish discussion thread among CIA employees who openly discuss where the NSA erred in allowing experts to tie the NSA’s coders to malware produced by the Equation Group. As someone who spends a great deal of time unmasking cybercriminals who invariably leak their identity and/or location through poor operational security, I was utterly fascinated by this exchange.

BUG BOUNTIES VS BUG STOCKPILES

Many are using this latest deluge from WikiLeaks to reopen the debate over whether there is enough oversight of the CIA’s hacking activities. The New York Times called yesterday’s WikiLeaks disclosure “the latest coup for the antisecrecy organization and a serious blow to the CIA, which uses its hacking abilities to carry out espionage against foreign targets.”

The WikiLeaks scandal also revisits the question of whether the U.S. government should instead of hoarding and stockpiling vulnerabilities be more open and transparent about its findings — or at least work privately with software vendors to get the bugs fixed for the greater good. After all, these advocates argue, the United States is perhaps the most technologically-dependent country on Earth: Surely we have the most to lose when (not if) these exploits get leaked? Wouldn’t it be better and cheaper if everyone who produced software sought to crowdsource the hardening of their products?

On that front, my email inbox was positively peppered Tuesday with emails from organizations that run “bug bounty” programs on behalf of corporations. These programs seek to discourage “full disclosure” approach — e.g., a researcher releasing exploit code for a previously unknown bug and giving the affected vendor exactly zero days to fix the problem before the public finds out how to exploit it (hence the term “zero-day” exploit). Rather, the bug bounties encourage security researchers to work closely and discreetly with software vendors to fix security vulnerabilities — sometimes in exchange for monetary reward and sometimes just for public recognition.

Casey Ellis, chief executive officer and founder of bug bounty program Bugcrowd, suggested the CIA WikiLeaks disclosure will help criminal groups and other adversaries, while leaving security teams scrambling.

“In this mix there are the targeted vendors who, before today, were likely unaware of the specific vulnerabilities these exploits were targeting,” Ellis said. “Right now, the security teams are pulling apart the Wikileaks dump, performing technical analysis, assessing and prioritizing the risk to their products and the people who use them, and instructing the engineering teams towards creating patches. The net outcome over the long-term is actually a good thing for Internet security — the vulnerabilities that were exploited by these tools will be patched, and the risk to consumers reduced as a result — but for now we are entering yet another Shadow Brokers, Stuxnet, Flame, Duqu, etc., a period of actively exploitable 0-day bouncing around in the wild.”

Ellis said that — in an ironic way, one could say that Wikileaks, the CIA, and the original exploit authors “have combined to provide the same knowledge as the ‘good old days’ of full disclosure — but with far less control and a great many more side-effects than if the vendors were to take the initiative themselves.”

“This, in part, is why the full disclosure approach evolved into the coordinated disclosure and bug bounty models becoming commonplace today,” Ellis said in a written statement. “Stories like that of Wikileaks today are less and less surprising and to some extent are starting to be normalized. It’s only when the pain of doing nothing exceeds the pain of change that the majority of organizations will shift to an proactive vulnerability discovery strategy and the vulnerabilities exploited by these toolkits — and the risk those vulnerabilities create for the Internet — will become less and less common.”

Many observers — including a number of cybersecurity professional friends of mine — have become somewhat inured to these disclosures, and argue that this is exactly the sort of thing you might expect an agency like the CIA to be doing day in and day out. Omer Schneider, CEO at a startup called CyberX, seems to fall into this camp.

“The main issue here is not that the CIA has its own hacking tools or has a cache of zero-day exploits,” Schneider said. “Most nation-states have similar hacking tools, and they’re being used all the time. What’s surprising is that the general public is still shocked by stories like these. Regardless of the motives for publishing this, our concern is that Vault7 makes it even easier for a crop of new cyber-actors get in the game.”

This almost certainly won’t be the last time KrebsOnSecurity cites this week’s big CIA WikiLeaks trove. But for now I’m interested to hear what you, Dear Readers, found most intriguing about it? Sound off in the comments below.

Credit and debit card payments giant Verifone [NYSE: PAY] is investigating a breach of its internal computer networks that appears to have impacted a number of companies running its point-of-sale solutions, according to sources. Verifone says the extent of the breach was limited to its corporate network and that its payment services network was not impacted.

San Jose, Calif.-based Verifone is the largest maker of credit card terminals used in the United States. It sells point-of-sale terminals and services to support the swiping and processing of credit and debit card payments at a variety of businesses, including retailers, taxis, and fuel stations.

On Jan. 23, 2017, Verifone sent an “urgent” email to all company staff and contractors, warning they had 24 hours to change all company passwords.

“We are currently investigating an IT control matter in the Verifone environment,” reads an email memo penned by Steve Horan, Verifone Inc.’s senior vice president and chief information officer. “As a precaution, we are taking immediate steps to improve our controls.”

The internal Verifone memo — a copy of which was obtained by KrebsOnSecurity and is pictured above — also informed employees they would no longer be allowed to install software of any kind on company computers and laptops.

Asked about the breach reports, a Verifone spokesman said the company saw evidence in January 2017 of an intrusion in a “limited portion” of its internal network, but that the breach never impacted its payment services network.

“In January 2017, Verifone’s information security team saw evidence of a limited cyber intrusion into our corporate network,” Verifone spokesman Andy Payment said. “Our payment services network was not impacted. We immediately began work to determine the type of information targeted and executed appropriate measures in response. We believe today that due to our immediate response, the potential for misuse of information is limited.”

Verifone’s Mr. Payment declined to answer additional questions about the breach, such as how Verifone learned about it and whether the company was initially notified by an outside party. But a source with knowledge of the matter told KrebsOnSecurity.com that the employee alert Verifone sent out on Jan, 23, 2017 was in response to a notification that Verifone received from the credit card companies Visa and Mastercard just days earlier in January.

A spokesperson for Visa declined to comment for this story. MasterCard officials did not respond to requests for comment.

According to my source, the intrusion impacted at least one corner of Verifone’s business: A customer support unit based in Clearwater, Fla. that provides comprehensive payment solutions specifically to gas and petrol stations throughout the United States — including, pay-at-the-pump credit card processing; physical cash registers inside the fuel station store; customer loyalty programs; and remote technical support.

The source said his employer shared with the card brands evidence that a Russian hacking group known for targeting payment providers and hospitality firms had compromised at least a portion of Verifone’s internal network.

The source says Visa and MasterCard were notified that the intruders appeared to have been inside of Verifone’s network since mid-2016. The source noted there is ample evidence the attackers used some of the same toolsets and infrastructure as the cybercrime gang that last year is thought to have hacked into Oracle’s MICROS division, a unit of Oracle that provides point-of-sale solutions to hundreds of thousands of retailers and hospitality firms.

Founded in Hawaii, U.S. in 1981, Verifone now operates in more than 150 countries worldwide and employ nearly 5,000 people globally.

Update, 1:17 p.m. ET: Verifone circled back post-publication with the following update to their statement: “According to the forensic information to-date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame. We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational.”

ANALYSIS

In the MICROS breach, the intruders used a crimeware-as-a-service network called Carbanak, also known as Anunak. In that incident, the attackers compromised Oracle’s ticking portal that Oracle uses to help MICROS’s hospitality customers remotely troubleshoot problems with their point-of-sale systems. The attackers reportedly used that access to plant malware on the support server so they could siphon MICROS customer usernames and passwords when those customers logged in to the support site.

Oracle’s very few public statements about that incident made it clear that the attackers were after information that could get them inside the electronic tills run by the company’s customers — not Oracle’s cloud or other service offerings. The company acknowledged that it had “detected and addressed malicious code in certain legacy Micros systems,” and that it had asked all MICROS customers to reset their passwords.

Avivah Litan, a financial fraud and endpoint solutions analyst for Gartner Inc., said the attackers in the Verifone breach probably also were after anything that would allow them to access customer payment terminals.

“The worst thing is the attackers have information on the point-of-sale systems that lets them put backdoors on the devices that can record, store and transmit stolen customer card data,” Litan said. “It sounds like they were after point-of-sale software information, whether the POS designs, the source code, or signing keys. Also, the company says it believes it stopped the breach in time, and that usually means they don’t know if they did. The bottom line is it’s very serious when the Verifone system gets breached.”

Verifone’s Jan. 23 “urgent” alert to its staff and contractors suggested that — prior to the intrusion — all employees were free to install or remove software at will. Litan said such policies are not uncommon and they certainly make it simpler for businesses to get work done, but she cautioned that allowing every user to install software anytime makes it easier for a hacker to do the same across multiple systems after compromising just a single machine inside the network.

“It sounds like [Verifone] found some malware in their network that must have come from an employee desktop because now they’re locking that down,” Litan said. “But the next step for these attackers is lateral movement within the victim’s network. And it’s not just within Verifone’s network at that point, it potentially expands to any connected partner network or through trusted zones.”

Litan said many companies choose to “whitelist” applications that they know and trust, but to block all others. She said the solutions can dramatically bring down the success rate of attacks, but that users tend to resist and dislike being restricted on their work devices.

“Most companies don’t put in whitelists because it’s hard to manage. But that’s hardly an excuse for not doing it. Whitelisting is very effective, it’s just a pain in the neck for users. You have to have a process and policies in place to support whitelisting, but it’s certainly doable. Yes, it’s been beaten in targeted attacks before — where criminals get inside and steal the code-signing keys, but it’s still probably the strongest endpoint security organizations can put in place.”

Verifone would not respond to questions about the duration of the breach in its corporate networks. But if, as sources say, this breach lasted more than six months, that’s an awful long time for an extremely skilled adversary to wander around inside your network undetected. Whether the intruders were able to progress from one segment of Verifone’s network to another would depend much on how segmented Verifone’s network is, as well as the robustness of security surrounding its various corporate divisions and many company acquisitions over the years.

The thieves who hacked Target Corp. in 2013, for example, were able to communicate with virtually all company cash registers and other systems within the company’s network because Target’s internal network resembled a single canoe instead of a massive ship with digital bulkheads throughout the vessel to stop a tiny breach in the hull from sinking the entire ship. Check out this story from Sept. 2015, which looked at the results of a confidential security test Target commissioned just days after the breach (spoiler alert, the testers were able to talk to every Target cash register in all 2,000 stores after remotely commandeering a deli scale at a single Target store).

The card associations often require companies that handle credit cards to undergo a third-party security audit, but only if there is evidence that customer card data was compromised. That evidence usually comes in the form of banks reporting a pattern of fraud on customer cards that were all used at a particular merchant during the same time frame. However, those reports come slowly — if at all — and often trickle up to the card brands weeks or months after stolen cards end up for sale in bulk on the cybercrime underground.

Corporate network compromises or the theft of proprietary source code (e.g. the same code that goes on merchant payment devices) generally do not trigger a mandatory third-party investigation by a security firm approved by the card brands, Litan said, although she noted that breaches which can be shown to have a material financial impact on the company need to be disclosed to investors and securities regulators.

“There’s no rule anywhere that says you have to disclose if your software’s source code is stolen, but there should be,” Litan said. “Typically, when a company has a breach of their corporate network you think it might hurt the company, but in a case when the company’s software is stolen and that software is used to transmit credit card data then everyone else is hurt.”

Sources told KrebsOnSecurity that Verifone commissioned an investigation of the breach from Foregenix Ltd., a digital forensics firm based in the United Kingdom that lists Verifone as a “strategic partner.” Foregenix declined to comment for this story.

LOW-HANGING FRUIT

Litan said if the attackers who broke into Verifone were indeed targeting payment systems in the filling station business, they were going after the lowest of the low-hanging fruit. The fuel station industry is chock-full of unattended, automated terminals that have special security dispensation from Visa and Mastercard: Fuel station owners have been given more time than almost any other industry to forestall costly security upgrades for new card terminals at gas pumps that are capable of reading more secure chip-enabled credit and debit cards.

The chip cards are an advancement mainly because they are far more difficult and costly for thieves to counterfeit or clone for use in face-to-face transactions — by far the most profitable form of credit card fraud (think gift cards and expensive gaming consoles that can easily be resold for cash).

After years of lagging behind the rest of the world — the United States is the last of the G20 nations to move to chip cards — most U.S. financial institutions are starting to issue chip-based cards to customers. However, many retailers and other card-accepting locations have been slow to accept chip based transactions even though they already have the hardware in place to accept chip cards (this piece attempts to explain the “why” behind that slowness).

In contrast, chip-card readers are still a rarity at fuel pumps in the United States, and Litan said they will continue to be for several years. In December 2016, the card associations announced they were giving fuel station owners until 2020 to migrate to chip-based readers.

Previously, fuel station owners that didn’t meet the October 2017 deadline to have chip-enabled readers at the pump would have been on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card but was not asked or able to dip the chip. Now that they have another three years to get it done, thieves will continue to attack fuel station dispensers and other unattended terminals with skimmers and by attacking point-of-sale terminal hardware makers, integrators and resellers.

HOW WOULD YOUR EMPLOYER FARE?

My confidential source on this story said the closest public description of the email phishing schemes used by the Russian crime group behind both the MICROS and Verifone hacks comes in a report earlier this year from Trustwave, a security firm that often gets called in to investigate third-party data breaches. In that analysis, Trustwave describes an organized crime gang that routinely sets up phony companies and corresponding fake Web sites to make its targeted email phishing lures appear even more convincing.

The messages from this group usually include a Microsoft Office (Word or Excel) document that has been booby-trapped with malicious scripts known as “macros.” Microsoft disables macros by default in recent versions of Office, but poisoned document lures often come with entreaties that prompt recipients to override Microsoft’s warnings and enable them manually.

Trustwave’s report cites two examples of this social engineering; one in which an image file is used to obscure a warning sign (see below), and another in which the cleverly-crafted phishing email was accompanied by a phone call from the fraudsters to walk the recipient through the process of manually overriding the macro security warnings (and in effect to launch the malware on the local network).

According to Trustwave, this Russian hacking group prefers to target companies in the hospitality industry, and is thought to be connected to the breaches at a string of hotel chains, including the card breach at Hyatt that compromised customer credit and debit cards at some 250 hotels in roughly 50 countries throughout much of 2015.

In a common attack, the perpetrators would send a phishing email from a domain associated with a legitimate-looking but fake company that was inquiring about spending a great deal of money bringing many important guests to a specific property on a specific date. The emails are often sent to sales and event managers at these lodging facilities, with instructions for checking the attached (booby-trapped) document for specifics about guest and meeting room requirements.

Among today’s fastest-growing cybercrime epidemics is “ransomware,” malicious software that encrypts your computer files, photos, music and documents and then demands payment in Bitcoin to recover access to the files. A big reason for the steep increase in ransomware attacks in recent years comes from the proliferation of point-and-click tools sold in the cybercrime underground that make it stupid simple for anyone to begin extorting others for money.

Recently, I came across an extremely slick and professionally produced video advertisement promoting the features and usability of “Philadelphia,” a ransomware-as-a-service crimeware package that is sold for roughly $400 to would-be cybercriminals who dream of carving out their own ransomware empires.

This stunning advertisement does a thorough job of showcasing Philadelphia’s many features, including the ability to generate PDF reports and charts of victims “to track your malware campaigns” as well as the ability to plot victims around the world using Google Maps.

“Everything just works,” claim the proprietors of Philadelphia. “Get your lifetime copy. One payment. Free updates. No monthly fees.”

One interesting feature of this ransomware package is the ability to grant what the program’s architects call “mercy.” This refers to the desperate and heartbreaking pleas that ransomware purveyors often hear from impecunious victims whose infections have jeopardized some priceless and irreplaceable data — such as photos of long lost loved ones.

I’ll revisit the authors of this ransomware package in a future post. For now, just check out their ad. It’s fairly chilling.

This blog has featured several stories about “overlay” card and PIN skimmers made to be placed atop Ingenico-brand card readers at store self-checkout lanes. I’m revisiting the topic again because a security technician at a U.S.-based retailer recently shared a few photos of several of these devices pulled from compromised card terminals, and the images and his story offer a fair bit more detail than in previous articles.

The device featured here is a Bluetooth-based skimmer; it is designed to steal both the card data when a customer swipes and to record the victim’s PIN using a PIN pad overlay.

The Bluetooth component of the skimmer allows the thieves to retrieve stolen data wirelessly via virtually any Bluetooth enabled device — just by being in proximity to the compromised card terminal (~30 meters).

If we look on the backside of this skimmer, we can see the electronics needed to intercept the PIN. The source who shared these pictures said an employee thought the PIN pad buttons were a little too difficult to press down, and soon discovered this plastic overlay and others just like it on two more self-checkout terminals.

Here’s a closeup of the electronics that power this skimmer (sorry, this is the highest resolution photo available):

This model of overlay skimmers appears to be quite similar to a version sold in the cybercrime underground and detailed in this post.

According to my retail source who shared these pictures, the overlay skimmers used parts cannibalized from Samsung smart phones. The source said the devices placed themselves in a mode to transmit stolen card data and PINs as soon as they were turned off and back on again. Investigators also discovered that they could connect via Bluetooth to the skimming devices by entering the PIN “2016” on a Bluetooth-enabled wireless device.

However, the source said none of the overlay skimmers they found appeared to have any on-board data storage, suggesting the thieves had planted a second wireless device somewhere in or near the store and were hoovering up card and PIN data via Bluetooth in real time. Or, perhaps the crooks were simply sitting outside the store in the parking lot, using a laptop and high-gain antenna to pull down card and PIN data.

“We combed the property for something like an old cell phone gathering data, but we didn’t find anything,” the source told KrebsOnSecurity.

Customers generally are the first line of defense against these types of scams. Not long ago, KrebsOnSecurity published a post on how to spot Ingenico self-checkout skimmers. Unfortunately, most of the telltale signs are only noticeable if you are already well familiar with the appearance of a legitimate Ingenico ISC 250 terminal. Nevertheless, most of these skimmers will detach themselves with a gentle tug on the card reader.

For more tips on spotting these Ingenico overlay skimmers, check out this post. Want to read more about skimming devices, check out my series, All About Skimmers.

In another strange tale from the kinetic-attack-meets-cyberattack department, earlier this week I heard from a loyal reader in Brazil whose wife was recently mugged by three robbers who nabbed her iPhone. Not long after the husband texted the stolen phone — offering to buy back the locked device — he soon began receiving text messages stating the phone had been found. All he had to do to begin the process of retrieving the device was click the texted link and log in to the phishing page mimicking Apple’s site.

Edu Rabin is a resident of Porto Alegre, the capital and largest city of the Brazilian state of Rio Grande do Sul in southern Brazil. Rabin said three thugs robbed his wife last Saturday in broad daylight. Thankfully, she was unharmed and all they wanted was her iPhone 5s.

Rabin said he then tried to locate the device using the “Find my iPhone” app.

“It was already in a nearby city, where the crime rates are even higher than mine,” Rabin said.

He said he then used his phone to send the robbers a message offering to buy back his wife’s phone.

“I’d sent a message with my phone number saying, ‘Dear mister robber, since you can’t really use the phone, I’m preparing to rebuy it from you. All my best!’ This happened on Saturday. On Sunday, I’d checked again the search app and the phone was still offline and at same place.”

But the following day he began receiving text messages stating that his phone had been recovered.

“On Monday, I’d started to receive SMS messages saying that my iphone had been found and a URL to reach it,” Rabin said. Here’s a screenshot of one of those texts:

The link led to a page that looks exactly like the Brazilian version of Apple’s sign-in page, but which is hosted on a site that allows free Web hosting.

Rabin said he didn’t fall for the ruse, but that he imagines the scam would trick quite a few people who have lost their iPhone and are anxious to get it back.

Leave the “icloud” off the end of that texted URL and we can see a phony copy of Apple’s “Find My iPhone” login page that is still live (the hosting provider has been notified):

But the scammers didn’t stop there in trying to phish the Apple ID and password for his iPhone account. Rabin said that just two days later, he received an odd, automated call on his mobile.

“It came from a strange number and a voice sounding like Siri or the [Google] Waze voice, informing me that my iPhone had been found and to look for my SMS for more info,” Rabin said. “That’s when I thought I had to tell this story to someone. To me, it really got to another level, connecting the lowest kind of criminals to a high profile one (probably went to school and college) that can buy (or even create) this kind of scam.”

The high cost of smart phones makes mobile device theft a serious problem everywhere in the world, not just Brazil. If you use an Apple device, it’s a good idea to turn on the “Find My iPhone” feature using the Find My iPhone App, so that when or if the device gets lost you can located it by signing into icloud.com/find.

If your Apple device is lost or stolen, check out Apple’s advice on how to manage the loss, depending on the severity of the situation. In Rabin’s case, even though the phone is currently turned off, he has the options to put it in “Lost mode,” “lock it,” or “remotely erase it.” The next time your device is online, these actions will take effect.

Also, try to make a habit of regularly synching your device to your computer, so that in the event your phone is lost or stolen your data is backed up and you don’t have to worry about remotely wiping important data that may not already be saved locally.